Devservices Keycloak breaks integration tests #45793

Open
@constantin-ungureanu-github

Description

Describe the bug

With quarkus-oidc in place, the restrictions to the REST API are added.
The @QuarkusTest tests run okay, all of them.
The @QuarkusIntegrationTest tests do not run okay.

So adding quarkus-oidc to a Quarkus project, adding a few REST API restrictions (as in the security-keycloak-authorization-quickstart demo), and @QuarkusTest runs fine, both with/without OIDC restrictions, also healthchecks.

The same tests run as @QuarkusIntegrationTest fail (build native, but it is not related to the build as I understand).
The difference observed is that --hostname-port is sent when running the integration tests. Please remove this because it was deprecated (25) and with Keycloak 26+ it was removed, and now Keycloak is failing to start.

Workaround found for this was to:

    quarkus.keycloak.devservices.service-name=keycloak
    quarkus.keycloak.devservices.start-command=start --http-enabled=true --hostname=keycloak --hostname-strict=false --spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json --features=hostname:v1

However, this works only with Quarkus less than 3.18 (CR1), and it still fails in case of healthchecks (integration tests only). Sure, Keycloak can be downgraded, but that still doesn't completely fix the issues.
For Keycloak the v1 is replaced with v2 (--features=hostname:v2). However, that does not work anymore; the container fails to start.
The 3.17.7 with the workaround fails for the APIs that don't include OIDC restrictions and also for the healthcheck IT tests.

This is what I get from the keycloak container (when running IT tests that fail):

    Changes detected in configuration. Updating the server image.
    Updating the configuration and installing your custom providers, if any. Please wait.
    2025-01-22 12:56:41,951 INFO [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 6640ms
    Server configuration updated and persisted. Run the following command to review the configuration:

        kc.sh show-config

    Next time you run the server, just run:

        kc.sh start --http-enabled=true --hostname-debug=true --hostname=localhost --spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json --hostname-port=53483 --optimized

    Unknown option: '--hostname-port'
    Possible solutions: --hostname, --hostname-admin, --hostname-backchannel-dynamic, --hostname-strict, --hostname-debug
    Try 'kc.sh start --help' for more information on the available options.

Expected behavior

All tests run nicely.

Actual behavior

Integration tests fail

  • in 3.18 CR1, no integration test runs, and because you updated Keycloak to version 26.0.0.7 there's no workaround but to downgrade this version
  • in versions less than 3.18 (e.g. 3.17.7) integration tests are failing as well, but for some there are ways to mitigate, see the description.

I see there is a difference that the --hostname-port option has been removed.

How to Reproduce?

Run integration tests involving devservices keycloak and this pops up immediately.

Also test this when the endpoints are healthchecks and there are no restrictions, and when the management port is used (with healthchecks on that port).

Output of uname -a or ver

No response

Output of java -version

java 21

Quarkus version or git rev

3.18 CR1 and also lower (3.17)

Build tool (ie. output of mvnw --version or gradlew --version)

maven 3.9.9

Additional information

I see that for version 3.18 there were numerous improvements related to OIDC, so it would be nice to have the fix for quarkus-oidc running IT tests in 3.18. If needed, more details can be provided, but if you just run IT tests with OIDC this should pop up.
