Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add dedicated feature flag for oauth device grant flow (#23891) #23892

Merged
merged 11 commits into from
Oct 24, 2023
Merged

Add dedicated feature flag for oauth device grant flow (#23891) #23892

merged 11 commits into from
Oct 24, 2023

Conversation

thomasdarimont
Copy link
Contributor

The new flag "DEVICE_FLOW" is enabled by default for now. At a later stage we might disable the feature by default.

Users can now disable the device flow support for the whole server via: -Dkeycloak.profile.feature.device_flow=disabled
or
--features-disabled=device_flow

See discussion: #23700

Fixes #23891

@cypress
Copy link

cypress bot commented Oct 11, 2023
edited
Loading

2 flaky tests on run #9541 ↗︎

0 527 48 0 Flakiness 2

Details:

Merge 5841a1f into 03a8f05...
Project: Keycloak Admin UI Commit: 85e78d1cf2 ℹ️
Status: Passed Duration: 11:15 💡
Started: Oct 23, 2023 8:41 PM Ended: Oct 23, 2023 8:52 PM
Flakiness  clients_test.spec.ts • 1 flaky test • chrome

View Output Video

Test Artifacts
Clients test > Accessibility tests for clients > Check a11y violations on load/ clients list tab Test Replay Output Screenshots
Flakiness  realm_settings_general_tab_test.spec.ts • 1 flaky test • chrome

View Output Video

Test Artifacts
Realm settings general tab tests > Test all general tab switches Test Replay Output Screenshots

Review all test suite changes for PR #23892 ↗︎

@ghost ghost added the flaky-test label Oct 11, 2023
This was referenced Oct 11, 2023
Closed
Closed
ghost
ghost reviewed Oct 11, 2023
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@ghost
Copy link

ghost commented Oct 11, 2023

Unreported flaky test detected

If the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.ui.account2.LDAPAccountTest#createdNotVisibleTest

Keycloak CI - Account Console IT (firefox)

org.openqa.selenium.NoSuchElementException: 
Unable to locate element: #username
For documentation on this error, please visit: http://seleniumhq.org/exceptions/no_such_element.html
Build info: version: '3.14.0', revision: 'aacccce0', time: '2018-08-02T20:19:58.91Z'
System info: host: 'fv-az951-282', ip: '10.1.0.194', os.name: 'Linux', os.arch: 'amd64', os.version: '6.2.0-1012-azure', java.version: '17.0.8.1'
...

Report flaky test

org.keycloak.testsuite.ui.account2.WelcomeScreenTest#resourcesTest

Keycloak CI - Account Console IT (firefox)

java.lang.AssertionError: Element should be visible expected:<true> but was:<false>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:120)
	at org.keycloak.testsuite.util.UIAssert.assertElementVisible(UIAssert.java:47)
...

Report flaky test

org.keycloak.testsuite.forms.ResetCredentialsAlternativeFlowsTest#resetCredentialsVerifyCustomOtpLabelSetProperly

Keycloak CI - Forms IT (chrome)

java.lang.IllegalArgumentException: No enum constant org.keycloak.testsuite.pages.AppPage.RequestType.
	at java.base/java.lang.Enum.valueOf(Enum.java:273)
	at org.keycloak.testsuite.pages.AppPage$RequestType.valueOf(AppPage.java:60)
	at org.keycloak.testsuite.pages.AppPage.getRequestType(AppPage.java:49)
	at jdk.internal.reflect.GeneratedMethodAccessor552.invoke(Unknown Source)
...

Report flaky test

@thomasdarimont thomasdarimont force-pushed the issue/GH-23891-device-flow-feature-flag branch from d2a5920 to 057cdf6 Compare October 11, 2023 12:27
This was referenced Oct 11, 2023
Closed
Closed
Closed
ghost
ghost reviewed Oct 11, 2023
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@ghost
Copy link

ghost commented Oct 11, 2023

Unreported flaky test detected

If the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.x509.X509BrowserCRLTest#loginSuccessWithCRLSignedWithIntermediateCA3FromTruststore

Keycloak CI - FIPS IT (strict)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:313)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

Report flaky test

@thomasdarimont
Copy link
Contributor Author

The following screenshots show the new behaviour when the device-flow is disabled for the Keycloak Server:

Realm Info lists device-flow as disabled feature
image

Tokens Tab in Realm Settings doesn't show device flow settings
image

When creating a new client Capability config doesn't show the device flow
image

When editing a client device flow is also not shown:
image

/realms/{realm}/device shows 404 page
image

@thomasdarimont thomasdarimont force-pushed the issue/GH-23891-device-flow-feature-flag branch from 25136a7 to 5dcdf07 Compare October 11, 2023 19:36
@ghost ghost mentioned this pull request Oct 11, 2023
Closed
@ghost
Copy link

ghost commented Oct 11, 2023

Unreported flaky test detected

If the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.ui.account2.DeviceActivityTest#currentSessionTest

Keycloak CI - Account Console IT (firefox)

org.awaitility.core.ConditionTimeoutException: Assertion condition defined as a org.keycloak.testsuite.util.URLAssert URL expected to begin with: https://localhost:8543/auth/realms/test/protocol/openid-connect/auth ; actual URL: https://localhost:8543/auth/realms/test/account/#/security/device-activity within 10 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:119)
	at org.awaitility.core.AssertionCondition.await(AssertionCondition.java:31)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:985)
...

Report flaky test

org.keycloak.testsuite.ui.account2.DeviceActivityTest#timesTests

Keycloak CI - Account Console IT (firefox)

org.openqa.selenium.UnhandledAlertException: 
Dismissed user prompt dialog: failed to initialize keycloak: 
Build info: version: '3.14.0', revision: 'aacccce0', time: '2018-08-02T20:19:58.91Z'
System info: host: 'fv-az1233-258', ip: '10.1.0.100', os.name: 'Linux', os.arch: 'amd64', os.version: '6.2.0-1012-azure', java.version: '17.0.8.1'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
...

Report flaky test

ghost
ghost reviewed Oct 11, 2023
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@thomasdarimont thomasdarimont force-pushed the issue/GH-23891-device-flow-feature-flag branch from 5dcdf07 to d0f6908 Compare October 12, 2023 20:23
jonkoops
jonkoops previously approved these changes Oct 14, 2023
View reviewed changes
Copy link
Contributor

@jonkoops jonkoops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes to the front-end code look good to me. I will leave it to other team members to judge if this feature is something we want and if the Java code is adequate.

common/src/main/java/org/keycloak/common/Profile.java Outdated Show resolved Hide resolved
Michito-Okai
Michito-Okai approved these changes Oct 16, 2023
View reviewed changes
Copy link
Contributor

@Michito-Okai Michito-Okai left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Please insert its test code afterwards.

@thomasdarimont thomasdarimont force-pushed the issue/GH-23891-device-flow-feature-flag branch 2 times, most recently from fc5ba3e to 8692de8 Compare October 17, 2023 18:44
@thomasdarimont
Copy link
Contributor Author

@mposolda @tnorimat I just added the missing tests and I think the feature is complete now. Feel free to merge if the pipeline passes.

@thomasdarimont thomasdarimont marked this pull request as ready for review October 17, 2023 18:46
@thomasdarimont thomasdarimont requested review from a team as code owners October 17, 2023 18:46
@thomasdarimont thomasdarimont requested a review from a team October 17, 2023 18:46
@ghost ghost mentioned this pull request Oct 19, 2023
Closed
@mposolda
Copy link
Contributor

Thanks for taking a look! What's different in "Keycloak CI / Base IT (6)"? (Perhaps a better name would really help here) Locally it works fine, I try to replicate whatever "Keycloak CI / Base IT (6)" later today.

@thomasdarimont It uses keycloak distribution instead of the undertow distribution. Maybe you can replicate the issue when you run the test with something like:

mvn clean install -DskipTests=true
cd testsuite/integration-arquillian
mvn clean install -Pauth-server-quarkus -Dtest=OAuth2DeviceAuthorizationGrantTest

?

Just a guess (did not tried it myself).

@mposolda mposolda mentioned this pull request Oct 20, 2023
Merged
1 task
@thomasdarimont
Copy link
Contributor Author

@mposolda I gave this another try, and it seems as if the @DisableFeature(value = Profile.Feature.DEVICE_FLOW, skipRestart = true) is not taken into account by the "Keycloak CI / Base IT (6)" testrun.

When I run the tests for OAuth2DeviceAuthorizationGrantTest in the IDE, it works fine, but fails when run with
mvn clean install -Pauth-server-quarkus -Dtest=OAuth2DeviceAuthorizationGrantTest -rf :integration-arquillian-tests-base

Could it be that the undertow based test-server implementation doesn't consider the feature flags?

@thomasdarimont
Copy link
Contributor Author

@mposolda the problem seems to be that the test is run with $KEYCLOAK_PROJECT_HOME/testsuite/integration-arquillian/tests/base/target/containers/auth-server-undertow/profile.properties
which for some reason does not exist when I run only the tests from the OAuth2DeviceAuthorizationGrantTest...
image

@thomasdarimont thomasdarimont force-pushed the issue/GH-23891-device-flow-feature-flag branch from dc37888 to 4ceb3d6 Compare October 23, 2023 13:49
@thomasdarimont
Copy link
Contributor Author

thomasdarimont commented Oct 23, 2023
edited
Loading

I could successfully run the build via:

mvn clean install -Pauth-server-undertow -Dtest=OAuth2DeviceAuthorizationGrantTest --am

but it failes with:

 mvn clean install -Pauth-server-quarkus -Dtest=OAuth2DeviceAuthorizationGrantTest --am

I needed to configure OAuth2DeviceAuthorizationGrantTest to use @EnableFeature(value = Profile.Feature.DEVICE_FLOW, skipRestart = true) on class level to ensure that the device_flow feature remains active throughout the test.

I think we need something like: getTestingClient().resetFeature(Profile.Feature.DEVICE_FLOW); which removes the entry from profile.properties .

@mposolda do you have an idea how to ensure that the @EnableFeature annotation is also honored with -Pauth-server-quarkus?

@ghost ghost mentioned this pull request Oct 23, 2023
Closed
thomasdarimont
thomasdarimont commented Oct 23, 2023
View reviewed changes
...ests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2DeviceAuthorizationGrantTest.java
public void ensureDeviceFlowConfigNotPresentWhenDeviceFlowIsDisabled() throws Exception {

// this test currently does not work with -Pauth-server-quarkus
ContainerAssume.assumeAuthServerUndertow();
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After many hours of trying to making this test work with -Pauth-server-quarkus I gave up and just assume that we run the test with undertow. The test works fine in the IDE and with -Pauth-server-undertow.

For some reason the @DisabledFeature annotation is now applied when the test suite is executed with -Pauth-server-quarkus.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is fine, Thanks a lot for this investigation!

Created follow-up issue for looking at this test #24241. When thinking about this, I wonder if it can have some relation to OIDC well-known not being refreshed after feature is enabled/disabled? But not sure...

@thomasdarimont
Add dedicated feature flag for oauth device grant flow (keycloak#23891)
671d1c7 
The new flag "DEVICE_FLOW" is enabled by default for now. At a later
stage we might disable the feature by default.

Users can now disable the device flow support for the whole server via:
-Dkeycloak.profile.feature.device_flow=disabled
or
--features-disabled=device_flow

See discussion: keycloak#23700

Fixes keycloak#23891
@thomasdarimont
Honor device flow feature in client capability config in admin ui
f9d6316
@thomasdarimont
Revise Profile based on code review
1af17cc
@thomasdarimont
Add tests for oauth device grant flow feature disabled (keycloak#23892)
66560b6
@thomasdarimont
Revise tests for disabled device flow
d427b73
@thomasdarimont
Add device-flow flag to approved help output references
1bdcfc5 
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
@thomasdarimont
Revise approved help output tests for disabled device flow
c1a9639
@thomasdarimont
Revise test method name
25ab908 
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
@thomasdarimont
Activate device_flow feature by default for OAuth2DeviceAuthorization…
64ac80c 
…GrantTest
@thomasdarimont
Fix typo in TestingResourceProvider#enableFeature
621df83
@thomasdarimont
Workaround non working feature toggle with -Pauth-server-quarkus
5841a1f 
For some reason @DisableFeature is not considered when executed with -Pauth-server-quarkus.

Current workaround is to ignore exceptions during -Pauth-server-quarkus.
@thomasdarimont thomasdarimont force-pushed the issue/GH-23891-device-flow-feature-flag branch from 3398c1c to 5841a1f Compare October 23, 2023 20:31
@mposolda mposolda mentioned this pull request Oct 24, 2023
Open
@mposolda mposolda merged commit e567210 into keycloak:main Oct 24, 2023
71 checks passed
@savage-alex
Copy link

Thank you for this fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mposolda mposolda mposolda approved these changes

@Michito-Okai Michito-Okai Michito-Okai approved these changes

@jonkoops jonkoops jonkoops left review comments

Assignees

@mposolda mposolda

Labels
flaky-test team/cloud-native team/ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add feature flag for OAuth 2.0 device authorization grant flow
5 participants
@thomasdarimont @mposolda @savage-alex @jonkoops @Michito-Okai