babangsund / cypress-keycloak Goto Github PK

The default path of the keycloak server seems to be changed from https://host:port/auth/ to https://host:port/ since keycloak 17.0. (You can notice it if comparing what the document for 17.0 and one for 16.1 say for auth-server-url.)
Can you consider to set the default of path_prefix for login and login_OTP to blank, not auth?

Related to #29

From keycloak 18 If post_logout_redirect_uri and id_token_hint parameters are not sent with logout request, confirmation prompt will be displayed and user will not be automatically logged out.

This is a default behaviour, as post_logout_redirect_uri and id_token_hint are optional.

It would be great if library could handle logout confirmation prompt

Hello

First of all thanks for this package I've been using it in my work.

But after upgrading to keycloak 18.0.2 the login ceased to work.

So I console logged the body of the response after cy.request() in login.ts

And I found that Keycloak is redirecting the request with a status of 302 and a URL : /#error=invalid_request&error_description=Missing+parameter%3A+code_challenge_method&state=afe8ee1c-a801-4c80-8e51-1ab25afdca22

And after a bit of goggling I found that the login have to implement the PKCE feature.

So then I changed the login to take code_challenge and code_challenge_method as params

Cypress.Commands.add(
  'login',
  ({
    root,
    realm,
    username,
    password,
    client_id,
    redirect_uri,
    path_prefix = 'auth',
    kc_idp_hint,
    code_challenge, // added this here
    code_challenge_method // and this here
  }) =>
    cy
      .request({
        url: `${root}${
          path_prefix ? `/${path_prefix}` : ''
        }/realms/${realm}/protocol/openid-connect/auth`,
        qs: {
          client_id,
          redirect_uri,
          kc_idp_hint,
          scope: 'openid',
          state: createUUID(),
          nonce: createUUID(),
          response_type: 'code',
          response_mode: 'fragment',
          code_challenge, // here
          code_challenge_method, // and here
        },
      })
      .then((response) => {
        console.log('keycloak login page = ', response);
        const html = document.createElement('html');
        html.innerHTML = response.body;

        const form = html.getElementsByTagName('form');
        const isAuthorized = !form.length;

        if (!isAuthorized)
          return cy.request({
            form: true,
            method: 'POST',
            url: form[0].action,
            followRedirect: false,
            body: {
              username,
              password,
            },
          });
      })
);

And It's working now.

So I think I have to make a Pull request with this change but I'm unsure if the package needs to generate these variables or does the user have to pass them like I did

Please add peer dependency for Cypress 12

Now is:
"peerDependencies": { "cypress": "^6.5.0 || ^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0" }

Should be:
"peerDependencies": { "cypress": "^6.5.0 || ^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0 || ^12.0.0" }

I think when keycloak is configured to use code verifiers, these libraries no longer work. I've been trying to integrate them into my cypress testing environment. Any plans on adding this capability? I will study the keycloak.js and see if I can figure out how they are doing it.

https://datatracker.ietf.org/doc/html/rfc7636#section-4

Hi!

I'm fighting a bit here with making TS (Using WebStorm) actually accept the types for this great package:

Reading cypress' help on Typescript doesn't really say anything about third-party packages like this, it just talks about how to type your own commands.

Can you help me? Thanks a lot!

In the Readme https://github.com/babangsund/cypress-keycloak/blob/edc34e705bb28ace5f40801f9620f435cd4860c3/README.md

It shows:

cy.logout({ ... }):
  root: string
  realm: string
  redirect_uri: string
  path_prefix?: string = "auth"

But in the index.d.ts file:

The logout method does not accept a path_prefix. Happy to contribute a PR but what is the source of truth here?

We have multiple Users with different Permissions and want to choose which user to login per test.

I currently override the login-function:

// cypress/commands.ts
declare global {
  namespace Cypress {
    interface Chainable {
      login(username?: string, password?: string): Cypress.Chainable
    }
  }
}

and use Cypress.Commands.overwrite to implement it:

// cypress/commands.ts
Cypress.Commands.overwrite('login', (originalFunktion, username: string = '', password: string = '') => {
  // @ts-ignore
  originalFunktion({
    realm: '<realm>',
    root: '<root>',
    client_id: '<client_id>',
    username,
    password,
    redirect_uri: 'http://localhost:8080/',
  })
})

This works but i have to add the ts-ignore-comment and do not get the autocomplete-functions.

The best solution (for me) would be to import the login function.

// cypress/commands.ts
import {login} from 'cypress-keycloak'

declare global {
  namespace Cypress {
    interface Chainable {
      login(username?: string, password?: string): Cypress.Chainable
    }
  }
}

Cypress.Commands.add('login', (username, password) => {
  login({
    realm: '<realm>',
    root: '<root>',
    client_id: '<client_id>',
    username,
    password,
    redirect_uri: 'http://localhost:8080/',
  })
})

Can we have peerDependencies include version 11 of Cypress?

"peerDependencies": {
    "cypress": "^6.5.0 || ^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0" # Right here
  },

Hi.
Using this add-on to login gives me an error in Chrome console:
​ ERROR Error: Uncaught (in promise): Error: The user profile was not loaded as the user is not logged in. Error: The user profile was not loaded as the user is not logged in.
It seems there is no redirection happening when using cy.login(). Going to a URL using cy.visit() works after I login. But this error remains in the console.

Cypress tests using keycloak and Chrome browser are no longer working.

cypress 7.0.1
cypress-keycloak 1.7.0
Chrome 96

chromeWebSecurity is set to false according to this:
https://docs.cypress.io/guides/guides/web-security#Disabling-Web-Security

Redirect after login is not working because some cookies used by keycloak are rejected.
Same tests run successfully using Firefox.

The issue is related to this:

https://issues.redhat.com/browse/KEYCLOAK-12125

Apparently there is a workaround disabling the session-iframe but I do not know how to do that using cypress-keycloak
https://www.keycloak.org/docs/latest/securing_apps/index.html#session-status-iframe

Any idea how to fix this issue?

Thanks in advance

cy.session(()=>{
cy.logout(...);
cy.login(...)
}
)

I'm trying to hide my credentials using https://github.com/bahmutov/as-a

If I use the login() method, passing my credentials in to the username and password fields, everything works just fine.

But when I try to reference those same exact same values by using Cypress.env('username') and Cypress.env('password) - the authentication fails everytime.

I've tried toString() and encodeURI() but to no avail. Any ideas are welcome!

I am new to cypress-keycloak, but I tried following the tutorial and I'm getting a 400 error from keycloak, and it seems to be due to a missing client_id parameter.
Is anybody else affected, or can reproduce?
EDIT: My client is not public; this may be the issue. Normally authentification is handled by the back-end service, but for cypress tests it is recommended that cypress handles the auth, so adding support for client_secret would be advisable.

Cypress package version: 4.12.1
Cypress binary version: 4.12.1
cypress-keycloak version: 1.5.0
keycloak version: 6.0.1
---My test:
test_js.txt
---My log:
log.txt
---Summary:
It seems that the url requested, https:///auth/realms//protocol/openid-connect/auth, does not have any parameters. Keycloak responds "We're sorry... Missing parameters: client_id".
However the parameters are indicated in the login call.

Hi guys :)

Any ideia why the client_id is missing on the URL ?

I got this error:

request GET --- https://keycloak.babangsund.com/auth/realms/stage/protocol/openid-connect/auth

I used the example from the README:

describe('thing', () => {
  beforeEach(() => {
    cy.login({
      root: 'https://keycloak.babangsund.com',
      realm: 'stage',
      username: 'babangsund',
      password: 'bacon',
      client_id: 'frontend',
      redirect_uri: 'https://babangsund.com/',
    });

    // or login with OTP
    cy.loginOTP({
      root: 'https://keycloak.babangsund.com',
      realm: 'stage',
      username: 'babangsund',
      password: 'bacon',
      client_id: 'frontend',
      redirect_uri: 'https://babangsund.com/',
      otp_secret: 'OZLDC2HZKM3QUC...', // e.g. 32 chars
      otp_credential_id: '5e231f20-8ca7-35e1-20a694b60181ca9', // e.g. 36 chars
    });
  });

  afterEach(() => {
    cy.logout({
      root: 'https://keycloak.babangsund.com',
      realm: 'stage',
      // using Keycloak < 18.0.0:
      // redirect_uri: 'https://babangsund.com/',
      // using Keycloak >= 18.0.0:
      post_logout_redirect_uri: 'https://babangsund.com/',
    });
  });
});

Please add code_challenge_method to the interfaces.

Cypress has released a new major version (10.0.0). Please add it to the peer dependencies so I can update my project to the latest version.

npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/cypress
npm WARN   dev cypress@"^10.0.3" from the root project
npm WARN   1 more (cypress-keycloak)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer cypress@"^6.5.0 || ^7.0.0 || ^8.0.0 || ^9.0.0" from [email protected]
npm WARN node_modules/cypress-keycloak
npm WARN   dev cypress-keycloak@"^1.8.0" from the root project

I connect to my client in my app using standard flow and pkceMethod set to 'S256'.

keycloak
        .init({ flow: 'standard', pkceMethod: 'S256' })

How can I specify these when using this package?

Cypress 11, our logout functionality is working just fine
With Cypress 12+, it stopped working

We are seeing:

Our logout command:

Cypress.Commands.add('logoutKC', () =>
  cy.logout({
    root: ENVS.keycloak_root,
    realm: Cypress.env('keycloak_realm'),
    post_logout_redirect_uri: ENVS.keycloak_redirect,
  }),
);

Usage:

  afterEach(() => {
    cy.logoutKC();
  });

Running: "cypress-keycloak": "2.0.1"

Any ideas?

Keycloak 18 will not handle the redirect_uri param anymore which is used here.

The Breaking Change in Keycloak is described in the Release Notes - Section "Migration from 17.0 -> OpenID Connect Logout".

The params post_logout_redirect_uri together with the parameter id_token_hint should be handled.

Keycloak version I am working with: 17.0.1

When a keycloak client is set to confidential, you always have to pass the client_secret when fetching a token.
Even with grant_type set to password.

This means that I need to pass the client_secret to the login method.

So I would think adding client_secret as a optional parameter to the login method is needed.

As per the example, I added a cy.logout in my afterEach hook. Login in beforeEach works just fine, but as soon as it tries logging out, I get an error from Keycloak saying that id_token_hint is missing. I'm not sure on what I should fill in there. I think it might be the Keycloak token (which isn't accessible as mentioned in ticket #39.
Apologies if this is an obvious one, I'm not that experienced with OIDC and whatnot.

Versions :

• Cypress 7.4
• Keycloak : 12.0.4

Here is my test :

describe('Admin / login page', () => {
  before(() => {
    cy.task('db:seed');
    cy.mailhog('clear');
  });

  it('Should login', () => {
    cy.login({
      client_id: 'admin',
      password: 'adminadmin',
      realm: 'bilik',
      redirect_uri: 'http://admin.devbilik.loc/',
      root: 'http://auth.traefik.loc',
      username: '[email protected]',
    }).then((el) => {
      console.log(el);

      cy.visit(`${Cypress.env('ADMIN_URL')}/`);
      cy.get('#username').type('[email protected]');
      cy.get('#password').type('adminadmin');
      cy.get('#kc-login').click();
    });

    // cy.contains('Tableau de bord');
    // cy.logout();
  });
});

For some reasons, the requests seems to pass (requests from the cypress-keycloak plugin) :

But when I do a cy.visit() right after the login, my app keep redirecting me. It's a react app. The funny thing is when I login though the Cypress browser, it's working perfectly : http://auth.traefik.loc/auth/realms/bilik/protocol/openid-connect/auth?client_id=admin&redirect_uri=http%3A%2F%2Fadmin.devbilik.loc%2F&state=09736f9f-73c9-473a-93b7-1f6542102309&response_mode=fragment&response_type=code&scope=openid%20offline_access&nonce=2399c1c6-7752-48a7-8f57-cdc472e66a4b

What do I miss here ? Thanks.

Hi, I'm trying to authenticate to my API which uses OTP to login, but I'm having a hard time figuring out where do i find the otp_secret and the otp_credential_id.

I'm not sure this would be the place to ask, it's more of a keycloak question, but since there is an example in the documentation I was hoping someone could give any kind of directions.

Thanks

Good morning,

Thanks for your great work.

When attempting to install cypress-keycloak as a project dependency the folling NPM Error is generated:

% npm install --save-dev cypress-keycloak@latest         
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! Found: [email protected]
npm ERR! node_modules/cypress
npm ERR!   dev cypress@"^6.2.1" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! dev cypress-keycloak@"1.5.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/cypress
npm ERR!   peer cypress@"^3.6.0" from [email protected]
npm ERR!   node_modules/cypress-keycloak
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /Users/iammac/.npm/eresolve-report.txt for a full report.

Plugin dependency is not compatible with Cypress 13

As described on the docs: https://www.keycloak.org/docs/latest/securing_apps/#_javascript_adapter

Is Cypress-Keycloak supporting the ability just to grab the token?

This old Cypress-Keycloak-Commands repo is supporting following:

describe("Keycloak Login", () => {
  beforeEach(() => {
    cy.kcLogout();
    cy.kcLogin("user").as("tokens");
    cy.visit("/");
  });

  it("should call an API with the token", () => {
    cy.get("@tokens").then(tokens => {
      cy.request({
        url: "/my_api"
        auth: {
          bearer: tokens.access_token
        }
      });
    });
  });
});

https://github.com/Fredx87/cypress-keycloak-commands#get-user-tokens-for-calling-apis-from-e2e-tests