[keycloak-dev] min-time-between-jwks-requests Problems when running tests

Stian Thorgersen sthorger at redhat.com
Mon Mar 6 09:38:02 EST 2017


I'm not 100% sure, but thinking that there are cases where it could cause
issues. For example if a service gets bad requests from a client, say every
5 seconds, it won't be able to fetch new proper keys. I'm probably
overthinking this though.

On 6 March 2017 at 15:27, Marek Posolda <mposolda at redhat.com> wrote:

> Will it be useful for other scenarios besides automated tests? I am not
> seeing why someone would re-import a realm every 10 seconds in a real
> environment?
>
> Even the tests can be easily fixed by putting the keys into JSON reps. And
> once we fix the adapter tests to not require realm re-import after every
> method, even that won't be needed.
>
> Marek
>
>
> On 06/03/17 13:07, Stian Thorgersen wrote:
>
> Is this maybe something we should improve in the adapter in the first
> place? A blind only allow one request every 10 seconds seems a bit too
> forceful. Would it not be better to allow X number of failed attempts
> within some window?
>
> On 2 March 2017 at 12:26, Marek Posolda <mposolda at redhat.com> wrote:
>
>> On 02/03/17 10:08, Marek Posolda wrote:
>> > On 02/03/17 00:29, Bill Burke wrote:
>> >> Ok, I just spent 1.5 days on debugging a problem and I was ready to
>> >> throw my Laptop out of the window I was getting so frustrated.
>> >>
>> >> #1 I copied code from the arquillian adapter tests to deploy my own
>> >> servlet.  When running in IntelliJ, all logging messages by the servlet
>> >> and OIDC adapters were eaten and never displayed.
>> > Keycloak logging is disabled in
>> > testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties.
>> > AFAIK it's disabled just because running the whole testsuite produces very
>> > big logs, which caused issues with Travis.
>> >
>> > I hope it's possible to fix that and have Keycloak logging enabled when
>> > running from IDE, but still keep it disabled when running from command
>> > line with "mvn" command. Will try to look into it. Created:
>> > https://issues.jboss.org/browse/KEYCLOAK-4520
>> Fixed now. Logging for both server and adapters is enabled now when
>> running tests from the IDE.
>>
>> Marek
>> >
>> >> #2 If you have a @Deployment it deploys it in @BeforeClass and only once
>> >> for all tests run in the class
>> >>
>> >> #3 I recreate/destroy my realms for every test
>> >>
>> >> #4 The default "min-time-between-jwks-requests" is 10 seconds... Because
>> >> my servlet doesn't get redeployed per test, the 1st test would set up
>> >> the cache for the realm key for the servlet.  The 2nd test would run,
>> >> because the realms were recreated, there is a different key, but the
>> >> min-time-between-jwks-requests was 10 seconds so it wasn't updating the
>> >> key and my logins would fail.  This was extremely frustrating to debug
>> >> because of #1 and because it only happened if I was running all tests in
>> >> the class.
>> >>
>> >> The workaround is to set "min-time-between-jwks-requests" to zero in
>> >> your adapter configuration.  This is an FYI just in case somebody else
>> >> runs into this.  Took me a while to figure out.
>> > Another possibility is to put private/public keys into your realm JSON.
>> > Then there are always the same keys and the same "kid", and the application
>> > doesn't need to re-download them.
>> >
>> > FYI, with my latest changes, there is no realm reimport for every test
>> > for most of the tests (see other thread I sent yesterday). But
>> > unfortunately this is not yet the case for Adapter tests (subclasses of
>> > AbstractAdapterTest)...
>> >
>> > Marek
>> >> _______________________________________________
>> >> keycloak-dev mailing list
>> >> keycloak-dev at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
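
The trade-off discussed in this thread, as an added illustration (not Keycloak adapter code and not part of the original messages): a fixed minimum interval between JWKS fetches compared with a budget of fetches per sliding window, run over a constructed timeline in which the realm is recreated 3 seconds after the first fetch and tokens with an unknown kid then arrive every second. The class names, the 3-per-10-seconds budget, and the timeline are assumptions.

```python
from collections import deque

class FixedInterval:
    """At most one JWKS fetch per min_interval seconds."""
    def __init__(self, min_interval):
        self.min_interval, self.last = min_interval, None

    def allow(self, now):
        if self.last is not None and now - self.last < self.min_interval:
            return False
        self.last = now
        return True

class SlidingWindow:
    """At most max_fetches JWKS fetches in any span of `window` seconds."""
    def __init__(self, max_fetches, window):
        self.max_fetches, self.window, self.times = max_fetches, window, deque()

    def allow(self, now):
        while self.times and now - self.times[0] >= self.window:
            self.times.popleft()          # forget fetches older than the window
        if len(self.times) >= self.max_fetches:
            return False
        self.times.append(now)
        return True

class KeyCache:
    """Hypothetical verifier-side cache: kid -> key, refetched on an unknown kid."""
    def __init__(self, policy, fetch_jwks):
        self.policy, self.fetch_jwks = policy, fetch_jwks
        self.keys, self.fetches = {}, 0

    def lookup(self, kid, now):
        if kid not in self.keys and self.policy.allow(now):
            self.keys = dict(self.fetch_jwks())   # replace cache with current JWKS
            self.fetches += 1
        return self.keys.get(kid)

def simulate(policy):
    """Constructed timeline; returns (test 1 ok, test 2 ok, JWKS fetches made)."""
    server = {"kid-A": "pubkey-A"}                # realm as created for test 1
    cache = KeyCache(policy, lambda: server)
    first = cache.lookup("kid-A", now=0) is not None
    server.clear(); server["kid-B"] = "pubkey-B"  # realm recreated: new key, new kid
    second = cache.lookup("kid-B", now=3) is not None
    for t in range(4, 10):                        # tokens with an unknown kid, one per second
        cache.lookup("kid-bogus", now=t)
    return first, second, cache.fetches

if __name__ == "__main__":
    print("fixed 10 s interval:", simulate(FixedInterval(10)))
    print("3 fetches per 10 s: ", simulate(SlidingWindow(3, 10)))
```

With the fixed interval the second lookup fails because the refetch is refused; with the window budget it succeeds, and the unknown-kid traffic that follows can trigger only the one fetch left in the budget.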

