From aa1efd06761be3647f21f2afd35dff3f17ea4ba8 Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Mon, 11 May 2026 15:49:25 +0000
Subject: [PATCH] fix(oidc/testfixtures): set legacy KEYCLOAK_ADMIN* env vars for start-dev master-admin bootstrap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase-10 live-IdP smoke (post-iss-param fix landing in 360e744) advanced 4 of 6 integration tests to green. The remaining 2 — the realm-key rotation tests — failed with: admin-cli token: HTTP 401 at the master-realm token endpoint.
Root cause: Keycloak 26.x has TWO admin-bootstrap env-var pairs and the right pair depends on the launch command:
- 'start' (production): KC_BOOTSTRAP_ADMIN_USERNAME + KC_BOOTSTRAP_ADMIN_PASSWORD
- 'start-dev': KEYCLOAK_ADMIN + KEYCLOAK_ADMIN_PASSWORD
The fixture sets KC_BOOTSTRAP_ADMIN_USERNAME + KC_BOOTSTRAP_ADMIN_PASSWORD but runs 'start-dev'. The bootstrap pair is silently ignored in dev-mode, leaving the master realm with no admin user → admin-cli token endpoint returns 401 → RotateRealmKeys can't authenticate to the Admin API. The 4 auth-code flow tests passed because they authenticate the engineer / viewer test users INSIDE the certctl realm (created by the realm import), which doesn't need a master admin.
Fix: set BOTH pairs as belt-and-braces. The legacy KEYCLOAK_ADMIN pair covers start-dev today; the KC_BOOTSTRAP_ADMIN_* pair keeps a future flip to 'start' working. Inline comment in the fixture explains the why so a future reader doesn't drop one back.
Verify (sandbox): go vet -tags=integration clean; gofmt clean. Workstation re-runs 'make keycloak-integration-test' to confirm the 2 rotation tests now reach + execute the Admin API successfully.
---
internal/auth/oidc/testfixtures/keycloak.go | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/internal/auth/oidc/testfixtures/keycloak.go b/internal/auth/oidc/testfixtures/keycloak.go
index 58ab03f..8e7d8cb 100644
--- a/internal/auth/oidc/testfixtures/keycloak.go
+++ b/internal/auth/oidc/testfixtures/keycloak.go
@@ -153,6 +153,23 @@ func StartKeycloak(t *testing.T) *KeycloakFixture {
 Image: KeycloakImage,
 ExposedPorts: []string{"8080/tcp"},
 Env: map[string]string{
+ // Keycloak 26.x has TWO sets of admin-bootstrap env vars
+ // and the right pair depends on the launch command:
+ // - `start` (production): KC_BOOTSTRAP_ADMIN_USERNAME +
+ // KC_BOOTSTRAP_ADMIN_PASSWORD
+ // - `start-dev`: KEYCLOAK_ADMIN + KEYCLOAK_ADMIN_PASSWORD
+ //
+ // This fixture runs `start-dev` (see the Cmd line below).
+ // Pre-fix only the KC_BOOTSTRAP_ADMIN_* names were set —
+ // they're silently ignored in dev-mode, leaving the
+ // master-realm with no admin user. The auth-code flow tests
+ // passed (they authenticate test users in the certctl
+ // realm), but the RotateRealmKeys path 401's on the
+ // admin-cli token endpoint because there's no admin to
+ // authenticate as. Set BOTH pairs as belt-and-braces so a
+ // future flip to `start` doesn't re-introduce the same gap.
+ "KEYCLOAK_ADMIN": AdminUser,
+ "KEYCLOAK_ADMIN_PASSWORD": AdminPass,
 "KC_BOOTSTRAP_ADMIN_USERNAME": AdminUser,
 "KC_BOOTSTRAP_ADMIN_PASSWORD": AdminPass,
 // Disable HTTPS in dev mode; the integration test runs
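Review bot: StartKeycloak still has no check that the master-realm admin bootstrap actually took effect, so if either env-var pair stops being honoured the failure will again surface as an HTTP 401 deep inside the key-rotation tests instead of at fixture start-up; after the container readiness wait (StartKeycloak continues past the end of this hunk) the fixture should request one admin-cli token for the master realm and `t.Fatalf` with the returned status if it cannot. The comment's claim that KC_BOOTSTRAP_ADMIN_* is ignored under `start-dev` is specific to the Keycloak release pinned by `KeycloakImage`, and the commit title itself calls the KEYCLOAK_ADMIN pair legacy, so the comment should name the image version on which this was observed and the start-up probe should stay so the next image bump re-verifies the bootstrap rather than trusting the belt-and-braces. The fifteen-line narrative ("Pre-fix only … 401's …") is commit-message history inside a map literal; a contract-only comment such as `// start-dev reads KEYCLOAK_ADMIN*, start reads KC_BOOTSTRAP_ADMIN_*; set both so either launch command bootstraps the master admin.` preserves the why without the incident log.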