2 failed and 1 flaky tests on run #9525 ↗︎

2

525

48

0

1

Details:

  cypress/e2e/realm_settings_general_tab_test.spec.ts • 2 failed tests • chrome

View Output Video

Test		Artifacts
Realm settings general tab tests > Check Access Endpoints OpenID Endpoint Configuration link		Test Replay Output Screenshots
Realm settings general tab tests > Access Endpoints OpenID Endpoint Configuration link		Test Replay Output Screenshots

  cypress/e2e/clients_test.spec.ts • 1 flaky test • chrome

View Output Video

Test		Artifacts
Clients test > Keys tab test > Generate new keys		Test Replay Output Screenshots

Review all test suite changes for PR #10905 ↗︎

We have rebased this PR in current main and we have added support for new admin console.
Could you review it?

Configuring claims_supported parameter in Keycloak OP metadata is useful because we are not able now to show claims supported by our instance – which are different than the default. This can lead to client misconfigurations. Moreover, take into account that documentation mentioned "Note that for privacy or other reasons, this might not be an exhaustive list.”

@jonkoops my co-worker @linathedog have done requested changes.

It would be simpler if we could leverage the same set of claims across all the realms and add a provider property instead.

But I guess you really want to make this realm-specific, right?

Trying to figure out if we can start small by enabling this at the provider level instead of changing UIs and storage. I did not find any discussion about this, that is why I'm asking.

We could open a discussion for this.
However, we believe that configuration must be inside realm.
Some of our instnces have only one extra realm and other instances is based on multirealm with some different configuration including claims supported.

@cgeorgilakis I'm sorry for pointing this but as you know we don't have good support for multiple realms. Yeah, kinda of an old issue/request/problem/discussion ....

Another problem I see here is that the provider is already handling customizations to the metadata but using a different approach. For instance, you can override any metadata by setting the openid-configuration-override property as you can see here https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProviderFactory.java#L55. To solve this particular problem, we could probably add support for prefixing files so that we read them on a per-realm basis. It should work if you know your realms beforehand but yeah, not as good as your proposal.

If we accept the changes you are proposing we are adding a different behavior (better, for sure) to override the default metadata and, IMO, we should choose one or another. I'm in favor of your solution but we need to also consider the other settings we have in the current implementation of the provider:

• Possibility to enable/disable client scopes. Perhaps we can do even better here and actually configure which scopes we want to expose.
• Possibility to override any other metadata. Not sure if we want settings for each and every metadata in that document but perhaps the possibility to upload a JSON.

@mposolda @rmartinc Wdyt ?