Add scope param to oidc refresh token request #1977
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Keycloak CI | |
on: | |
push: | |
branches-ignore: | |
- main | |
- dependabot/** | |
pull_request: | |
workflow_dispatch: | |
env: | |
MAVEN_ARGS: "-B -nsu -Daether.connector.http.connectionMaxTtl=25" | |
SUREFIRE_RERUN_FAILING_COUNT: 2 | |
SUREFIRE_RETRY: "-Dsurefire.rerunFailingTestsCount=2" | |
concurrency: | |
# Only cancel jobs for PR updates | |
group: ci-${{ github.ref }} | |
cancel-in-progress: true | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
conditional: | |
name: Check conditional workflows and jobs | |
runs-on: ubuntu-latest | |
outputs: | |
ci: ${{ steps.conditional.outputs.ci }} | |
ci-store: ${{ steps.conditional.outputs.ci-store }} | |
ci-sssd: ${{ steps.conditional.outputs.ci-sssd }} | |
steps: | |
- uses: actions/checkout@v4 | |
- id: conditional | |
uses: ./.github/actions/conditional | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
build: | |
name: Build | |
if: needs.conditional.outputs.ci == 'true' | |
runs-on: ubuntu-latest | |
needs: conditional | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Build Keycloak | |
uses: ./.github/actions/build-keycloak | |
unit-tests: | |
name: Base UT | |
runs-on: ubuntu-latest | |
needs: build | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v4 | |
- id: unit-test-setup | |
name: Unit test setup | |
uses: ./.github/actions/unit-test-setup | |
- name: Run unit tests | |
run: | | |
SEP="" | |
PROJECTS="" | |
for i in `find -name '*Test.java' -type f | egrep -v './(testsuite|quarkus|docs)/' | sed 's|/src/test/java/.*||' | sort | uniq | sed 's|./||'`; do | |
PROJECTS="$PROJECTS$SEP$i" | |
SEP="," | |
done | |
./mvnw test -pl "$PROJECTS" -am | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: unit-tests | |
base-integration-tests: | |
name: Base IT | |
needs: build | |
runs-on: ubuntu-latest | |
timeout-minutes: 100 | |
strategy: | |
matrix: | |
group: [1, 2, 3, 4, 5, 6] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- name: Run base tests | |
run: | | |
TESTS=`testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh ${{ matrix.group }}` | |
echo "Tests: $TESTS" | |
./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: Base IT | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: base-integration-tests-${{ matrix.group }} | |
quarkus-unit-tests: | |
name: Quarkus UT | |
needs: build | |
timeout-minutes: 15 | |
strategy: | |
matrix: | |
os: [ ubuntu-latest, windows-latest ] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
# We want to download Keycloak artifacts | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- name: Run unit tests | |
run: | | |
./mvnw test -f quarkus/pom.xml -pl '!tests,!tests/junit5,!tests/integration,!dist' | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: quarkus-unit-tests | |
quarkus-integration-tests: | |
name: Quarkus IT | |
needs: build | |
timeout-minutes: 115 | |
strategy: | |
matrix: | |
os: [ubuntu-latest, windows-latest] | |
server: [sanity-check-zip, zip, container, storage] | |
exclude: | |
- os: windows-latest | |
server: zip | |
- os: windows-latest | |
server: container | |
- os: windows-latest | |
server: storage | |
fail-fast: false | |
runs-on: ${{ matrix.os }} | |
env: | |
MAVEN_OPTS: -Xmx1024m | |
steps: | |
- uses: actions/checkout@v4 | |
- id: unit-test-setup | |
name: Unit test setup | |
uses: ./.github/actions/unit-test-setup | |
# Not sure why, but needs to re-build otherwise there's some failures starting up | |
- name: Run Quarkus integration Tests | |
run: | | |
declare -A PARAMS | |
PARAMS["sanity-check-zip"]="-Dtest=StartCommandDistTest,StartDevCommandDistTest,BuildAndStartDistTest,ImportAtStartupDistTest" | |
PARAMS["zip"]="" | |
PARAMS["container"]="-Dkc.quarkus.tests.dist=docker" | |
PARAMS["storage"]="-Ptest-database -Dtest=PostgreSQLDistTest,MariaDBDistTest#testSuccessful,MySQLDistTest#testSuccessful,DatabaseOptionsDistTest,JPAStoreDistTest,HotRodStoreDistTest,MixedStoreDistTest,TransactionConfigurationDistTest,ExternalInfinispanTest" | |
./mvnw install -pl quarkus/tests/integration -am -DskipTests | |
./mvnw test -pl quarkus/tests/integration ${PARAMS["${{ matrix.server }}"]} 2>&1 | misc/log/trimmer.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: quarkus-integration-tests-${{ matrix.os }}-${{ matrix.server }} | |
jdk-integration-tests: | |
name: Java Distribution IT | |
needs: build | |
timeout-minutes: 100 | |
strategy: | |
matrix: | |
os: [ubuntu-latest, windows-latest] | |
dist: [temurin] | |
version: [19] | |
fail-fast: false | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
with: | |
jdk-dist: ${{ matrix.dist }} | |
jdk-version: ${{ matrix.version }} | |
- name: Prepare Quarkus distribution with current JDK | |
run: ./mvnw install -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus | |
- name: Run base tests | |
run: | | |
TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh jdk` | |
echo "Tests: $TESTS" | |
./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh | |
- name: Build with JDK | |
run: | |
./mvnw install -e -DskipTests -DskipExamples | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: Java Distribution IT | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: jdk-integration-tests-${{ matrix.os }}-${{ matrix.dist }}-${{ matrix.version }} | |
legacy-store-integration-tests: | |
name: Legacy Store IT | |
needs: [build, conditional] | |
if: needs.conditional.outputs.ci-store == 'true' | |
runs-on: ubuntu-latest | |
timeout-minutes: 75 | |
strategy: | |
matrix: | |
db: [postgres, mysql, oracle, mssql, mariadb] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- name: Run base tests | |
run: | | |
TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh database` | |
echo "Tests: $TESTS" | |
./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Pdb-${{ matrix.db }} -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: Legacy Store IT | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: legacy-store-integration-tests-${{ matrix.db }} | |
store-model-tests: | |
name: Store Model Tests | |
runs-on: ubuntu-latest | |
needs: [build, conditional] | |
if: needs.conditional.outputs.ci-store == 'true' | |
timeout-minutes: 75 | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- name: Run model tests | |
run: testsuite/model/test-all-profiles.sh ${{ env.SUREFIRE_RETRY }} | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: Store Model Tests | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: store-model-tests | |
clustering-integration-tests: | |
name: Legacy Clustering IT | |
needs: build | |
runs-on: ubuntu-latest | |
timeout-minutes: 35 | |
env: | |
MAVEN_OPTS: -Xmx1024m | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- name: Run cluster tests | |
run: | | |
./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-cluster-quarkus -Dsession.cache.owners=2 -Dtest=**.cluster.** -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: Legacy Clustering IT | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: clustering-integration-tests | |
fips-unit-tests: | |
name: FIPS UT | |
runs-on: ubuntu-latest | |
needs: build | |
timeout-minutes: 20 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Fake fips | |
run: | | |
cd .github/fake_fips | |
make | |
sudo insmod fake_fips.ko | |
- id: unit-test-setup | |
name: Unit test setup | |
uses: ./.github/actions/unit-test-setup | |
- name: Run crypto tests | |
run: docker run --rm --workdir /github/workspace -v "${{ github.workspace }}":"/github/workspace" -v "$HOME/.m2":"/root/.m2" registry.access.redhat.com/ubi8/ubi:latest .github/scripts/run-fips-ut.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: fips-unit-tests | |
fips-integration-tests: | |
name: FIPS IT | |
needs: build | |
runs-on: ubuntu-latest | |
timeout-minutes: 45 | |
strategy: | |
matrix: | |
mode: [non-strict, strict] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Fake fips | |
run: | | |
cd .github/fake_fips | |
make | |
sudo insmod fake_fips.ko | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
with: | |
jdk-version: 17 | |
- name: Prepare Quarkus distribution with BCFIPS | |
run: ./mvnw install -e -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus,auth-server-fips140-2 | |
- name: Run base tests | |
run: docker run --rm --workdir /github/workspace -e "SUREFIRE_RERUN_FAILING_COUNT" -v "${{ github.workspace }}":"/github/workspace" -v "$HOME/.m2":"/root/.m2" registry.access.redhat.com/ubi8/ubi:latest .github/scripts/run-fips-it.sh ${{ matrix.mode }} | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: FIPS IT | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: fips-integration-tests-${{ matrix.mode }} | |
account-console-integration-tests: | |
name: Account Console IT | |
runs-on: ubuntu-latest | |
needs: build | |
timeout-minutes: 75 | |
strategy: | |
matrix: | |
browser: [chrome] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- name: Run Account Console IT | |
run: ./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Dtest=**.account2.**,!SigningInTest#passwordlessWebAuthnTest,!SigningInTest#twoFactorWebAuthnTest -Dbrowser=${{ matrix.browser }} "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" -f testsuite/integration-arquillian/tests/other/base-ui/pom.xml 2>&1 | misc/log/trimmer.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: Account Console IT | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: account-console-integration-tests-${{ matrix.browser }} | |
forms-integration-tests: | |
name: Forms IT | |
runs-on: ubuntu-latest | |
needs: build | |
timeout-minutes: 75 | |
strategy: | |
matrix: | |
browser: [chrome, firefox] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- name: Run Forms IT | |
run: | | |
TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh forms` | |
echo "Tests: $TESTS" | |
./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Dtest=$TESTS -Dbrowser=${{ matrix.browser }} "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" "-Dwebdriver.gecko.driver=$GECKOWEBDRIVER/geckodriver" -f testsuite/integration-arquillian/tests/base/pom.xml 2>&1 | misc/log/trimmer.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: Forms IT | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: forms-integration-tests-${{ matrix.browser }} | |
webauthn-integration-tests: | |
name: WebAuthn IT | |
runs-on: ubuntu-latest | |
needs: build | |
timeout-minutes: 45 | |
strategy: | |
matrix: | |
browser: | |
- chrome | |
# - firefox disabled until https://github.com/keycloak/keycloak/issues/20777 is resolved | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
# Don't use Chrome for testing (just regular Chrome) until https://github.com/keycloak/keycloak/issues/22214 is resolved | |
#- id: install-chrome | |
# name: Install Chrome browser | |
# uses: ./.github/actions/install-chrome | |
# if: matrix.browser == 'chrome' | |
- name: Run WebAuthn IT | |
run: ./mvnw test ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Dtest=org.keycloak.testsuite.webauthn.**.*Test -Dbrowser=${{ matrix.browser }} "-Dwebdriver.chrome.driver=$CHROMEWEBDRIVER/chromedriver" "-Dwebdriver.gecko.driver=$GECKOWEBDRIVER/geckodriver" -Pwebauthn -f testsuite/integration-arquillian/tests/other/pom.xml 2>&1 | misc/log/trimmer.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: WebAuthn IT | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: webauthn-integration-tests-${{ matrix.browser }} | |
sssd-unit-tests: | |
name: SSSD | |
runs-on: ubuntu-latest | |
if: needs.conditional.outputs.ci-sssd == 'true' | |
needs: | |
- conditional | |
- build | |
timeout-minutes: 30 | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- id: weekly-cache-key | |
name: Key for weekly rotation of cache | |
shell: bash | |
run: echo "key=ipa-data-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT | |
- id: cache-maven-repository | |
name: ipa-data cache | |
uses: actions/cache@v3 | |
with: | |
path: ~/ipa-data.tar | |
key: ${{ steps.weekly-cache-key.outputs.key }} | |
- name: Run tests | |
run: .github/scripts/run-ipa.sh "${{ github.workspace }}" | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: sssd-unit-tests | |
migration-tests: | |
name: Migration Tests | |
runs-on: ubuntu-latest | |
needs: build | |
timeout-minutes: 45 | |
strategy: | |
matrix: | |
old-version: [19.0.3] | |
database: [postgres, mysql, oracle, mssql, mariadb] | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- id: integration-test-setup | |
name: Integration test setup | |
uses: ./.github/actions/integration-test-setup | |
- name: Run Migration Tests | |
run: | | |
./mvnw clean install ${{ env.SUREFIRE_RETRY }} \ | |
-Pauth-server-quarkus -Pdb-${{ matrix.database }} -Pauth-server-migration \ | |
-Dtest=MigrationTest \ | |
-Dmigration.mode=auto \ | |
-Dmigrated.auth.server.version=${{ matrix.old-version }} \ | |
-Dmigration.import.file.name=migration-realm-${{ matrix.old-version }}.json \ | |
-Dauth.server.ssl.required=false \ | |
-Dauth.server.db.host=localhost \ | |
-f testsuite/integration-arquillian/pom.xml 2>&1 | misc/log/trimmer.sh | |
- name: Upload JVM Heapdumps | |
if: always() | |
uses: ./.github/actions/upload-heapdumps | |
- uses: ./.github/actions/upload-flaky-tests | |
name: Upload flaky tests | |
env: | |
GH_TOKEN: ${{ github.token }} | |
with: | |
job-name: Migration Tests | |
- name: Surefire reports | |
if: always() | |
uses: ./.github/actions/archive-surefire-reports | |
with: | |
job-id: migration-tests-${{ matrix.old-version }}-${{ matrix.database }} | |
check: | |
name: Status Check - Keycloak CI | |
if: always() | |
needs: | |
- conditional | |
- unit-tests | |
- base-integration-tests | |
- quarkus-unit-tests | |
- quarkus-integration-tests | |
- jdk-integration-tests | |
- legacy-store-integration-tests | |
- store-model-tests | |
- clustering-integration-tests | |
- fips-unit-tests | |
- fips-integration-tests | |
- account-console-integration-tests | |
- forms-integration-tests | |
- webauthn-integration-tests | |
- sssd-unit-tests | |
- migration-tests | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/status-check | |
with: | |
jobs: ${{ toJSON(needs) }} |