Scenario AuthorizationCode

Login a user with a username and password and exchange the authentication code.

See Scenario overview for a list of all scenarios.

Steps of the scenario

  1. Open the login page.

  2. Login with username and password.

  3. Exchange the authentication code for a token.

  4. Logout with a given probability.

See the source code at AuthorizationCode.scala for details.

Due to the circumstances described in issue #945, this scenario will not work with a non-TLS localhost URLs like http://localhost, http://127.0.0.1 or similar. Instead, use IP addresses of other interfaces, or http://0.0.0.0, or run Keycloak with a TLS certificate.

Running an example scenario

Prerequisites

  • Keycloak is running.

  • Realm, user and client exist with the values listed on the CLI.

  • The client needs to have client authentication enabled, which results in an OIDC type of confidential access type, as the confidential client secret is used in the authorization code exchange.

  • This scenario doesn’t need any service account roles set for the client.

See Preparing Keycloak for testing for details how to automate this for the realm and the client.

Running the scenario

The following scenario runs with the default settings for 30 seconds.

See Configuring benchmarks for additional CLI options.

bin/kcb.sh \
  --scenario=keycloak.scenario.authentication.AuthorizationCode \
  --server-url=http://0.0.0.0:8080/ \
  --realm-name=realm-0 \
  --username=user-0 \
  --user-password=user-0-password \
  --client-id=client-0 \
  --client-secret=client-0-secret \
  --client-redirect-uri=http://0.0.0.0:8080 \
  --log-http-on-failure

Variants

To create offline sessions, set the parameter --scope to a value including offline_access, for example, openid profile offline_access.

To test repeated refreshing of tokens between authenticating and logging out, pass --refresh-token-count=<count> and --refresh-token-period=<seconds>. By default, it will close the HTTP connection so that the next request needs to establish a new connection, simulating the behavior of a client where refreshing of token usually happens after the previous connection to Keycloak has already expired. Change this behavior by adding the option --refresh-close-http-connection=false.

Error messages

Invalid parameter: redirect_uri

This could have the following reasons:

  • The client with the given client ID doesn’t exist in the given realm or has been mistyped.

    Remedy: Check that the client ID given on the command line or as the default exists in the given realm.

  • Redirect URI doesn’t match the redirect URI configured in the client.

    Remedy: Check that the redirect URI given on the command line or as the default matches the redirect URI in the client.

Invalid username or password

This could be tested manually by trying to log in as the user on the account console at https://{keyloak-server}/realms/{realm}/account/. This could have the following reasons:

  • The user with the given username doesn’t exist.

    Remedy: Check that the user given on the command line or as the default exists in the given realm.

  • The user has a different password.

    Remedy: Check that the user has the correct password set up.

Invalid parameter value for: scope

There is an unknown scope listed in the scope-parameter.

Check that all scopes exist in the tab Client scopes for the client either as a default or optional scope. The scopes given as the parameter might not exist or there is a typo.

Further Reading