
Parent pom providing dependency and plugin management for applications built with Maven






Download spring-security-test-keycloack-addons

How to add to project

Gradle (Groovy DSL):
	implementation 'com.c4-soft.springaddons:spring-security-test-keycloack-addons:1.2.0'

Gradle (Kotlin DSL):
	implementation ("com.c4-soft.springaddons:spring-security-test-keycloack-addons:1.2.0")

Ivy:
	<dependency org="com.c4-soft.springaddons" name="spring-security-test-keycloack-addons" rev="1.2.0">
	  <artifact name="spring-security-test-keycloack-addons" type="jar" />
	</dependency>

Grape:
	@Grab(group='com.c4-soft.springaddons', module='spring-security-test-keycloack-addons', version='1.2.0')

SBT:
	libraryDependencies += "com.c4-soft.springaddons" % "spring-security-test-keycloack-addons" % "1.2.0"

Leiningen:
	[com.c4-soft.springaddons/spring-security-test-keycloack-addons "1.2.0"]


compile (14)

Group / Artifact Type Version
com.c4-soft.springaddons : spring-security-oauth2-addons jar 1.2.0
com.c4-soft.springaddons : spring-security-test-oauth2-addons jar 1.2.0
org.keycloak : keycloak-spring-security-adapter jar
org.springframework.boot : spring-boot-test-autoconfigure jar 2.2.4.RELEASE
org.mockito : mockito-core jar 3.1.0
: spring-security-test jar
: spring-security-oauth2-resource-server jar
: spring-security-oauth2-client jar
: spring-security-oauth2-jose jar
org.springframework : spring-webmvc jar
org.springframework : spring-core jar
javax.servlet : javax.servlet-api jar 4.0.1
org.springframework : spring-webflux jar
junit : junit jar 4.12

test (5)

Group / Artifact Type Version
org.assertj : assertj-core jar 3.13.2
: spring-security-config jar
org.springframework.boot : spring-boot-starter-web jar 2.2.4.RELEASE
org.springframework.boot : spring-boot-starter-security jar 2.2.4.RELEASE
org.keycloak : keycloak-spring-boot-starter jar

Project Modules

There are no modules declared in this project.


Set of tools I find useful to work with Spring-framework. For now it is focused on spring-security with OAuth2, but could grow.

As I write this, latest springaddons.version is 2.4.1 but I could forget to update before releasing, so please refer to to pick latest available release of one of the following:




Some extensions to Spring OAuth2 that could be of use at runtime (not solely tests) such as:

  • new Authentication implementations (OidcIdAuthenticationToken for instance)
  • builders for Jwt, BearerTokenAuthentication, ...
  • base classes for Keycloak authentication configuration


Code common to webmvc and webflux test libs. This includes annotations, which are very useful as they allow testing not only @Controller but also any other kind of @Component (such as @Service): @WithMockAuthentication, @WithMockKeycloakAuth and @WithMockOidcId


Focus on reactive tests with

  • "fluent" API for WebTestClient
  • some tooling around WebTestClient: configurable default media-type and charset, requests shortcuts


Focus on servlet tests with

  • "fluent" API for MockMvc
  • some tooling around MockMvc: configurable default media-type and charset, requests shortcuts

Sample applications

I put quite a few spring-boot app samples in spring-security-oauth2-test-webmvc-addons and spring-security-oauth2-test-webflux-addons.

The reason why samples are in test sources (under src/test folders) is to keep the jars small. They can, of course, be run or debugged from within your favorite IDE.

I recommend you clone my repo and debug the samples with a REST client like Postman, so that you can hack the config and tests. Adapting the samples to your Keycloak instance should be just a matter of editing

Caveat: do not narrow your exploration to the keycloak sample just because you are using a Keycloak authorization-server: I run all samples against a Keycloak instance.

Last, *RetrievingAuthoritiesFromDatabase samples retrieve authorities from a DB instead of extracting them from JWT claims. The key in the DB is the user "subject". In that case, the Keycloak authorisation-server is responsible for ensuring user ID only; authorities are the responsibility of the resource-server. As a consequence, (to run only, not in unit-tests) those samples expect a database to be accessible and populated, which I can't do for you as I can't know the "subject" claims for your test users registered in your Keycloak instance.
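One way a resource-server can take over authorities as described above, shown as an added example that is not code from this project's samples: a Spring Security converter that ignores any role claims in the JWT and loads authorities from a database keyed by the subject claim. The `user_authorities` table, its `subject` and `authority` columns, the class name and the use of `JdbcTemplate` (spring-jdbc) are assumptions.

```java
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.core.convert.converter.Converter;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

// Hypothetical class: the token proves identity only, the resource-server decides authorities.
public class SubjectAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    // Assumed schema: user_authorities(subject VARCHAR, authority VARCHAR)
    private static final String QUERY =
            "SELECT authority FROM user_authorities WHERE subject = ?";

    private final JdbcTemplate jdbc;

    public SubjectAuthoritiesConverter(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        String subject = jwt.getSubject();
        if (subject == null || subject.isBlank()) {
            // Fail closed: a token without a subject gets no authorities at all.
            return List.of();
        }
        // Bound parameter, never string concatenation: the subject comes from the token.
        return jdbc.queryForList(QUERY, String.class, subject).stream()
                .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }

    // Plug into the resource-server config with:
    // http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(authenticationConverter(jdbc))
    public static JwtAuthenticationConverter authenticationConverter(JdbcTemplate jdbc) {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new SubjectAuthoritiesConverter(jdbc));
        return converter;
    }
}
```

A subject that is unknown to the database ends up authenticated with an empty authority list, so every role-protected endpoint denies it by default.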

Java version

11 or higher. I've been asked to port this lib to Java 8. I won't. Java 8 was released in early 2014, more than 6 years ago; the language and JDK have improved and I use some of the recent collections and stream APIs.

keycloak-spring-boot-starter & keycloak-spring-security-adapter version

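If using Keycloak with version >= 9.0.2 and < 11.0.0, you need to add the following bean to your conf because of a regression:

	import org.keycloak.adapters.KeycloakConfigResolver;
	import org.keycloak.adapters.KeycloakDeployment;
	import org.keycloak.adapters.KeycloakDeploymentBuilder;
	import org.keycloak.adapters.OIDCHttpFacade;
	import org.keycloak.representations.adapters.config.AdapterConfig;

	public class SpringBootKeycloakConfigResolver implements KeycloakConfigResolver {

		// Built lazily on first request, then reused
		private KeycloakDeployment keycloakDeployment;

		private AdapterConfig adapterConfig;

		public SpringBootKeycloakConfigResolver(AdapterConfig adapterConfig) {
			this.adapterConfig = adapterConfig;
		}

		@Override
		public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
			if (keycloakDeployment != null) {
				return keycloakDeployment;
			}

			// Build the deployment from the Spring Boot adapter properties
			keycloakDeployment = KeycloakDeploymentBuilder.build(adapterConfig);

			return keycloakDeployment;
		}
	}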

From 11.0.0 on, just @Import(KeycloakSpringBootConfigResolver.class) with @KeycloakConfiguration on your KeycloakWebSecurityConfigurerAdapter implementation.

Release notes

2.0 comes with a noticeable amount of breaking changes. So let's start tracking features.



  • rename ServletKeycloakAuthUnitTestingSupport::keycloakAuthenticationToken() to authentication() to improve API fluidity (api.with(keycloak.authentication()).get(...))


  • implementation closer to OpenID specs: split claims into @IdTokenClaims and @OidcStandardClaims
  • re-use OIDC ID annotations into @WithMockKeycloakAuth


  • OidcId::getName() returns subject claim instead of preferred_username
  • replace name with subject in @WithMockOidcId
  • replace name from @WithMockKeycloakAuth with preferedUsername in @WithAccessToken
  • support for private claims in @WithMockOidcId and @WithMockKeycloakAuth (claims with values of type int, long, String and String[] only)
  • add missing subject claim in Keycloak access and ID tokens
  • compose @WithAccessToken with @WithKeycloakIDToken instead of repeating properties (AccessToken extends IDToken)
  • add advanced @WithMockKeycloakAuth sample usage in spring-security-oauth2-test-addons README


  • fix Keycloak typo (was wrongly spelled Keycloack at many places)
  • add samples with authorities retrieved from a DB instead of the JWT for both OidcIdAuthenticationToken and JwtAuthenticationToken
  • add sample involving keycloak-spring-boot-starter and keycloak-spring-security-adapter


This release is still focused on unit-testing Spring OAuth2 applications

  • @WithMockAuthentication annotation along with mockAuthentication() servlet (webmvc) and reactive (webflux) flow APIs. You choose the Authentication type, the framework feeds the security context with a Mockito mock. This is dead simple but should cover 99% of test cases. I wonder why I didn't think of it sooner...
  • Focus solely on adding to Spring Authentication implementations and tests tooling (no more alternatives, with an exception for OidcId which overlaps Spring's OidcIdToken)
  • Split webmvc (servlets) and webflux (reactive) code in distinct libs to ease dependency management
  • Re-shuffle packages and jars (less code, less jars, more expressive package names)
  • WIP: Extensive samples and tests. Samples are boot apps under src/test to keep jars small
  • Use Keycloak as authorisation-server for all resource-server samples, each of which configures a specific Authentication impl

Note that I chose Keycloak because it's a feature-rich, easy-to-set-up authorisation-server. It should not be much of an effort to migrate sample resource-servers to another one, with an exception of those using KeycloakAuthenticationToken as authentication impl, of course.

