Avoiding nip.io for stability #38613

ahus1 · 2025-04-02T14:05:32Z

Closes keycloak#38104 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>

ahus1 · 2025-04-02T14:52:34Z

...ration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AbstractSamlTest.java

@@ -73,6 +74,7 @@ public abstract class AbstractSamlTest extends AbstractAuthTest {

    static {
        try {
+            CryptoIntegration.init(Thread.currentThread().getContextClassLoader());


In case you are wondering: This was necessary to run SamlReverseProxyTest isolated from the CLI, as then the crypto integration wasn't initialized yet. This call doesn't do any harm if it isn't initialized yet.

ahus1 · 2025-04-02T16:05:52Z

@vaceksimon / @mhajas - this is a PR which avoids nip.io in the reported places. Please review when you have the time and merge. Thanks!

mhajas

I am not sure we can do this. The purpose of nip.io usage is to simulate usage of a real domain in browser. Cookies for 0.0.0.0 may be handled differently, like it is possible secure cookies are sent also to insecure context when 0.0.0.0 is used.

ahus1 · 2025-04-03T13:42:40Z

For the cookie provider test, 0.0.0.0 is not considered a secure context as long as no https is used, so IMHO it is equivalent to .nip.io and it is not considered a localhost address. I see this regularly when opening that URL in the browse locally and the APIs to copy to the clipboard are regularly not working.

For the reverse proxy it doesn't matter as there are both http and https test. And using 0.0.0.0 didn't work here, as the client will be connecting via the public address, and then the tests will fail.

ahus1 · 2025-04-03T14:02:58Z

@jonkoops - AFAIK you have been involved in the discussion about secure vs. non-secure contexts. Maybe you can help to assess this change.

jonkoops · 2025-04-04T07:43:52Z

0.0.0.0 is not considered a secure context (see specification), so I agree with @ahus1's assessment that this is likely equivalent. We only need to be careful with tests that might do cross-origin requests (need to be on different domains), as those might result in a different result for setting cookies, but I see no such changes here at this time.

Note that 127.0.0.1 (previously proxy.kc.127.0.0.1.nip.io) is considered a secure context, but I am not quite sure if the context for the reverse proxy was ever used securely anywhere that impacts user-agents.

mhajas

Thanks for the fix!

ahus1 self-assigned this Apr 2, 2025

Avoiding nip.io for stability

4a9cf5d

Closes keycloak#38104 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>

ahus1 force-pushed the is-38104-avoid-nip-io-for-stability branch from 67fca54 to 4a9cf5d Compare April 2, 2025 14:45

ahus1 commented Apr 2, 2025

View reviewed changes

ahus1 marked this pull request as ready for review April 2, 2025 16:05

ahus1 requested review from a team as code owners April 2, 2025 16:05

keycloak-github-bot bot added team/cloud-native team/core-clients team/core-iam labels Apr 2, 2025

mhajas reviewed Apr 3, 2025

View reviewed changes

mhajas approved these changes Apr 8, 2025

View reviewed changes

mhajas merged commit 9eb336a into keycloak:main Apr 8, 2025
75 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Avoiding nip.io for stability #38613

Avoiding nip.io for stability #38613

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Avoiding nip.io for stability #38613

Avoiding nip.io for stability #38613

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!