diff --git a/mypy.ini b/mypy.ini
index 46f8db86749402a13da4be604b0cdb6df568df2a..fb4140aec848b2fd36037d55f2dcd4437ba630b8 100644
--- a/mypy.ini
+++ b/mypy.ini
@@ -11,5 +11,5 @@ ignore_missing_imports = True
[mypy-pytest.*]
ignore_missing_imports = True
-# [mypy-add_your_lib_here.*]
-# ignore_missing_imports = True
+[mypy-keycloak.*]
+ignore_missing_imports = True
diff --git a/requirements-test.txt b/requirements-test.txt
index e079f8a6038dd2dc8512967540f96ee0de172067..5821059617ef3661bd493ee82a90008fbf6494c9 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1 +1,2 @@
pytest
+requests_mock
diff --git a/swh/auth/tests/conftest.py b/swh/auth/tests/conftest.py
new file mode 100644
index 0000000000000000000000000000000000000000..ed44d5f2b13318b847b16898c4f5bb2841aee2e1
--- /dev/null
+++ b/swh/auth/tests/conftest.py
@@ -0,0 +1,176 @@
+# Copyright (C) 2021 The Software Heritage developers
+# See the AUTHORS file at the top-level directory of this distribution
+# License: GNU Affero General Public License version 3, or any later version
+# See top-level LICENSE file for more information
+
+import pytest
+
+SERVER_URL = "http://keycloak:8080/keycloak/auth/"
+REALM = "SoftwareHeritage"
+
+WELL_KNOWN = {
+ "issuer": f"{SERVER_URL}realms/SoftwareHeritage",
+ "well-known": f"{SERVER_URL}realms/{REALM}/.well-known/openid-configuration",
+ "authorization_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/auth", # noqa
+ "token_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/token",
+ "introspection_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/token/introspect", # noqa
+ "userinfo_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/userinfo",
+ "end_session_endpoint": f"{SERVER_URL}realms/{REALM}/protocol/openid-connect/logout", # noqa
+ "jwks_uri": "{SERVER_URL}realms/{REALM}/protocol/openid-connect/certs",
+ "check_session_iframe": "{SERVER_URL}realms/{REALM}/protocol/openid-connect/login-status-iframe.html", # noqa
+ "grant_types_supported": [
+ "authorization_code",
+ "implicit",
+ "refresh_token",
+ "password",
+ "client_credentials",
+ ],
+ "response_types_supported": [
+ "code",
+ "none",
+ "id_token",
+ "token",
+ "id_token token",
+ "code id_token",
+ "code token",
+ "code id_token token",
+ ],
+ "subject_types_supported": ["public", "pairwise"],
+ "id_token_signing_alg_values_supported": [
+ "PS384",
+ "ES384",
+ "RS384",
+ "HS256",
+ "HS512",
+ "ES256",
+ "RS256",
+ "HS384",
+ "ES512",
+ "PS256",
+ "PS512",
+ "RS512",
+ ],
+ "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
+ "id_token_encryption_enc_values_supported": [
+ "A256GCM",
+ "A192GCM",
+ "A128GCM",
+ "A128CBC-HS256",
+ "A192CBC-HS384",
+ "A256CBC-HS512",
+ ],
+ "userinfo_signing_alg_values_supported": [
+ "PS384",
+ "ES384",
+ "RS384",
+ "HS256",
+ "HS512",
+ "ES256",
+ "RS256",
+ "HS384",
+ "ES512",
+ "PS256",
+ "PS512",
+ "RS512",
+ "none",
+ ],
+ "request_object_signing_alg_values_supported": [
+ "PS384",
+ "ES384",
+ "RS384",
+ "HS256",
+ "HS512",
+ "ES256",
+ "RS256",
+ "HS384",
+ "ES512",
+ "PS256",
+ "PS512",
+ "RS512",
+ "none",
+ ],
+ "response_modes_supported": ["query", "fragment", "form_post"],
+ "registration_endpoint": "{SERVER_URL}realms/{REALM}/clients-registrations/openid-connect", # noqa
+ "token_endpoint_auth_methods_supported": [
+ "private_key_jwt",
+ "client_secret_basic",
+ "client_secret_post",
+ "tls_client_auth",
+ "client_secret_jwt",
+ ],
+ "token_endpoint_auth_signing_alg_values_supported": [
+ "PS384",
+ "ES384",
+ "RS384",
+ "HS256",
+ "HS512",
+ "ES256",
+ "RS256",
+ "HS384",
+ "ES512",
+ "PS256",
+ "PS512",
+ "RS512",
+ ],
+ "claims_supported": [
+ "aud",
+ "sub",
+ "iss",
+ "auth_time",
+ "name",
+ "given_name",
+ "family_name",
+ "preferred_username",
+ "email",
+ "acr",
+ ],
+ "claim_types_supported": ["normal"],
+ "claims_parameter_supported": True,
+ "scopes_supported": [
+ "openid",
+ "microprofile-jwt",
+ "web-origins",
+ "roles",
+ "phone",
+ "address",
+ "email",
+ "profile",
+ "offline_access",
+ ],
+ "request_parameter_supported": True,
+ "request_uri_parameter_supported": True,
+ "require_request_uri_registration": True,
+ "code_challenge_methods_supported": ["plain", "S256"],
+ "tls_client_certificate_bound_access_tokens": True,
+ "revocation_endpoint": "{SERVER_URL}realms/{REALM}/protocol/openid-connect/revoke",
+ "revocation_endpoint_auth_methods_supported": [
+ "private_key_jwt",
+ "client_secret_basic",
+ "client_secret_post",
+ "tls_client_auth",
+ "client_secret_jwt",
+ ],
+ "revocation_endpoint_auth_signing_alg_values_supported": [
+ "PS384",
+ "ES384",
+ "RS384",
+ "HS256",
+ "HS512",
+ "ES256",
+ "RS256",
+ "HS384",
+ "ES512",
+ "PS256",
+ "PS512",
+ "RS512",
+ ],
+ "backchannel_logout_supported": True,
+ "backchannel_logout_session_supported": True,
+}
+
+
+@pytest.fixture
+def mock_keycloak(requests_mock):
+ requests_mock.get(WELL_KNOWN["well-known"], json=WELL_KNOWN)
+
+ return requests_mock
diff --git a/swh/auth/tests/test_auth.py b/swh/auth/tests/test_auth.py
new file mode 100644
index 0000000000000000000000000000000000000000..4f65567858c726eb8d4a9a4e937381139d1bd964
--- /dev/null
+++ b/swh/auth/tests/test_auth.py
@@ -0,0 +1,25 @@
+# Copyright (C) 2021 The Software Heritage developers
+# See the AUTHORS file at the top-level directory of this distribution
+# License: GNU Affero General Public License version 3, or any later version
+# See top-level LICENSE file for more information
+
+import pytest
+
+from swh.auth import KeycloakOpenIDConnect
+
+from .conftest import REALM, SERVER_URL, WELL_KNOWN
+
+
+@pytest.fixture
+def keycloak_open_id_connect():
+ return KeycloakOpenIDConnect(
+ server_url=SERVER_URL, realm_name=REALM, client_id="client-id",
+ )
+
+
+def test_auth_well_known(mock_keycloak, keycloak_open_id_connect):
+ well_known_result = keycloak_open_id_connect.well_known()
+ assert well_known_result is not None
+ assert well_known_result == WELL_KNOWN
+
+ assert mock_keycloak.called
diff --git a/swh/auth/tests/test_nothing.py b/swh/auth/tests/test_nothing.py
deleted file mode 100644
index cf504a4522c69481861d8b1a35c2843cb6e29543..0000000000000000000000000000000000000000
--- a/swh/auth/tests/test_nothing.py
+++ /dev/null
@@ -1,3 +0,0 @@
-def test_nothing():
- # Placeholder; remove this when we add actual tests
- pass