grycap · SergioLangaritaBenitez · Oct 22, 2025 · Oct 22, 2025 · Oct 30, 2025 · gmolto
diff --git a/README.md b/README.md
@@ -26,27 +26,37 @@ You can install it by following the [documentation](https://docs.oscar.grycap.ne
 
 ### 🧑‍💻 Setting Up the Configuration File
 
-The test suite uses environment variables to store sensitive information such as  endpoints and credentials.
+The test suite uses environment variables to store sensitive information such as endpoints and credentials. I'd recommend that you have two environment files. The first includes the cluster information, and the second contains the authentication process credentials. This way, you can switch between authentication processes such as EGI-CheckIn or Keycloak. Also, you can create one environment file that contains all the information.
 
 Create a `.env.yaml` file according to the template shown in `env-template.yaml`
 
-The following information is required:
-
+The following information is required about the cluster information:
   - `OSCAR_ENDPOINT`: The endpoint of the OSCAR cluster (e.g. https://mycluster.oscar.grycap.net) 
   - `OSCAR_METRICS`: The endpoint of the OSCAR metrics.
   - `OSCAR_DASHBOARD`: The endpoint of the OSCAR UI (dashboard).
   - `BASIC_USER:`: Base64-encoded information of the authentication for the 'oscar' user (echo -n "oscar:password"  | base64)
-  - `EGI_AAI_URL`: The base URL of the EGI AAI (Authentication and Authorisation Infrastructure) server.
-      - For the production server, use `https://aai.egi.eu`.
-      - For the demo server, use `https://aai-demo.egi.eu`.
-  - `REFRESH_TOKEN`: The OIDC token used to automate the execution of the test suite. In order to get a Refresh Token, head to the [Check-in Token Portal](https://aai.egi.eu/token/) or [Demo Check-in Token Portal](https://aai-demo.egi.eu/token/), click **Authorise** and then **Create Refresh Token** button to generate a new token.
-  - `EGI_VO`: The virtual organization used to test the OSCAR cluster.
-  - `FIRST_USER`: User ID
-  - `FIRST_USER_ID`: Get the first 10 characters of FIRST_USER (e.g. FIRST_USER: 1234567890987654321 -> FIRST_USER_ID: 1234567890) 
-  - `REFRESH_TOKEN_SECOND_USER`: The OIDC token of the second user used to automate the execution
-  - `SECOND_USER`: User ID of the second user
-  - `SECOND_USER_ID`: Get the first 10 characters of SECOND_USER
 
+The next parameters are required to configure the authentication process:
+  - `AUTHENTICATION_PROCESS`: This parameter selects the authentication process between EGI `resources/token-egi.resource` and Keycloak `resources/token-keycloak.resource`. **ALWAYS REQUIRED**.
+  - `AAI_URL`: The URL token of the AAI (Authentication and Authorisation Infrastructure) server. **ALWAYS REQUIRED**.
+      - For the EGI production server, use `https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token`.
+      - For the EGI demo server, use `https://aai-demo.egi.eu/auth/realms/egi/protocol/openid-connect/token`.
+  - `AAI_VO`: The virtual organization used to test the OSCAR cluster. **ALWAYS REQUIRED**.
+  - `CLIENT_ID`: Client ID of Keycloak. Only needed in Keycloak.
+  - `SCOPE`: Scope of Keycloak.  Only needed in Keycloak.
+  - `FIRST_USER`: User ID. **ALWAYS REQUIRED**.
+  - `REFRESH_TOKEN`: The OIDC token used to automate the execution of the test suite. In order to get a Refresh Token, head to the [Check-in Token Portal](https://aai.egi.eu/token/) or [Demo Check-in Token Portal](https://aai-demo.egi.eu/token/), click **Authorise** and then **Create Refresh Token** button to generate a new token. Only used in EGI.
+  - `KEYCLOAK_USERNAME` and `KEYCLOAK_PASSWORD`: The user/password Keycloak authentication. Only used in Keycloak.
+
+In case you are testing isolation or visibility, you have to add a second user:
+  - `SECOND_USER`: User ID of the second user. **ALWAYS REQUIRED**.
+  - `REFRESH_TOKEN_SECOND_USER`: The OIDC token of the second user used to automate the execution.
+  - `KEYCLOAK_USERNAME_AUX` and `KEYCLOAK_PASSWORD_AUX`: The user/password of a second user in Keycloak.
+
+In case you are testing the mount feat using an external OSCAR cluster add,:
+  - `OSCAR_EXTERNAL`: Endpoint of an external OSCAR cluster.
+  - `MINIO_EXTERNAL`: MinIO endpoint of external OSCAR cluster.
+  - `MINIO_SECRET_KEY`: Secret Key of `FIRST_USER` used the `MINIO_EXTERNAL`.
 
 
 ### 🧪 Running Tests

diff --git a/resources/token-egi.resource b/resources/token-egi.resource
@@ -0,0 +1,78 @@
+*** Settings ***
+Documentation       Shared keywords and variables for handling OIDC authentication
+
+Library             Collections
+Library             DateTime
+Library             Process
+Library             RequestsLibrary
+Library             JSONLibrary
+
+
+*** Variables ***
+${REFRESH_TOKEN}        ${REFRESH_TOKEN}
+${TOKEN_URL}            ${AAI_URL}    
+${CLIENT_ID}            token-portal
+${SCOPE}                openid%20email%20profile%20voperson_id%20eduperson_entitlement
+
+
+*** Keywords ***
+Check Valid OIDC Token
+    [Documentation]    Get the access token
+    [Tags]    create    delete
+    ${token}=    Get Access Token
+    Check JWT Expiration    ${token}
+
+Get Access Token
+    [Documentation]    Retrieve OIDC token using a refresh token
+    ${result}=    Run Process    curl    -s    -X    POST    '${TOKEN_URL}'    -d
+    ...    'grant_type\=refresh_token&refresh_token\=${REFRESH_TOKEN}&client_id\=${CLIENT_ID}&scope\=${SCOPE}'
+    ...    shell=True    stdout=True    stderr=True
+    ${json_output}=    Convert String To Json    ${result.stdout}
+    ${access_token}=    Get Value From Json    ${json_output}    $.access_token
+    VAR    ${access_token}=    ${access_token}[0]
+    Log    Access Token: ${access_token}
+    VAR    &{HEADERS}=    Authorization=Bearer ${access_token}    Content-Type=text/json    Accept=application/json
+    ...    scope=SUITE
+    VAR    &{HEADERS_OSCAR}=    Authorization=Basic ${BASIC_USER}    Content-Type=text/json    Accept=application/json
+    ...    scope=SUITE
+    RETURN    ${access_token}
+
+Decode JWT Token
+    [Documentation]    Decode a JWT token and returns its payload
+    [Arguments]    ${token}
+    ${decoded}=    Evaluate
+    ...    jwt.decode('${token}', options={"verify_signature": False}, algorithms=["HS256", "RS256"])
+    RETURN    ${decoded}
+
+Check JWT Expiration
+    [Documentation]    Check if the given JWT token is expired
+    [Arguments]    ${token}
+    ${decoded_token}=    Decode JWT Token    ${token}
+    Log    ${decoded_token}
+    ${expiry_time}=    Get From Dictionary    ${decoded_token}    exp
+    Log    Token Expiration Time: ${expiry_time}
+    ${current_time}=    Get Current Date    result_format=epoch
+    Log    Current Time: ${current_time}
+    Should Be True    ${expiry_time} > ${current_time}    Token is expired
+
+
+Checks Valids OIDC Token
+    [Documentation]    Get the access token
+    ${result}=    Run Process    curl    -s    -X    POST    '${TOKEN_URL}'    -d
+    ...    'grant_type\=refresh_token&refresh_token\=${REFRESH_TOKEN}&client_id\=${CLIENT_ID}&scope\=${SCOPE}'
+    ...    shell=True    stdout=True    stderr=True
+    ${json_output}=    Convert String To Json    ${result.stdout}
+    ${token}=    Get Value From Json    ${json_output}    $.access_token
+    VAR    ${token}=    ${token}[0]
+    Check JWT Expiration    ${token}
+    VAR    &{HEADERS}=    Authorization=Bearer ${token}    Content-Type=text/json    Accept=application/json
+    ...    scope=SUITE
+    ${result}=    Run Process    curl    -s    -X    POST    '${TOKEN_URL}'    -d
+    ...    'grant_type\=refresh_token&refresh_token\=${REFRESH_TOKEN_SECOND_USER}&client_id\=${CLIENT_ID}&scope\=${SCOPE}'
+    ...    shell=True    stdout=True    stderr=True
+    ${json_output}=    Convert String To Json    ${result.stdout}
+    ${token2}=    Get Value From Json    ${json_output}    $.access_token
+    VAR    ${token2}=    ${token2}[0]
+    Check JWT Expiration    ${token2}
+    VAR    &{HEADERS2}=    Authorization=Bearer ${token2}    Content-Type=text/json    Accept=application/json
+    ...    scope=SUITE
diff --git a/tests/oscar_mount_external.robot b/tests/oscar_mount_external.robot
diff --git a/variables/.env-template.yaml b/variables/.env-template.yaml
@@ -1,25 +1,53 @@
-# OSCAR SERVICES
+# MAIN OSCAR configuration
 OSCAR_ENDPOINT: <COMPLETE>
 OSCAR_METRICS: <COMPLETE>
 OSCAR_DASHBOARD: <COMPLETE>
+# Basic auth for OSCAR
 BASIC_USER: <COMPLETE>
+# Other configuration
+LOCAL_TESTING: False
+SSL_VERIFY: True
 
-# EGI INFO
-EGI_AAI_URL: <COMPLETE>
-REFRESH_TOKEN: <COMPLETE>
-EGI_VO: <COMPLETE>
-EGI_UID: <COMPLETE>
 
 
-LOCAL_TESTING: False
-SSL_VERIFY: True
-FIRST_USER: <COMPLETE>
-FIRST_USER_ID: <COMPLETE>
+##### EGI Authentication file example
+AUTHENTICATION_PROCESS: resources/token-egi.resource
+AAI_URL: https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/token
+AAI_VO: <COMPLETE>
+
+#First user
+REFRESH_TOKEN: <>
+FIRST_USER: <>@egi.eu
 
 #Second user for testing
 REFRESH_TOKEN_SECOND_USER: <COMPLETE>
-SECOND_USER: <COMPLETE>
-SECOND_USER_ID: <COMPLETE>
+SECOND_USER: <>@egi.eu
 
-# BASIC AUTH for OSCAR
-BASIC_USER: <COMPLETE>
+# For testing mounting external buckets
+OSCAR_EXTERNAL: https://<COMPLETE>
+MINIO_EXTERNAL: https://minio.<COMPLETE>
+MINIO_SECRET_KEY: <COMPLETE>
+
+
+
+##### Keycloak Authentication file example
+AUTHENTICATION_PROCESS: resources/token-keycloak.resource
+AAI_URL: https://<KEYCLOAK_HOST>/realms/<REALM>/protocol/openid-connect/token
+AAI_VO: <COMPLETE>
+CLIENT_ID: <COMPLETE>
+SCOPE: <COMPLETE>
+
+#First user
+KEYCLOAK_USERNAME: <COMPLETE>
+KEYCLOAK_PASSWORD: <COMPLETE>
+FIRST_USER: <>
+
+#Second user for testing
+KEYCLOAK_USERNAME_AUX: <COMPLETE>
+KEYCLOAK_PASSWORD_AUX: <COMPLETE>
+SECOND_USER: <>
+
+# For testing mounting external buckets
+OSCAR_EXTERNAL: https://<COMPLETE>
+MINIO_EXTERNAL: https://minio.<COMPLETE>
+MINIO_SECRET_KEY: <>