diff --git a/providers/keycloak_test.go b/providers/keycloak_test.go
index ced528b..b5d2625 100644
--- a/providers/keycloak_test.go
+++ b/providers/keycloak_test.go
@@ -1,15 +1,18 @@
 package providers
 
 import (
-	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 
 	"github.com/bmizerany/assert"
+	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
 )
 
+const imaginaryAccessToken = "imaginary_access_token"
+const bearerAccessToken = "Bearer " + imaginaryAccessToken
+
 func testKeycloakProvider(hostname, group string) *KeycloakProvider {
 	p := NewKeycloakProvider(
 		&ProviderData{
@@ -41,7 +44,7 @@ func testKeycloakBackend(payload string) *httptest.Server {
 			url := r.URL
 			if url.Path != path {
 				w.WriteHeader(404)
-			} else if r.Header.Get("Authorization") != "Bearer imaginary_access_token" {
+			} else if r.Header.Get("Authorization") != bearerAccessToken {
 				w.WriteHeader(403)
 			} else {
 				w.WriteHeader(200)
@@ -94,10 +97,10 @@ func TestKeycloakProviderGetEmailAddress(t *testing.T) {
 	b := testKeycloakBackend("{\"email\": \"michael.bland@gsa.gov\"}")
 	defer b.Close()
 
-	bUrl, _ := url.Parse(b.URL)
-	p := testKeycloakProvider(bUrl.Host, "")
+	bURL, _ := url.Parse(b.URL)
+	p := testKeycloakProvider(bURL.Host, "")
 
-	session := &sessions.SessionState{AccessToken: "imaginary_access_token"}
+	session := &sessions.SessionState{AccessToken: imaginaryAccessToken}
 	email, err := p.GetEmailAddress(session)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "michael.bland@gsa.gov", email)
@@ -107,10 +110,10 @@ func TestKeycloakProviderGetEmailAddressAndGroup(t *testing.T) {
 	b := testKeycloakBackend("{\"email\": \"michael.bland@gsa.gov\", \"groups\": [\"test-grp1\", \"test-grp2\"]}")
 	defer b.Close()
 
-	bUrl, _ := url.Parse(b.URL)
-	p := testKeycloakProvider(bUrl.Host, "test-grp1")
+	bURL, _ := url.Parse(b.URL)
+	p := testKeycloakProvider(bURL.Host, "test-grp1")
 
-	session := &sessions.SessionState{AccessToken: "imaginary_access_token"}
+	session := &sessions.SessionState{AccessToken: imaginaryAccessToken}
 	email, err := p.GetEmailAddress(session)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "michael.bland@gsa.gov", email)
@@ -122,8 +125,8 @@ func TestKeycloakProviderGetEmailAddressFailedRequest(t *testing.T) {
 	b := testKeycloakBackend("unused payload")
 	defer b.Close()
 
-	bUrl, _ := url.Parse(b.URL)
-	p := testKeycloakProvider(bUrl.Host, "")
+	bURL, _ := url.Parse(b.URL)
+	p := testKeycloakProvider(bURL.Host, "")
 
 	// We'll trigger a request failure by using an unexpected access
 	// token. Alternatively, we could allow the parsing of the payload as
@@ -138,10 +141,10 @@ func TestKeycloakProviderGetEmailAddressEmailNotPresentInPayload(t *testing.T) {
 	b := testKeycloakBackend("{\"foo\": \"bar\"}")
 	defer b.Close()
 
-	bUrl, _ := url.Parse(b.URL)
-	p := testKeycloakProvider(bUrl.Host, "")
+	bURL, _ := url.Parse(b.URL)
+	p := testKeycloakProvider(bURL.Host, "")
 
-	session := &sessions.SessionState{AccessToken: "imaginary_access_token"}
+	session := &sessions.SessionState{AccessToken: imaginaryAccessToken}
 	email, err := p.GetEmailAddress(session)
 	assert.NotEqual(t, nil, err)
 	assert.Equal(t, "", email)