JBoss Enterprise Application Platform / JBEAP-27066

[QA](8.0.z) Keycloak OIDC integration - Client authentication default configuration in realm definition prevents successful authorization


    • Documentation (Ref Guide, User Guide, etc.), Migration, Compatibility/Configuration, User Experience
    • Regression
    • Workaround Exists: Set the client .publicClient property in the client definition to true when creating the realm.
    Steps to reproduce:

      1. Deploy a Keycloak instance
      2. Create one OIDC realm and a related client
      3. Deploy a WildFly/EAP application service that connects to the Keycloak instance and perform a login with an authorized user
      4. HTTP 401 is received and the Keycloak logs report traces like:

       type=CODE_TO_TOKEN_ERROR, realmId=basic-auth, clientId=basic-auth-service, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code

      The Keycloak/RHBK operator lets users provide realm import definitions so that applications can connect to it and delegate access control to resources for users in a given realm.

      We have a test that started failing soon after migrating from RHSSO to RHBK. The test validates securing resources on OpenShift via OIDC-based SSO, and it fails an authentication that is expected to be successful, because the client .publicClient property is now set to false by default.

      Something like the following error is traced by the RHBK instance logs:

       type=CODE_TO_TOKEN_ERROR, realmId=basic-auth, clientId=basic-auth-service, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code
      

      This seems to be a change in behavior that causes a regression when compared to the RHSSO integration, and it impacts the experience of users/customers migrating the described configuration from RHSSO to RHBK.

      BTW, this is related to RHBK-1408.
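      As an added illustration (not part of the issue text or of the project's own files), a realm import for the Keycloak operator with the workaround from this issue applied. The realm and client names come from the log line above; the KeycloakRealmImport resource shape is the operator's, while the namespace, the Keycloak CR name and the redirect URI are assumed placeholder values.

```yaml
# Realm import handed to the Keycloak/RHBK operator as a KeycloakRealmImport CR.
# Realm "basic-auth" and client "basic-auth-service" are taken from the issue's
# log line; namespace, keycloakCRName and the redirect URI are assumed values.
apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: basic-auth-realm
  namespace: keycloak              # assumed namespace of the Keycloak CR
spec:
  keycloakCRName: keycloak         # assumed name of the Keycloak CR
  realm:
    realm: basic-auth
    enabled: true
    clients:
      - clientId: basic-auth-service
        enabled: true
        protocol: openid-connect
        standardFlowEnabled: true  # authorization code flow used by the EAP app
        redirectUris:
          - "https://basic-auth-service.apps.example.com/*"   # assumed URI
        # Leaving this key out now results in publicClient: false, i.e. a
        # confidential client that must present a credential at the token
        # endpoint. An application configured without one gets HTTP 401 and
        # the CODE_TO_TOKEN_ERROR trace quoted in this issue. The workaround
        # described above is to declare the client public explicitly:
        publicClient: true
```

      Keeping publicClient at false is the stricter choice, but it then requires the application's OIDC configuration to carry the client's credential (its secret), which is the part the workaround above sidesteps.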

              Assignee: Unassigned
              Reporter: Fabio Burzigotti (fburzigo)