Uploaded image for project: 'Quarkus'
  1. Quarkus
  2. QUARKUS-695

Quarkus Keycloak Authorization is not compatible with latest version of RH SSO 7.4

    XMLWordPrintable

    Details

    • Steps to Reproduce:
      Hide
      git clone https://github.com/Sgitario/quarkus-examples
      cd quarkus-examples/quarkus-keycloak-authz
      mvn clean verify
      

      You can try with other SSO images by editing the `AuthProviderQuarkusTestResource` class:

      ```
      // container = new KeycloakContainer(); // works
      container = new RedHatSso74Container(); // does not work
      // container = new RedHatSso73Container(); // works
      ```

      Show
      git clone https: //github.com/Sgitario/quarkus-examples cd quarkus-examples/quarkus-keycloak-authz mvn clean verify You can try with other SSO images by editing the `AuthProviderQuarkusTestResource` class: ``` // container = new KeycloakContainer(); // works container = new RedHatSso74Container(); // does not work // container = new RedHatSso73Container(); // works ```
    • Affects:
      Documentation (Ref Guide, User Guide, etc.), Release Notes
    • Workaround:
      Workaround Exists
    • Workaround Description:
      Hide

      Check the OpenID Connect Compatibility Modes settings for your client and enable the Use Refresh Tokens For Client Credentials Grant setting.

      Show
      Check the OpenID Connect Compatibility Modes settings for your client and enable the Use Refresh Tokens For Client Credentials Grant setting.
    • QE Test Coverage:
      +

      Description

      GitHub issue: https://github.com/quarkusio/quarkus/issues/14318

      I've configured a Quarkus app using the extension "quarkus-keycloak-authorization" with the following properties:

      quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
      quarkus.oidc.client-id=test-application-client
      quarkus.oidc.credentials.secret=test-application-client-secret
      
      quarkus.keycloak.policy-enforcer.enable=true
      

      Code:

      @Path("/user")
      public class UserResource {
          @Inject
          SecurityIdentity identity;
      
          @Inject
          JsonWebToken jwt;
      
          @GET
          @Produces(MediaType.TEXT_PLAIN)
          public String get() {
              return "Hello, user " + identity.getPrincipal().getName();
          }
      
          @GET
          @Path("/issuer")
          @Produces(MediaType.TEXT_PLAIN)
          public String issuer() {
              return "user token issued by " + jwt.getIssuer();
          }
      }
      

      This setup is NOT working either on jvm and native using the latest RH SSO 7.4 (I could not test with the latest Keycloak image). It throws this exception at startup:

      __  ____  __  _____   ___  __ ____  ______
       --/ __ \/ / / / _ | / _ \/ //_/ / / / __/
       -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \
      --\___\_\____/_/ |_/_/|_/_/|_|\____/___/
      2021-01-14 16:57:40,466 INFO  [org.key.ada.aut.PolicyEnforcer] (main) Paths provided in configuration.
      2021-01-14 16:57:40,670 WARN  [org.apa.htt.cli.pro.ResponseProcessCookies] (main) Invalid cookie header: "Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/test-realm/; HttpOnly". Invalid 'expires' attribute: Thu, 01-Jan-1970 00:00:10 GMT
      2021-01-14 16:57:40,871 ERROR [io.qua.run.Application] (main) Failed to start application (with profile native): java.lang.NullPointerException
          at org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:44)
          at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:64)
          at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:296)
          at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
          at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:225)
          at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:222)
          at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:230)
          at org.keycloak.authorization.client.resource.ProtectedResource.findByMatchingUri(ProtectedResource.java:291)
          at org.keycloak.adapters.authorization.PolicyEnforcer.configureDefinedPaths(PolicyEnforcer.java:180)
          at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:160)
          at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:76)
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              pcraveiro Pedro Igor Silva
              Reporter:
              jcarvaja-1 Jose Carvajal Hilario
              Tester:
              Jose Carvajal Hilario Jose Carvajal Hilario
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: