Red Hat build of Keycloak
RHBK-2453

Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 [GHI#34944]



      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      oidc

      Describe the bug

      We are encountering a 403 Forbidden error after enabling the “Add to lightweight access token” flag for the sub claim in Keycloak 26.0.5. Despite the sub claim being successfully included in the token (as verified by decoding the access token), the user receives a 403 response when attempting to access Keycloak resources (for example, via the /admin/master/console/whoami API).

      Version

      26.0.5

      Regression

      [ ] The issue is a regression

      Expected behavior

      After enabling the "Add to lightweight access token" flag for the sub claim, we expect the sub claim to be present in the lightweight access token and for the request to proceed without encountering a 403 Forbidden error.

      Actual behavior

      The sub claim is present in the lightweight access token (as verified by decoding the token).
      [Screenshot attached: Pasted Graphic 1]

      After logging in, a 403 Forbidden error is returned when accessing Keycloak resources (as seen in the logs and browser console).
      [Screenshot attached: Pasted Graphic]

      Logs show a ForbiddenException when trying to access resources.

      > 2024-11-14 11:29:14,656 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-7) JtaTransactionWrapper end. Request Context: HTTP GET /admin/master/console/whoami
      > 2024-11-14 11:29:14,656 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-16) hibernate.connection.provider_disables_autocommit was enabled. This setting should only be enabled when you are certain that the Connections given to Hibernate by the ConnectionProvider have auto-commit disabled. Enabling this setting when the Connections do not have auto-commit disabled will lead to Hibernate executing SQL operations outside of any JDBC/SQL transaction.
      > 2024-11-14 11:29:14,656 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (executor-thread-16) Hibernate RegisteredSynchronization successfully registered with JTA platform
      > 2024-11-14 11:29:14,656 DEBUG [org.hibernate.orm.sql.exec] (executor-thread-16) Skipping reading Query result cache data: cache-enabled = false, cache-mode = NORMAL
      > 2024-11-14 11:29:14,656 DEBUG [org.hibernate.SQL] (executor-thread-16) select re1_0.ID from REALM re1_0
      > 2024-11-14 11:29:14,656 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-15) Error response Forbidden: jakarta.ws.rs.ForbiddenException: HTTP 403 Forbidden
      > at org.keycloak.services.resources.admin.permissions.RealmPermissions.requireViewRealmNameList(RealmPermissions.java:87)
      > at org.keycloak.services.resources.admin.RealmAdminResource.getRealm(RealmAdminResource.java:380)
      > at org.keycloak.services.resources.admin.RealmAdminResource$quarkusrestinvoker$getRealm_1bf39733aab8d3fea8c232249d5424607d2bc915.invoke(Unknown Source)
      > at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
      > at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
      > at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
      > at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
      > at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
      > at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
      > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
      > at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
      > at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
      > at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      > at java.base/java.lang.Thread.run(Thread.java:833)

      How to Reproduce?

      1. In Keycloak 26.0.5, under master realm, click on Client Scopes
      2. Click on basic; under Mappers, select the "sub" claim.
      3. Enable the “Add to lightweight access token” flag for the sub claim.
      4. Log in to Keycloak providing admin credentials.
      5. Observe that a 403 Forbidden error occurs.
      6. Decode the access token and verify that the sub claim is present.

      Anything else?

      No response
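      To check steps 5 and 6 of the reproduction without the admin console, here is an added example that is not part of the bug report or of Keycloak itself: it decodes the payload of an issued access token (signature not verified), lists which expected claims are missing, and optionally calls the whoami endpoint named in the report. The two tokens below are constructed locally so the block runs offline; the base URL and realm name are assumptions.

```python
# Added example (not from the bug report or the Keycloak project).
import base64
import json
import urllib.error
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (step 6 of the report).
    The signature is NOT verified: this only inspects what Keycloak issued."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token: str, required=("sub",)) -> list:
    """List the required claims that are absent from the token payload."""
    claims = decode_jwt_claims(token)
    return [name for name in required if name not in claims]


def whoami_status(base_url: str, token: str, realm: str = "master") -> int:
    """Call the admin console whoami endpoint from the report with a bearer
    token and return the HTTP status; 403 is the failure being reported.
    base_url (e.g. http://localhost:8080) is an assumption, not from the page."""
    req = urllib.request.Request(
        f"{base_url}/admin/{realm}/console/whoami",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def _constructed_token(payload: dict) -> str:
    # Constructed, unsigned sample token with a dummy signature segment.
    # A real Keycloak access token would be signed (RS256 by default).
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}.sig"


# Constructed payloads: a lightweight token without "sub" and one with it.
_BASE = {"iss": "http://localhost:8080/realms/master", "azp": "security-admin-console"}
TOKEN_WITHOUT_SUB = _constructed_token(_BASE)
TOKEN_WITH_SUB = _constructed_token({**_BASE, "sub": "00000000-0000-4000-8000-000000000001"})
```

      Decode the token the browser actually received (from the network tab) with decode_jwt_claims, then compare missing_claims against the claims you expect the lightweight token to carry.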

      Assignee: Unassigned
      Reporter: Pavel Vlha (pvlha)
      Component: Keycloak Core Clients