OIDC Keycloak devservice keeps throwing 403 #37964
Comments
/cc @geoand (devservices), @pedroigor (keycloak,oidc), @sberyozkin (keycloak,oidc), @stuartwdouglas (devservices)
@appiepollo14 This issue appears to be invalid. The guide you link to does not suggest logging in, as I recommend using the quickstart and learning how that custom realm sets the policies, and checking the linked Keycloak docs for more information.
@appiepollo14 It is difficult to avoid reading the Keycloak docs if you'd like to use Keycloak Authorization. It is quite subtle at some points, so we can't really make it all automatic; so, as I said, start with the working quickstart and continue from there.
@sberyozkin it does suggest logging in as those users, see the topic 'Running the Application in Dev mode' in the guide.
@sberyozkin 'So I'm not sure why you mark this issue as a bug - IMHO it looks like an incorrect setup in your reproducer.' I don't see a diff between my reproducer and what the Guide suggests. If you see any, please advise; that's what I've written in the issue. IMHO there is no difference.
@sberyozkin Sorry, I made a typo. The Guide writes about two users, Alice and Admin. However, the devservices keycloak config in my reproducer doesn't allow user admin to login as a user. User Bob can login however. Both users, Alice and Bob, return 403 when trying to access both endpoints.
@sberyozkin more concrete:
Anyhow, one and the other need to be aligned. I think the 'bug' I wanted to mention is that the devservices quarkus-realm is not in accordance with what's in the Guide and isn't the same as the json-file.
@appiepollo14 Can you do me a favor and go through the documented guide, step by step, without your reproducer, and list what exactly does not work there for you.
This is exactly what you're asking for @sberyozkin
@appiepollo14 I'm sorry, I'm here to help, but I don't have time to read between the lines of some of these comments or try to map them to specific parts of the guide. Also, the fact that the realm may have more users than the 2 which are used to test is irrelevant.
@appiepollo14 We'll sort it out if something will have to be improved in the guide, I see
@sberyozkin Hi man, I could have been more explanatory. The reproducer is my outcome of when following the guide. I did the following:
As I understand from the guide, when using devservices for keycloak, I DON'T need to add a quarkus-realm.json file myself, but devservices will import a default one for me. Issue: When I add the linked quarkus-realm.json to the project, the 403's are gone. Conclusion:
@appiepollo14, sure, I'll have a look
@appiepollo14, OK, I think I see now what you are asking about,
At the moment, you have to use the realm shipped with the quickstart - if you don't use it then you need to configure your own realm correctly following the Keycloak Authorization guide in the Keycloak docs. However, I do intend to improve the docs and make it clearer in the section you have linked to, I can see why the fact that reference to

Unfortunately, the default realm which is created by Dev Services for Keycloak is not Keycloak authorization aware. There is a dedicated enhancement request, #21040, to address exactly this issue, also with a linked PR, but it did not go far enough, given Pedro's concerns, who is the Keycloak Authorization author. It is too tricky to set up - one needs to ship a dedicated policy jar; besides, even for the default case, you can't know in advance which paths will have to be secured, as opposed to simply allocating Alice and Bob specific roles. So, all in all, while it is a limitation that, when it comes down to testing Keycloak Authorization, the default realm is not sufficient, I do expect that in any practical setups users will work with custom realms already prepared as in the quickstart or will ship a policy jar, such as the one shown in #36508. So to summarize, I'll fix this issue with these docs clarifications:
Thanks
Describe the bug
When following this guide, security Keycloak authorization, I can't access the endpoints with both users Alice and Admin. Quarkus shows the following error in the log:
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_clientId","error_description":"Client application [backend-service] is not registered as a resource server."}
When going to the dev-ui, Keycloak admin console, I notice that Authorization is turned off in the Quarkus Realm, backend-service Client.
After turning Authorization on, the error changes to the following:
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
I'm not sure if I've done something wrong, or whether the documentation is wrong or whether this is a bug, therefore I've opened this issue.
Expected behavior
Getting access to the endpoints in accordance with the guide.
Actual behavior
Keep getting 403's for both users.
How to Reproduce?
keycloak.zip
Output of uname -a or ver:
Darwin mn 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:18 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T6000 arm64
Output of java -version:
OpenJDK 64-Bit Server VM Corretto-21.0.0.35.1 (build 21+35-LTS, mixed mode, sharing)
Quarkus version or git rev
3.6.4
Build tool (i.e. output of mvnw --version or gradlew --version): Apache Maven 3.9.6
Additional information
No response
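The two 403 bodies quoted in the report map to two realm preconditions: "not registered as a resource server" means Authorization Services are off on the backend-service client, and "Requires uma_protection scope" means the client's service account does not hold the uma_protection client role. The following script is an added example, not code from the issue, the quickstart or Quarkus: it checks a Keycloak realm export for both conditions before Dev Services imports it, and can emit a corrected copy. The realm JSON it works on is constructed here, and the assumed export shape (clients[].authorizationServicesEnabled, a service-account user whose serviceAccountClientId names the client, with clientRoles) is an assumption about the Keycloak export format rather than something the page states.

```python
import copy
import json
import sys

UMA_PROTECTION = "uma_protection"

# Constructed sample (not the quickstart's quarkus-realm.json): a minimal
# realm export in the state the report describes, i.e. the backend-service
# client exists but Authorization is off and the service account has no
# uma_protection role.
BROKEN_REALM = {
    "realm": "quarkus",
    "clients": [
        {"clientId": "backend-service",
         "serviceAccountsEnabled": True,
         "authorizationServicesEnabled": False}
    ],
    "users": [
        {"username": "alice", "enabled": True, "realmRoles": ["user"]},
        {"username": "service-account-backend-service", "enabled": True,
         "serviceAccountClientId": "backend-service", "clientRoles": {}},
    ],
}


def _find_client(realm, client_id):
    for client in realm.get("clients", []):
        if client.get("clientId") == client_id:
            return client
    return None


def _find_service_account(realm, client_id):
    # Assumed export format: the service account is an ordinary user entry
    # whose serviceAccountClientId names the client; the username fallback
    # covers exports that only carry the conventional name.
    for user in realm.get("users", []):
        if (user.get("serviceAccountClientId") == client_id
                or user.get("username") == f"service-account-{client_id}"):
            return user
    return None


def check_resource_server(realm, client_id):
    """Return a list of findings; empty means the client can act as a
    Keycloak Authorization resource server (as far as these two checks go)."""
    findings = []
    client = _find_client(realm, client_id)
    if client is None:
        return [f"client '{client_id}' is not defined in realm "
                f"'{realm.get('realm')}'"]
    if not client.get("authorizationServicesEnabled", False):
        findings.append(
            f"client '{client_id}': Authorization is off (expect 403 "
            "invalid_clientId: not registered as a resource server)")
    if not client.get("serviceAccountsEnabled", False):
        findings.append(f"client '{client_id}': service accounts are disabled")
    account = _find_service_account(realm, client_id)
    roles = (account or {}).get("clientRoles", {}).get(client_id, [])
    if UMA_PROTECTION not in roles:
        findings.append(
            f"client '{client_id}': service account lacks the "
            f"{UMA_PROTECTION} client role (expect 403 invalid_scope: "
            "Requires uma_protection scope)")
    return findings


def enable_resource_server(realm, client_id):
    """Return a deep copy of the realm with both prerequisites switched on.
    The input realm is left untouched."""
    fixed = copy.deepcopy(realm)
    client = _find_client(fixed, client_id)
    if client is None:
        raise ValueError(f"client '{client_id}' not found")
    client["authorizationServicesEnabled"] = True
    client["serviceAccountsEnabled"] = True
    account = _find_service_account(fixed, client_id)
    if account is None:
        account = {"username": f"service-account-{client_id}", "enabled": True,
                   "serviceAccountClientId": client_id, "clientRoles": {}}
        fixed.setdefault("users", []).append(account)
    roles = account.setdefault("clientRoles", {}).setdefault(client_id, [])
    if UMA_PROTECTION not in roles:
        roles.append(UMA_PROTECTION)
    return fixed


if __name__ == "__main__":
    # Usage: python realm_check.py [realm-export.json]; without an argument
    # the constructed BROKEN_REALM above is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            realm = json.load(fh)
    else:
        realm = BROKEN_REALM
    for line in check_resource_server(realm, "backend-service") or ["OK"]:
        print(line)
```

Passing both checks only removes the two 403s quoted in the report; as the maintainer's comment explains, a realm used for Keycloak Authorization still needs resources and policies defined for the client (the part the quickstart realm or a policy jar supplies), which this script does not generate.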