code-specialist / fastapi-keycloak

Keycloak integration for Python FastAPI
https://fastapi-keycloak.code-specialist.com/
Apache License 2.0

Error when initializing example project #36

Closed Coding-Crashkurse closed 2 years ago

Coding-Crashkurse commented 2 years ago

Hello!

Really good project, I love Keycloak and FastAPI :-). Unfortunately I am not able to get it running and I guess this is due to a bug:

The error happens when the token is decoded:

PS C:\Users\User\Desktop\KeyCloakFastAPI> python .\app.py
{'exp': 1649355552, 'iat': 1649355252, 'jti': '51e67522-19f7-45b0-9894-e862b440106b', 'iss': 'http://localhost:8085/auth/realms/Test', 'sub': '33b940e2-0bdb-49a7-9356-e6e230f49619', 'typ': 'Bearer', 'azp': 'admin-cli', 'acr': '1', 'scope': 'profile email', 'clientId': 'admin-cli', 'clientHost': '172.23.0.1', 'email_verified': False, 'preferred_username': 'service-account-admin-cli', 'clientAddress': '172.23.0.1'}

In my token I don't have "resource_access", which leads to "None" and to a follow-up error:

AttributeError: 'NoneType' object has no attribute 'get'

traceback:

Traceback (most recent call last):
  File ".\app.py", line 7, in <module>
    idp = FastAPIKeycloak(
  File "C:\Users\User\anaconda3\lib\site-packages\fastapi_keycloak\api.py", line 129, in __init__
    self._get_admin_token()  # Requests an admin access token on startup
  File "C:\Users\User\anaconda3\lib\site-packages\fastapi_keycloak\api.py", line 292, in _get_admin_token
    self.admin_token = response.json()['access_token']
  File "C:\Users\User\anaconda3\lib\site-packages\fastapi_keycloak\api.py", line 159, in admin_token
    if not decoded_token.get('resource_access').get('realm-management') or not decoded_token.get('resource_access').get('account'):
AttributeError: 'NoneType' object has no attribute 'get'

Is there something I did wrong or is this an error in the lib?

yannicschroeer commented 2 years ago

Hello @Data-Mastery, at first glance I would say this happens because your configuration is not correct. Seems like your configured admin user does not have sufficient rights on the realm.

Did you use our provided example configuration? Or did you set things up yourself?

Coding-Crashkurse commented 2 years ago

Thanks for the quick response. I used the provided example configuration here: https://fastapi-keycloak.code-specialist.com/downloads/realm-export.json. I used the setup from here: https://fastapi-keycloak.code-specialist.com/quick_start/

yannicschroeer commented 2 years ago

Well, that should obviously not happen then. I will look into it, to fix the provided example. However, we might want to fix your issue anyway, since I'm not sure how fast I can tackle this.

Could you check if the admin-cli service account has all realm-related roles? If you use the Keycloak web interface, you should find this at: Clients > admin-cli > Service Account Roles > Client Roles > Realm Management. If not done yet, add all the roles to the service account. If this does not fix your issue, it's probably that the permissions are given but somehow do not end up as claims in your access token signed for the service account.

Coding-Crashkurse commented 2 years ago

Ok, that solved the issue, thank you very much. I ran into a follow-up error, which gave me the following hint:

AssertionError: The access required was not contained in the access token for the `admin-cli`.
                                 Possibly a Keycloak misconfiguration. Check if the admin-cli client has `Full Scope Allowed`
                                 and that the `Service Account Roles` contain all roles from `account` and `realm_management`

=> very good, easy to solve

As a user of your library I would expect something similar also for the first error :-).

yannicschroeer commented 2 years ago

Glad we could solve it. We'll try to improve the error message as well.

jeromecremers commented 2 years ago

I opened a PR in which I updated these required modifications to realm-export.json. Hopefully that helps; for me it does.

yannicschroeer commented 2 years ago

Closed with #38
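
The crash in this thread comes from chaining `.get()` on a `resource_access` claim that is absent from the token. As an added example (not code from fastapi-keycloak or from any participant in the thread), here is one way to check the decoded admin token and report which client roles are missing. `missing_admin_access`, `check_admin_token` and `AdminTokenConfigError` are hypothetical names; the first sample token is trimmed from the output above, the second is constructed, and both are assumed to be payloads of tokens whose signature was already verified.

```python
from typing import Any, List, Mapping

# Clients looked up by the failing line in the traceback (api.py, line 159).
REQUIRED_CLIENTS = ("realm-management", "account")

class AdminTokenConfigError(Exception):
    """Hypothetical error type: the admin token lacks expected role claims."""

def missing_admin_access(decoded_token: Mapping[str, Any]) -> List[str]:
    """Return the required clients for which the token carries no roles."""
    resource_access = decoded_token.get("resource_access")
    # The claim can be absent altogether, as in the token printed in the issue.
    if not isinstance(resource_access, Mapping):
        return list(REQUIRED_CLIENTS)
    missing = []
    for client in REQUIRED_CLIENTS:
        entry = resource_access.get(client)
        roles = entry.get("roles") if isinstance(entry, Mapping) else None
        if not roles:  # assumption: an empty role list counts as missing
            missing.append(client)
    return missing

def check_admin_token(decoded_token: Mapping[str, Any]) -> None:
    """Raise a descriptive error instead of AttributeError on None."""
    missing = missing_admin_access(decoded_token)
    if missing:
        raise AdminTokenConfigError(
            f"Access token for {decoded_token.get('azp')!r} has no roles for "
            f"{', '.join(missing)}; check Service Account Roles and "
            "Full Scope Allowed on that client."
        )

# Claims trimmed from the token printed in the issue: no resource_access.
TOKEN_FROM_ISSUE = {"azp": "admin-cli", "scope": "profile email",
                    "preferred_username": "service-account-admin-cli"}
# Constructed sample of a token that does carry client roles.
TOKEN_WITH_ROLES = {"azp": "admin-cli", "resource_access": {
    "realm-management": {"roles": ["manage-users"]},
    "account": {"roles": ["view-profile"]}}}

if __name__ == "__main__":
    for name, token in (("issue", TOKEN_FROM_ISSUE), ("roles", TOKEN_WITH_ROLES)):
        try:
            check_admin_token(token)
            print(name, "-> ok")
        except AdminTokenConfigError as exc:
            print(name, "->", exc)
```

Failing closed with a message that names the missing clients keeps a misconfigured service account from surfacing as an opaque `AttributeError` at startup.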