code-specialist / fastapi-keycloak

Keycloak integration for Python FastAPI
https://fastapi-keycloak.code-specialist.com/
Apache License 2.0
193 stars 49 forks

Trying to run quickstart example, got error The 'realm_access' section of the provided access token is missing on /admin method #82

Open Felix-neko opened 1 year ago

Felix-neko commented 1 year ago

Hi again!

I've installed fastapi-keycloak 1.0.7 from PyPI and tried to run the basic example.

I've started the Keycloak server via docker-compose with their provided docker-compose.yaml and realm-export.json. Then I started an example FastAPI app on localhost:8081, created a Keycloak user in the admin panel (localhost:8085), logged in (http://localhost:8081/login) and obtained an access token.

After that I've tried to use this access token in some external request: I ran Postman and created a request http://localhost:8081/admin with Authorization header filled as Bearer {token}. This request should check user roles, but I got the following error:

  File "/mnt/dump1/Projects/fastapi_sandbox/venv_py3.8/lib/python3.8/site-packages/anyio/_backends/_asyncio.py", line 867, in run
    result = context.run(func, *args)
  File "/mnt/dump1/Projects/fastapi_sandbox/venv_py3.8/lib/python3.8/site-packages/fastapi_keycloak/api.py", line 264, in current_user
    if role not in user.roles:
  File "/mnt/dump1/Projects/fastapi_sandbox/venv_py3.8/lib/python3.8/site-packages/fastapi_keycloak/model.py", line 122, in roles
    raise KeycloakError(
fastapi_keycloak.exceptions.KeycloakError: HTTP 404: The 'realm_access' section of the provided access token is missing

After that I went to the Keycloak admin panel again and enabled the role mapper for this client (Clients --> test-client --> Mappers --> Add builtin --> realm roles); I even enabled "Add to ID token" and "Add to userinfo". Then I got a new access token with /login, but nothing changed.

How can it be fixed -- and what am I doing wrong?

P.S. Here's the exact code I'm running: https://github.com/Felix-neko/fastapi_sandbox/tree/main/fastapi_sandbox

Felix-neko commented 1 year ago

UPD: I've read the next paragraph of docs after Quickstart: https://fastapi-keycloak.code-specialist.com/keycloak_configuration/

When I enabled client's Full Scope, it helped.

Maybe you can place the Keycloak configuration topic before Quickstart for guys like me?
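
Added example, not part of the thread or of fastapi-keycloak: a small check for the symptom discussed above, which decodes an access token's payload and reports whether the realm_access claim is present, as it is once the client's Full Scope setting is enabled. The sample tokens, the "admin" role and the helper names (decode_claims, role_report, make_sample_token) are constructed for illustration; the decoding does not verify the signature, so it is for inspection only.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def role_report(token: str) -> dict:
    """Summarise which role claims an access token carries."""
    claims = decode_claims(token)
    realm = claims.get("realm_access")
    clients = claims.get("resource_access")
    if not isinstance(clients, dict):
        clients = {}
    return {
        # False here is the condition behind the KeycloakError in the traceback
        "has_realm_access": isinstance(realm, dict),
        "realm_roles": sorted(realm.get("roles", [])) if isinstance(realm, dict) else [],
        "client_roles": {c: sorted(v.get("roles", [])) for c, v in clients.items()
                         if isinstance(v, dict)},
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature for the demo."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder-signature"])


# Constructed samples (not real tokens): issued without and with realm roles in scope.
WITHOUT_ROLES = make_sample_token({"sub": "user-1", "azp": "test-client"})
WITH_ROLES = make_sample_token(
    {"sub": "user-1", "azp": "test-client", "realm_access": {"roles": ["admin"]}}
)

if __name__ == "__main__":
    for label, tok in (("full scope off", WITHOUT_ROLES), ("full scope on", WITH_ROLES)):
        print(label, role_report(tok))
```

Passing the token returned by /login to role_report shows whether a change in the Keycloak admin panel actually reached the token before the request to /admin is retried.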

DamScan commented 1 year ago

I had this same problem. I managed to get out of it the same way. But above all I activated "Service Account Enabled" in the "Admin-cli". I found quite a bit of info here (knowing that I didn't use the examples in the documentation): https://www.appsdeveloperblog.com/keycloak-rest-api-create-a-new-user/

This lib is no longer maintained and seeks to be adopted; it's a shame because it looks promising.

yannicschroeer commented 1 year ago

Feel free to contact us and pick up the maintenance. We cannot spare the time and no longer use Keycloak due to its wide variety of deficits.

DamScan commented 1 year ago

Why not... But I doubt I'll be as good as your team. It could be a good exercise for me. What are the terms of recovery?

ScottFred commented 9 months ago

@yannicschroeer Can you expand on your comment above, "no longer use Keycloak due to its wide variety of deficits"? Would you be willing to share what Authentication Server you are now using? (I'm considering using Keycloak as our OAuth server, but there are things that concern me about it such as over 1,900 Issues reported on GitHub and 198 Pull Requests).

yannicschroeer commented 9 months ago

@ScottFred I'm not well into the topic anymore, but our main concerns were horrible documentation and a lot of major versions as well as undocumented non-backward-compatible changes. It was simply too unstable to use. I can't tell if it became better, but in the year we used it, we had 8 new major versions and over 15 breaking changes, making this unmaintainable with the amount of time we can spare.

ScottFred commented 9 months ago

@yannicschroeer Thanks for the additional detail. Can you tell me what Authentication Server you chose to use instead? (My experience with CentOS years ago (a RedHat ecosystem) was similar... I just wanted a stable Linux based OS, but it was in constant change that kept breaking my system.)