code-specialist / fastapi-keycloak

Keycloak integration for Python FastAPI
https://fastapi-keycloak.code-specialist.com/
Apache License 2.0

Issue with Keycloak v20+ 'access required was not contained' #88

Closed k-mitevski closed 1 year ago

k-mitevski commented 1 year ago

I'm trying to set this up and was following the quick start guide (without the JSON) and configuration from here: https://fastapi-keycloak.code-specialist.com/keycloak_configuration/. I'm testing this locally using the quay.io/keycloak/keycloak:21.0.2 image.

On startup, I immediately get that the admin-cli account is missing some roles. Since this is a test, I added all possible roles, but the issue still persists.

Is the 'Full Scope Allowed' the authorization toggle in recent Keycloak versions? I couldn't locate this setting to enable it.

    self._get_admin_token()  # Requests an admin access token on startup
  File "/usr/local/lib/python3.9/site-packages/fastapi_keycloak/api.py", line 348, in _get_admin_token
    self.admin_token = response.json()["access_token"]
  File "/usr/local/lib/python3.9/site-packages/fastapi_keycloak/api.py", line 193, in admin_token
    raise AssertionError(
AssertionError: The access required was not contained in the access token for the `admin-cli`.
                Possibly a Keycloak misconfiguration. Check if the admin-cli client has `Full Scope Allowed`
                and that the `Service Account Roles` contain all roles from `account` and `realm_management`

Any help or pointers are appreciated.
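One way to see which client roles an `admin-cli` token actually carries when this assertion fires, added here as an example that is not part of the thread or of fastapi-keycloak's own code. It assumes the check concerns the `resource_access` claim for the clients `account` and `realm-management`; the helper names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Assumption: the clients whose roles the startup check expects to find.
# Keycloak's built-in client id is "realm-management" (with a hyphen).
REQUIRED_CLIENTS = ("account", "realm-management")

def decode_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def client_roles(claims: dict) -> dict:
    """Map each client id in `resource_access` to its sorted role list."""
    access = claims.get("resource_access") or {}
    return {cid: sorted(entry.get("roles") or []) for cid, entry in access.items()}

def missing_clients(claims: dict, required=REQUIRED_CLIENTS) -> list:
    """Return the required clients that contribute no roles to the token."""
    roles = client_roles(claims)
    return [cid for cid in required if not roles.get(cid)]

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])

# Constructed sample claims, not taken from a real Keycloak instance.
FULL = make_sample_token({"azp": "admin-cli", "resource_access": {
    "account": {"roles": ["view-profile", "manage-account"]},
    "realm-management": {"roles": ["manage-users", "view-realm"]}}})
PARTIAL = make_sample_token({"azp": "admin-cli", "resource_access": {
    "account": {"roles": ["view-profile"]}}})

if __name__ == "__main__":
    for name, tok in (("FULL", FULL), ("PARTIAL", PARTIAL)):
        claims = decode_payload(tok)
        print(name, client_roles(claims), "missing:", missing_clients(claims))
```

Running the same functions on a token requested for the service account shows whether the roles assigned in the admin console reach the token at all.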

yannicschroeer commented 1 year ago

Hey @k-mitevski,

I'm sorry, but we currently only provide compatibility for Keycloak v16. Keycloak keeps throwing one major release after another, making it impossible to keep pace. It's part of the reason why we abandoned using Keycloak completely and are no longer able to regularly maintain this package.

k-mitevski commented 1 year ago

@yannicschroeer Thank you for the quick answer. I'll try a bit more to see if I can manage to get it working with the latest version. To which provider did you switch? Any suggestions for a good alternative to Keycloak?

yannicschroeer commented 1 year ago

@k-mitevski We decided that we do not necessarily require a self-hosted solution and went with Auth0 from there on. AWS Cognito is also a viable solution. Both come with way less headache, as long as you do not need heavy customisation. If one of the requirements is self-hosting though, I think there is still no better solution out there.

k-mitevski commented 1 year ago

Thanks for your input @yannicschroeer.