Not able to get users in backstage by using janus Keycloak backend plugin for Backstage. getting 401

[kulkarnijanhavi]

Description : I am using janus Keycloak backend plugin for Backstage for getting users from keycloak and showcase them backstage app. But I am getting following error in backstage console.

error Request failed with status code 401

I am using this command to start keycloak on port 8080.

podman run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:22.0.3 start-dev

Getting following error for keycloak

type=CLIENT_LOGIN_ERROR, realmId=ca698df5-850a-4f62-a17d-1c054243d6b9, clientId=myclient, userId=null, ipAddress=10.0.2.100, error=client_not_found, grant_type=client_credentials

I have cross checked the client credentials and those are correct.

Steps to reproduce the behavior:

1. Create backstage app : https://backstage.io/docs/getting-started/
2. Setup keycloak : https://www.keycloak.org/getting-started/getting-started-podman
3. Create new realm, client under new realm and users
4. For client make sure Client authentication is enabled and Service accounts roles is enabled
5. add following realm-management client roles to client:

query-groups query-users manage-users

6. Install keycloak plugin for backstage by janus and follow all the steps : https://janus-idp.io/plugins/keycloak/
7. update app-config.yaml with keycloak credentials (realm, clientId and client secret)
8. run backstage app by using yarn dev

Expected behavior: I should be able to see all the users in backstage app (Catalog->User)

Screenshots :

[Zaperex]

@kulkarnijanhavi sorry for the late reply, I noticed in your steps you said you configured the following

update app-config.yaml with keycloak credentials (realm, clientId and client secret)

I tested this out locally with the following configurations, and I got the same issue as you did.

catalog:
  providers:
    keycloakOrg:
      default:
        baseUrl: http://localhost:8080
        realm: backstage
        clientId: backstage-testing
        clientSecret: <token>

Based on your reproduction steps, I'm assuming you did not configure the loginRealm? I was able to ingest the entities properly by adding the loginRealm configuration:

catalog:
  providers:
    keycloakOrg:
      default:
        baseUrl: http://localhost:8080
        realm: backstage
+       loginRealm: backstage 
        clientId: backstage-testing
        clientSecret: <token>

[hmargarido]

Same issue here

[Zaperex]

@hmargarido what are you configurations like?

[RaulGrosmam]

Hi, same problem here.

Here's my configs:

app-config.yaml:

catalog:
  rules:
    - allow: [Component, Group, User, Template, System, API, Resource]

  providers:
    keycloakOrg:
      default:
        baseUrl: https://mykeycloak/auth
        loginRealm: myrealm
        realm: myrealm
        clientId: backstage
        clientSecret: mysecret

log

02/02/2024 15:42:312024-02-02T18:42:31.849Z catalog error Error while syncing Keycloak users and groups Request failed with status code 401 type=plugin class=KeycloakOrgEntityProvider taskId=KeycloakOrgEntityProvider:default:refresh taskInstanceId=9fdf10ac-a6ca-4db5-aa8c-b1e4cc31fc1e name=Error stack=Error: Request failed with status code 401
02/02/2024 15:42:31    at createError (/app/node_modules/@keycloak/keycloak-admin-client/node_modules/axios/lib/core/createError.js:16:15)
02/02/2024 15:42:31    at settle (/app/node_modules/@keycloak/keycloak-admin-client/node_modules/axios/lib/core/settle.js:17:12)
02/02/2024 15:42:31    at IncomingMessage.handleStreamEnd (/app/node_modules/@keycloak/keycloak-admin-client/node_modules/axios/lib/adapters/http.js:322:11)
02/02/2024 15:42:31    at IncomingMessage.emit (node:events:529:35)
02/02/2024 15:42:31    at endReadableNT (node:internal/streams/readable:1400:12)
02/02/2024 15:42:31    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) status=401

I'm using the Legacy configuration configuration.

[Zaperex]

@RaulGrosmam Can I ask what version of keycloak you are using? The /auth context shouldn't be required if you're using keycloak 17 or higher. Can you try removing the /auth for your baseUrl configuration? Hmm on second thought, that would return a 404 error if you were using /auth in a newer version of keycloak.

[RaulGrosmam]

Our Keycloak version is below 17. But for testing, I've tried to remove /auth, the error still the same :(

Follow Keycloak log:

03/02/2024 15:57:2815:57:28,349 WARN [org.keycloak.events] (default task-1) type=CLIENT_LOGIN_ERROR, realmId=myrealm, clientId=backstage, userId=null, ipAddress=200.159.36.60, error=invalid_client, grant_type=client_credentials, client_auth_method=client-secret

[Zaperex]

Hi @RaulGrosmam , I tested with a local instance of Keycloak 16.1.1 and it worked fine for me:

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:16.1.1

and the following configurations:

catalog:
  providers:
    keycloak:
      default:
        baseUrl: http://localhost:8080/auth
        realm: backstage
        loginRealm: backstage
        clientId: backstage
        clientSecret: Xj8H5ahnsCrbxsMru1bjPVKQK0LsKMSd

I setup a test realm called backstage and generated a client with clientId backstage, set it's access-type to confidential and enabled service accounts:

Then I added the following realm-management roles for the service account:

Then grabbed the client secret from the credentials tab to use for the backstage configurations

Can I ask if your configurations differed at all from my configurations?

[RaulGrosmam]

I didn't have a Service Account Enable. Now it's working. Many thanks!

[rhdh-bot]

This issue has been closed due to the fact that the Janus community is being sunset.

For future plugin issues, please use https://github.com/backstage/community-plugins/issues

For future showcase issues, please use https://issues.redhat.com/browse/RHIDP

For more information on the sunset, see:

https://janus-idp.io/blog/2024/07/05/future-of-janus-community https://issues.redhat.com/browse/RHIDP-3690 https://issues.redhat.com/browse/RHIDP-1018