Closed PiotrRaszkowski closed 2 years ago
/cc @pedroigor, @sberyozkin
@PiotrRaszkowski Keycloak 18.0.0 is not supported yet, specifically if the uploaded realm contains scripts, see https://github.com/quarkusio/quarkus/pull/25109
CC @pedroigor
@PiotrRaszkowski Can you try to disable tests or toggle broken only mode when running in dev mode?
I was able to reproduce the problem and it seems related to tests running and causing some instability when rendering the dev UI.
@sberyozkin Quarkus 2.8.2.Final + Keycloak 17.0.0 -> same problem, Quarkus 2.8.0.Final + Keycloak 17.0.0 -> no problem. So yes, maybe Keycloak 18.0.0 is not supported yet but it is not related to Keycloak version.
@pedroigor With broken only mode there is no big difference, with second or third request/refresh I am able to open DEV UI but it is turbo slow.
With quarkus.test.continuous-testing=disabled I still have these errors as the first request, but then it is working fine, I was able to log in to Keycloak and it wasn't slow. This could be a temp workaround but... for someone continuous-testing might be a nice feature...
@PiotrRaszkowski @pedroigor I have reproduced on the main branch as well, and it is only keycloak-authorization which is affected, oidc bearer and oidc web-app quickstarts are good, I'm sure it is to do with /q/dev not being treated as a public resource (given HttpAuthorizer is referenced in the logs), however, adding
quarkus.http.auth.permission.public.paths=/q/dev/*
quarkus.http.auth.permission.public.policy=permit
does not help, nor
quarkus.keycloak.policy-enforcer.paths.2.path=/q/dev/*
quarkus.keycloak.policy-enforcer.paths.2.enforcement-mode=DISABLED
I'm not sure why it has started failing now but was working in 2.8.0
I was wrong, with or without these properties, since there are no annotations, it is deduced correctly it is a public resource.
Something has changed at the Vert.x level or Dev UI level.
@stuartwdouglas @phillip-kruger Can you have a look please when you get a chance? It can be reproduced on main, build it and go to quarkus-quickstarts/security-keycloak-authorization-quickstarts and do mvn quarkus:dev and try to access http://localhost:8080/q/dev/.
I have confirmed in the debug mode that KeycloakPolicyEnforcerAuthorizer (which is HttpSecurityPolicy) will be invoked and PERMIT will be returned here.
So it is the only thing which is different from the other OIDC quickstarts where Dev UI is accessed, that HttpAuthorizer is involved here to check HttpSecurityPolicy.
@PiotrRaszkowski has confirmed it works with 2.8.0 but started failing with 2.8.2
Describe the bug
I tried to configure my application with the provided guide https://quarkus.io/guides/security-keycloak-authorization.
I was unable to open the DEV UI on the first try. After 2-3 page refresh requests it was possible to open it but the DEV UI was very slow, I was unable to log in to Keycloak.
Expected behavior
DEV UI works fine.
Actual behavior
How to Reproduce?
Steps how to reproduce:
Build simple application with dependencies:
quarkus.hibernate-orm.dialect=org.hibernate.dialect.MariaDBDialect
quarkus.hibernate-orm.log.sql=true
quarkus.hibernate-orm.log.bind-parameters=true
quarkus.log.min-level=TRACE
quarkus.liquibase.migrate-at-start=true
%prod.quarkus.oidc.auth-server-url=https://localhost:8543/realms/quarkus
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.devservices.realm-path=quarkus-realm.json
quarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:18.0.0