quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Quarkus Fails to start when using Keycloak policy enforcer and DevUI fails to load #28890

Closed StephenOTT closed 1 year ago

StephenOTT commented 1 year ago

Opening a new issue as this comment was made in April and I am still seeing the same behaviour when starting Quarkus with io.quarkus:quarkus-keycloak-authorization

Fails with Failed to start application (with profile dev): org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_clientId","error_description":"Client application [quarkus-app] is not registered as a resource server."}

Original comment:

As of Quarkus 2.8.1, running Dev Services (Keycloak), Quarkus will not even start with the given configuration:

quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.health.name=Health-check
quarkus.keycloak.policy-enforcer.paths.health.path=/q/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED

So it looks like the issue is back?

Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_clientId","error_description":"Client application [quarkus-app] is not registered as a resource server."}

This is due to how Keycloak is set up by default: "quarkus-app" seems not to be configured with Authorization Enabled, so the error is reasonable. However, enabling a policy enforcer with

quarkus.keycloak.policy-enforcer.enable=true

already throws tons of errors when accessing e.g. /q/dev.

When using all the lines stated above, Quarkus sadly cannot even start properly, and you cannot access any /q/ related path at all.

Originally posted by @janknobloch in https://github.com/quarkusio/quarkus/issues/9565#issuecomment-1106418391

quarkus-bot[bot] commented 1 year ago

/cc @pedroigor, @sberyozkin

sberyozkin commented 1 year ago

Dev Services for Keycloak do not enable some default authorization policies; it is not really possible to do so with the KC admin API. The only way to use Dev Services for KC with keycloak-authorization is to use a realm file where it is all already configured. See quarkus-quickstart/security-keycloak-authorization. I believe we should close this issue.

StephenOTT commented 1 year ago

@sberyozkin, if I understand your intent:

Using https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-keycloak-authorization-quickstart/config/quarkus-realm.json and adding the property config:

quarkus.keycloak.devservices.realm-path=quarkus-realm.json
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.lazy-load-paths=false

should result in Keycloak starting up in Dev Services with functional configs?

If yes, then no the above does not work.

StephenOTT commented 1 year ago

Okay, after some further testing, I see the configs missing:

To make it ~work, the JKS and realm JSON config must be provided (such as in the resources folder): https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-keycloak-authorization-quickstart/config/keycloak-keystore.jks and https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-keycloak-authorization-quickstart/config/quarkus-realm.json

And the full configs need to be used:

quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
quarkus.oidc.tls.verification=none
quarkus.keycloak.devservices.realm-path=quarkus-realm.json
quarkus.oidc.token.issuer=any

quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.lazy-load-paths=false

Is there an explanation of what the realm was configured for / why, and of the properties being used?

Is the realm configured with sensible defaults, or was it created as a quick demo with non-prod-ready defaults?
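The quickstart settings quoted above are demo settings, and two of them weaken the OIDC checks that protect the application: quarkus.oidc.tls.verification=none switches off TLS certificate verification toward Keycloak, and quarkus.oidc.token.issuer=any switches off issuer validation of incoming tokens, while credentials.secret=secret is a published secret. The following application.properties is an added example, not code from the quarkus project or the quickstart; it keeps those relaxations behind the %dev. profile prefix so they cannot leak into a production build, and it carries the /q/* path exclusion from the first comment. The prod auth-server URL, the KEYCLOAK_CLIENT_SECRET variable and the realm file location (src/main/resources/quarkus-realm.json) are assumptions.

```properties
# Dev profile only: Keycloak Dev Services with the pre-configured realm.
# Assumes the realm export lives at src/main/resources/quarkus-realm.json.
%dev.quarkus.keycloak.devservices.realm-path=quarkus-realm.json
%dev.quarkus.oidc.client-id=backend-service
%dev.quarkus.oidc.credentials.secret=secret
# Demo-only relaxations from the quickstart; never unprefixed.
%dev.quarkus.oidc.tls.verification=none
%dev.quarkus.oidc.token.issuer=any

# Prod profile: real server (URL is an assumed example), secret from the
# environment. tls.verification keeps its default of required, and the token
# issuer is checked against auth-server-url because no override is set.
%prod.quarkus.oidc.auth-server-url=https://keycloak.example.com/realms/quarkus
%prod.quarkus.oidc.client-id=backend-service
%prod.quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET}

# Policy enforcer, all profiles.
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.lazy-load-paths=false
# Keep the non-application endpoints (health, Dev UI) out of the enforcer.
quarkus.keycloak.policy-enforcer.paths.nonapp.name=Non-application endpoints
quarkus.keycloak.policy-enforcer.paths.nonapp.path=/q/*
quarkus.keycloak.policy-enforcer.paths.nonapp.enforcement-mode=DISABLED
```

A quick check before shipping is to grep the built configuration for an unprefixed tls.verification=none or token.issuer=any; with the layout above neither value exists outside the %dev. profile, so a prod build that is mistakenly run with those flags fails closed against the real issuer rather than accepting any token.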

sberyozkin commented 1 year ago

@StephenOTT

"Is the realm configured with sensible defaults, or was it created as a quick demo with non-prod-ready defaults?"

I think so, yes. Let me close this issue now.

mirkarlar commented 6 months ago

Spent a lot of time on this yesterday. Got a brainwave this morning: the realm file is never read. This is because it's in the config directory at top level instead of in the src tree somewhere. Moving the quarkus-realm.json file to src/main/resources/ did the trick.
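The two failure modes in this thread (a realm file that is silently not loaded because it is not on the classpath, and a client that is not a resource server so the enforcer gets "invalid_clientId") can both be caught before Quarkus starts. The script below is an added example, not part of the quarkus project or the quickstart; it assumes that quarkus.keycloak.devservices.realm-path is resolved on the classpath (src/main/resources or src/test/resources), and that the realm export lists its clients under "clients" with an "authorizationServicesEnabled" flag, which is the Keycloak export format. The sample realm and properties are constructed inline; the project layout is created in a temporary directory so the checks run offline.

```python
"""Pre-flight checks for Quarkus Dev Services + Keycloak policy enforcer (added example)."""
import json
import tempfile
from pathlib import Path

# Assumption: realm-path is looked up on the classpath, not relative to the project root.
CLASSPATH_DIRS = ("src/main/resources", "src/test/resources")

# Demo-only values that must not apply to every profile.
RISKY_SETTINGS = {
    "quarkus.oidc.tls.verification": "none",
    "quarkus.oidc.token.issuer": "any",
}


def parse_properties(text: str) -> dict:
    """Minimal application.properties parser: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_realm_path(project_root: Path, realm_path: str):
    """Return the realm file a classpath lookup would find, or None.
    A file in a top-level config/ directory is not found, matching the thread."""
    for d in CLASSPATH_DIRS:
        candidate = project_root / d / realm_path
        if realm_path and candidate.is_file():
            return candidate
    return None


def check_resource_server(realm: dict, client_id: str) -> str:
    """'ok' when client_id has Authorization enabled, otherwise the reason the
    enforcer would reject it ("not registered as a resource server")."""
    for client in realm.get("clients", []):
        if client.get("clientId") == client_id:
            if client.get("authorizationServicesEnabled"):
                return "ok"
            return f"client {client_id} exists but Authorization is not enabled"
    return f"client {client_id} is not defined in the realm"


def unscoped_risky_settings(props: dict) -> list:
    """Risky values set without a %dev./%test. profile prefix."""
    return sorted(k for k, v in RISKY_SETTINGS.items() if props.get(k) == v)


def preflight(project_root: Path, props: dict) -> dict:
    realm_file = resolve_realm_path(
        project_root, props.get("quarkus.keycloak.devservices.realm-path", ""))
    result = {"realm_found": realm_file is not None,
              "resource_server": "realm file not found",
              "risky": unscoped_risky_settings(props)}
    if realm_file is not None:
        realm = json.loads(realm_file.read_text())
        result["resource_server"] = check_resource_server(
            realm, props.get("quarkus.oidc.client-id", ""))
    return result


# Constructed sample realm: one resource server, one plain public client.
SAMPLE_REALM = {
    "realm": "quarkus",
    "clients": [
        {"clientId": "backend-service", "authorizationServicesEnabled": True},
        {"clientId": "quarkus-app", "publicClient": True},
    ],
}

# Constructed sample properties, the same keys as the thread's full config.
SAMPLE_PROPERTIES = """
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
quarkus.oidc.tls.verification=none
quarkus.oidc.token.issuer=any
quarkus.keycloak.devservices.realm-path=quarkus-realm.json
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.lazy-load-paths=false
"""


def demo(realm_dir: str) -> dict:
    """Build a throwaway project with the realm file under realm_dir, run the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / realm_dir / "quarkus-realm.json"
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps(SAMPLE_REALM))
        return preflight(root, parse_properties(SAMPLE_PROPERTIES))


if __name__ == "__main__":
    print("realm in config/:            ", demo("config"))
    print("realm in src/main/resources/:", demo("src/main/resources"))
```

Run it against a real checkout by replacing the constructed layout with the project root and the real application.properties; a "realm_found": False result is the mirkarlar case, a non-"ok" resource_server string is the 403 invalid_clientId case from the first comment, and a non-empty "risky" list means the quickstart's demo relaxations are not confined to the dev profile.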