Closed StephenOTT closed 1 year ago
/cc @pedroigor, @sberyozkin
DevServices for Keycloak do not enable some default authorization policies, it is not really possible to do so with the KC admin api. The only way to use DevServices for KC with keycloak-authorization is to use a realm file where it is already all configured. See quarkus-quickstart/security-keycloak-authorization. I believe we should close this issue
@sberyozkin, if I understand your intent:
Using https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-keycloak-authorization-quickstart/config/quarkus-realm.json and adding the property config:
quarkus.keycloak.devservices.realm-path=quarkus-realm.json
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.lazy-load-paths=false
should result in Keycloak starting up in dev services with functional configs?
If yes, then no, the above does not work.
Okay, after some further testing, I see the configs missing:
To make it ~work, the JKS and realm JSON config must be provided (such as in the resources folder):
https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-keycloak-authorization-quickstart/config/keycloak-keystore.jks and https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-keycloak-authorization-quickstart/config/quarkus-realm.json
And the full configs need to be used:
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
quarkus.oidc.tls.verification=none
quarkus.keycloak.devservices.realm-path=quarkus-realm.json
quarkus.oidc.token.issuer=any
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.lazy-load-paths=false
Is there an explanation of what the realm was configured for / why, and of the properties being used?
Is the realm configured with sensible defaults, or was it created as a quick demo with non-prod-ready defaults?
@StephenOTT
> Is the realm configured with sensible defaults, or was it created as a quick demo with non-prod-ready defaults?
I think so, yes. Let me close this issue now.
Spent a lot of time on this yesterday. Got a brainwave this morning: the realm file is never read. This is because it's in the config directory at the top level instead of somewhere in the src tree. Moving the quarkus-realm.json file to src/main/resources/ did the trick.
Opening a new issue, as this comment was made in April and I am still seeing the same behaviour when starting Quarkus with io.quarkus:quarkus-keycloak-authorization.
Fails with:
Failed to start application (with profile dev): org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_clientId","error_description":"Client application [quarkus-app] is not registered as a resource server."}
Original comment:
So it looks like the issue is back?
Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_clientId","error_description":"Client application [quarkus-app] is not registered as a resource server."}
This is due to the nature of how Keycloak is set up: the default role "quarkus-app" seems not to be configured to use "Authorization Enabled", so the error is reasonable. However, enabling a policy enforcer (quarkus.keycloak.policy-enforcer.enable=true) already throws tons of errors when accessing e.g. /q/dev. When using all the lines stated above, Quarkus sadly cannot even start properly, and you cannot access any /q/ related path at all.
Originally posted by @janknobloch in https://github.com/quarkusio/quarkus/issues/9565#issuecomment-1106418391
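The "not registered as a resource server" error above comes from the client in the imported realm not having Keycloak authorization services enabled. The following is an added example, not code from the thread or from Quarkus: it reads a Keycloak realm export and reports, before dev services start, why a given client cannot act as a resource server for the policy enforcer. The realm JSON below is a constructed sample, not the quickstart file; the field names (clientId, publicClient, authorizationServicesEnabled, authorizationSettings) are those used in Keycloak realm exports.

```python
import json
from typing import List

# Constructed sample of a Keycloak realm export (not the quickstart file);
# only the fields this check reads are included.
SAMPLE_REALM = json.dumps({
    "realm": "quarkus",
    "clients": [
        {"clientId": "backend-service", "publicClient": False,
         "authorizationServicesEnabled": True,
         "authorizationSettings": {"resources": [{"name": "Default Resource"}]}},
        {"clientId": "quarkus-app", "publicClient": False,
         "authorizationServicesEnabled": False},
    ],
})


def check_resource_server(realm_json: str, client_id: str) -> List[str]:
    """Return findings explaining why the policy enforcer would fail for
    client_id; an empty list means the client is usable as a resource server."""
    realm = json.loads(realm_json)
    clients = {c.get("clientId"): c for c in realm.get("clients", [])}
    client = clients.get(client_id)
    if client is None:
        return [f"client '{client_id}' not present in realm '{realm.get('realm')}'"]
    findings = []
    if client.get("publicClient", False):
        findings.append("client is public; a resource server needs a "
                        "confidential client with a secret")
    if not client.get("authorizationServicesEnabled", False):
        # This is the state behind the 403 invalid_clientId response.
        findings.append("authorizationServicesEnabled is false: Keycloak answers "
                        "'not registered as a resource server'")
    elif not client.get("authorizationSettings", {}).get("resources"):
        findings.append("authorization is enabled but no resources are defined, "
                        "so the enforcer has nothing to protect")
    return findings


if __name__ == "__main__":
    for cid in ("backend-service", "quarkus-app"):
        print(cid, check_resource_server(SAMPLE_REALM, cid) or "OK")
```

Run it against the actual realm file named in quarkus.keycloak.devservices.realm-path and the client named in quarkus.oidc.client-id; a non-empty result predicts the startup failure quoted above.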