Open SetoKaiba opened 1 year ago
/cc @pedroigor (oidc), @sberyozkin (oidc)
@SetoKaiba I'm not sure I understand, openid
scope is needed for the authorization code flow. Do those documented steps how to test fail for you ?
I didn't try @RolesAllowed approach.
But for the below documentation. https://quarkus.io/guides/security-keycloak-authorization#testing-the-application At least, for this, I use the keycloak to centralize the authorization. My service will return 401 without scope=openid.
Because I'm writing a standalone application without keycloak-js. So I have to generate the access token myself. I use the way the documentation mentioned. I use that access token unable to access to my service. Then I compared the two token response. I found that the keycloak-js one is with scope openid. But mine doesn't. My access is working again after I added &scope=openid.
@SetoKaiba I've re-tested quarkus-quickstarts/security-keycloak-authorization-quickstart
(which does not use @RolesAllowed
but the authorization policy configured in the realm) and it works as expected.
I'm not sure why openid
scope is needed when the password grant is used to get a token as this scope is nothing to do with the password
grant - it is the OIDC authorization code flow or implicit flow level scope. keycloak.js
must be using either the authorization code flow or may be implicit and therefore it uses openid
.
I appreciate this is what you have to do, add an openid
scope for your setup to work, but the docs you linked to describe how to test quarkus-qucikstarts/security-keycloak-authorization-quickstart
, where the token is acquired using a password grant, which is a core and (deprecated) lower level, OAuth2 grant where openid
is an unknown concept. So require users to add this scope even if they don't need it to successfully test quarkus-qucikstarts/security-keycloak-authorization-quickstart
would be confusing IMHO
Thank you. I found out the problem. This require the openid scope. This is not set in the example but it's mentioned in the doc. So I use it to get more user info. Then I found the problem today with the password grant workflow. Should this be mentioned or is it a common sense for the developers with OIDC?
quarkus.oidc.authentication.user-info-required=true
@SetoKaiba I see, if you use the code flow then Quarkus itself will add this scope, or if it is SPA then keycloak.js will do it. However, for testing, where AT is retrived manually (DevServices for Keycloak will add it itself) and if this token is expected to support the UserInfo retrieval, then indeed, I see why this scope has to be added.
This warrants a Note for sure, to the keycloak authorization and oidc bearer token docs. Would you like to add such a note to both docs, just beneath the example showing how to get the token with curl ?
I'd like to.
For the guides of the website, is the repo path below that I should add a note and create a PR to?
https://github.com/quarkusio/quarkusio.github.io/tree/develop/_guides
I found that there's security related adoc in the main repo as well. But some guides in the mainsite is missing here.
https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
Which one should I create a PR to add the note? Thank you.
@SetoKaiba Thanks, https://github.com/quarkusio/quarkus/blob/main/docs/src/main/asciidoc/security-keycloak-authorization.adoc#testing-the-application is the section you linked, so at the very end of this section, please add a note showing how to request a token if this token will have to support the UserInfo retrieval in the tested application.
And please do the same here: https://github.com/quarkusio/quarkus/blob/main/docs/src/main/asciidoc/security-oidc-bearer-token-authentication-tutorial.adoc#test-the-application
Describe the bug
https://quarkus.io/guides/security-openid-connect#testing-the-application
username=alice&password=alice&grant_type=password
should change tousername=alice&password=alice&grant_type=password&scope=openid
Or the token response scope will be only with "profile email". No "openid". Then the authorization will fail.
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Output of
uname -a
orver
No response
Output of
java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
No response
Build tool (ie. output of
mvnw --version
orgradlew --version
)No response
Additional information
No response