Docs: Dev Services and UI for OpenID Connect discrepancies

[michalvavrik]

Describe the bug

I read https://quarkus.io/version/main/guides/security-openid-connect-dev-services and saw few discrepancies:

• https://quarkus.io/version/main/guides/security-openid-connect-dev-services#dev-services-for-keycloak says run your app without configuring quarkus.oidc properties .. and you will see

  2021-11-02 17:14:24,864 INFO  [org.tes.con.wai.str.HttpWaitStrategy] (build-10) /unruffled_agnesi: Waiting for 60 seconds for URL: http://localhost:32781 (where port 32781 maps to container port 8080)
  ...

  I don't see it, I did: quarkus create app oidc --extensions=resteasy-reactive,oidc, cd oidc, quarkus dev and saw:

  ...
  [INFO] --- quarkus:3.6.1:dev (default-cli) @ oidc ---
  [INFO] Invoking resources:3.3.1:resources (default-resources) @ oidc
  [INFO] Copying 2 resources from src/main/resources to target/classes
  [INFO] Invoking quarkus:3.6.1:generate-code (default) @ oidc
  [INFO] Invoking compiler:3.11.0:compile (default-compile) @ oidc
  [INFO] Nothing to compile - all classes are up to date
  [INFO] Invoking resources:3.3.1:testResources (default-testResources) @ oidc
  [INFO] skip non existing resourceDirectory /tmp/oidc/src/test/resources
  [INFO] Invoking quarkus:3.6.1:generate-code-tests (default) @ oidc
  [INFO] Invoking compiler:3.11.0:testCompile (default-testCompile) @ oidc
  [INFO] Nothing to compile - all classes are up to date
  Listening for transport dt_socket at address: 5005
  2023-12-11 17:48:04,047 INFO  [io.qua.oid.dep.dev.key.KeycloakDevServicesProcessor] (build-53) Dev Services for Keycloak started.
  __  ____  __  _____   ___  __ ____  ______ 
  --/ __ \/ / / / _ | / _ \/ //_/ / / / __/ 
  -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \   
  --\___\_\____/_/ |_/_/|_/_/|_|\____/___/   
  2023-12-11 17:48:05,104 INFO  [io.quarkus] (Quarkus Main Thread) oidc 1.0.0-SNAPSHOT on JVM (powered by Quarkus 3.6.1) started in 12.736s. Listening on: http://localhost:8080
  2023-12-11 17:48:05,106 INFO  [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.
  2023-12-11 17:48:05,107 INFO  [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, oidc, resteasy-reactive, security, smallrye-context-propagation, vertx]
  ...

  I tried it twice in case there is just some temporary logging that disappears, but I can't see it. If there is something specific I should do to see it, I'd like to know. Or I shouldn't be expected to see it.

• https://quarkus.io/version/main/guides/security-openid-connect-dev-services#introduction links to /q/dev which redirects to /q/dev-ui. I think it should be latter as that is same as https://quarkus.io/version/main/guides/dev-ui uses.

• https://quarkus.io/version/main/guides/security-openid-connect-dev-services#dev-services-for-keycloak image says Keycloak provider but text says Provider: Keycloak

• https://quarkus.io/version/main/guides/security-openid-connect-dev-services#keycloak-authorization-code-grant says If you set quarkus.oidc.devui.grant.type=code in application.properties (this is a default value) but I can't see it as a default value here https://quarkus.io/guides/all-config#quarkus-oidc_quarkus.oidc.devui.grant.type and looking at

https://github.com/quarkusio/quarkus/blob/9d9cb794218b61b1213dae3c43176c0cb6d99250/extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/devservices/OidcDevUIProcessor.java#L115

I can see it is default, but looking at

https://github.com/quarkusio/quarkus/blob/9d9cb794218b61b1213dae3c43176c0cb6d99250/extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/devservices/keycloak/KeycloakDevUIProcessor.java#L56

I'm not sure what the default is there. If indeed code is default, then shouldn't it be documented somewhere else as well?

• https://quarkus.io/version/main/guides/security-openid-connect-dev-services#develop-service-applications says By default, the Keycloak page can be used to support the development of a Quarkus OIDC service application but Keycloak page is not on OIDC card in http://localhost:8080/q/dev-ui/extensions, should it be Keycloak provider page?
• in the same section, there is a typo in the word redirected, see authorization code flow after Keycloak redorected the user back to it.
• I can't get my head around , example, in sentence Next, after selecting Log into Single Page Application, you will be redirected to Keycloak to authenticate, example, as alice:alice and then returned to the page representing the SPA: is that intentional? Maybe it's fine, I don't know.
• same section contains text that should probably be image Finally, you can select a Log Out image::dev-ui-keycloak-logout.png
• https://quarkus.io/version/main/guides/security-openid-connect-dev-services#password-grant logged messages also show following log message

...
2021-07-19 17:58:11,407 INFO  [io.qua.oid.dep.dev.key.KeycloakDevConsolePostHandler] (security-openid-connect-quickstart-dev.jar) (DEV Console action) Using password grant to get a token from 'http://localhost:32818/realms/quarkus/protocol/openid-connect/token' for user 'alice' in realm 'quarkus' with client id 'quarkus-app'
...

but these messages are now logged by io.quarkus.oidc.runtime.devui.OidcDevServicesUtils

• https://quarkus.io/version/main/guides/security-openid-connect-dev-services#develop-web-app-applications text Set a relative service endpoint path, click on Sign In To Service does not correspond to image text Log into your Web Application
• https://quarkus.io/version/main/guides/security-openid-connect-dev-services#running-the-tests contains typo (missing C letter) in link Testing OpenID onnect Service Applications with Dev Services
• dash in https://quarkus.io/version/main/guides/security-openid-connect-dev-services#keycloak-initialization is probably a typo with alice given both admin and user roles and bob - the user role.
• two asterisks in following sentence are probably a typo, I don't understand their meaning This configuration creates two users: duke with a dukePassword password and a reader role john with a johnPassword password and reader and writer roles
• both image (color is blue, should be black) and text Sign in to Keycloak around Also, the Keycloak page offers an option to Sign In To Keycloak To Configure Realms using a Keycloak Admin option in the right top corner: should be probably updated as I didn't find such sign in text
• logging message at https://quarkus.io/version/main/guides/security-openid-connect-dev-services#dev-ui-all-oidc-providers should be updated as logger class is io.quarkus.oidc.deployment.devservices.OidcDevUIProcessor
• link in the same section Dev UI page might use /q/dev-ui instead of /q/dev, not an issue though
• there is a typo in Add http://localhost:8080/q/dev-ui/io.quarkus.quarkus-oidc/`providerName-provider` as one of the supported redirect and logout URLs rendering makes it look strange with half of provider colored differently

Expected behavior

Consider discrepancies.

Actual behavior

See issue description.

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[quarkus-bot[bot]]

/cc @geoand (devservices), @stuartwdouglas (devservices)

[sberyozkin]

@michalvavrik The log output is now collapsed once the container has started, so that output is there initially but unfortunately hard to see

[sberyozkin]

As far as the code grant is concerned, keycloak dev service specific property has been deprecated so the code allows to use another property such that if someone uses the deprecated property it still works. OIDC ui processor is only invoked when dev service is disabled so it can't depend on the Keycloak dev service specific property.

[michalvavrik]

@michalvavrik The log output is now collapsed once the container has started, so that output is there initially but unfortunately hard to see

Understand, maybe it depends on how quick one's machine is, but if it is common not so see it (I tried again because of code flow default value check) I think text probably shouldn't raise my expectations. I'll leave you to decide.

As far as the code grant is concerned, keycloak dev service specific property has been deprecated so the code allows to use another property such that if someone uses the deprecated property it still works. OIDC ui processor is only invoked when dev service is disabled so it can't depend on the Keycloak dev service specific property.

I tried it again and when I click to login I can see response_type=code in Keycloak query and later I can see it in Quarkus log, so you are right:

2023-12-12 08:43:03,152 INFO  [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-3) Using authorization_code grant to get a token from 'http://localhost:32771/realms/quarkus/protocol/openid-connect/token' with client id 'quarkus-app

But my initial point is still there: you mentioned here at one line of guide that code is default, but where else can I find it? Can you add some note to configuration property description or considering there is no default value, can you at document it, for example with defaultValueDocumentation:

        /**
         * Grant type which will be used to acquire a token to test the OIDC 'service' applications
         */
        @ConfigItem(defaultValueDocumentation = "code is default unless XYZ")
        public Optional<Type> type;