quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Keycloak not exchange token in devmode #37742

Open jedla97 opened 11 months ago

jedla97 commented 11 months ago

Describe the bug

When logging in from the dev UI to the Keycloak provider in the browser, this error appears:

Failed to exchange code for tokens. Error message: Method [io.quarkus.quarkus-oidc.exchangeCodeForTokens] failed: {"error":"invalid_grant","error_description":"Code not valid"}

This happens only with Keycloak 23+; previous versions work fine (I tried the latest version and only changed the Keycloak version to 22, and it worked). The reproducer contains some tests and they pass, so I think it only affects the dev UI. Because of this error it is not possible to test secured endpoints, as they return 403.

Log from Quarkus:

2023-12-14 14:26:53,780 INFO  [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-2) Using authorization_code grant to get a token from 'http://localhost:32785/realms/quarkus/protocol/openid-connect/token' with client id 'backend-service'
2023-12-14 14:26:53,788 INFO  [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-2) Using authorization_code grant to get a token from 'http://localhost:32785/realms/quarkus/protocol/openid-connect/token' with client id 'backend-service'
2023-12-14 14:26:53,806 ERROR [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-2) Token can not be acquired from OpenId Connect provider: java.lang.RuntimeException: {"error":"invalid_grant","error_description":"Code not valid"}
2023-12-14 14:26:53,812 ERROR [io.qua.dev.run.jso.JsonRpcCodec] (vert.x-eventloop-thread-2) Error in JsonRPC Call: java.lang.RuntimeException: {"error":"invalid_grant","error_description":"Code not valid"}
        at io.quarkus.oidc.runtime.devui.OidcDevServicesUtils.getBodyAsString(OidcDevServicesUtils.java:209)
        at io.smallrye.context.impl.wrappers.SlowContextualFunction.apply(SlowContextualFunction.java:21)
        at io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor.onItem(UniOnItemTransform.java:36)
        at io.smallrye.mutiny.vertx.AsyncResultUni.lambda$subscribe$1(AsyncResultUni.java:35)
        at io.smallrye.mutiny.vertx.DelegatingHandler.handle(DelegatingHandler.java:25)
        at io.vertx.ext.web.client.impl.HttpContext.handleDispatchResponse(HttpContext.java:397)
        at io.vertx.ext.web.client.impl.HttpContext.execute(HttpContext.java:384)
        at io.vertx.ext.web.client.impl.HttpContext.next(HttpContext.java:362)
        at io.vertx.ext.web.client.impl.HttpContext.fire(HttpContext.java:329)
        at io.vertx.ext.web.client.impl.HttpContext.dispatchResponse(HttpContext.java:291)
        at io.vertx.ext.web.client.impl.HttpContext.lambda$null$7(HttpContext.java:507)
        at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:277)
        at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:259)
        at io.vertx.core.impl.EventLoopContext.lambda$runOnContext$0(EventLoopContext.java:43)
        at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:566)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)

Expected behavior

No error shown, and being able to test endpoints with the correct behaviour.

Actual behavior

The error is shown, and when testing with the dev UI only 403 is returned even if the user has access.

How to Reproduce?

  1. git clone https://github.com/quarkusio/quarkus-quickstarts.git
  2. cd security-keycloak-authorization-quickstart
  3. mvn clean quarkus:dev -Dquarkus.platform.version=3.6.3
  4. Go to http://localhost:8080/q/dev-ui/io.quarkus.quarkus-oidc/keycloak-provider
  5. Login with any user (I used admin:admin)
  6. The error appears

Output of uname -a or ver

Linux fedowa 6.5.9-300.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Oct 25 21:39:20 UTC 2023 x86_64 GNU/Linux

Output of java -version

openjdk version "17.0.7" 2023-04-18
OpenJDK Runtime Environment GraalVM CE 22.3.2 (build 17.0.7+7-jvmci-22.3-b18)
OpenJDK 64-Bit Server VM GraalVM CE 22.3.2 (build 17.0.7+7-jvmci-22.3-b18, mixed mode, sharing)

Quarkus version or git rev

main, 3.6.2, 3.6.3

Build tool (i.e. output of mvnw --version or gradlew --version)

Apache Maven 3.9.3 (21122926829f1ead511c958d89bd2f672198ae9f)

Additional information

No response
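The log in the report shows two back-to-back "Using authorization_code grant" lines a few milliseconds apart, followed by `invalid_grant` / `Code not valid`. That pair of messages is what an OpenID Connect token endpoint returns when a code is presented that it does not recognise or has already redeemed, because authorization codes are single-use (RFC 6749, section 4.1.2). The report does not establish whether that is what happened here, so the following Python is an added illustration of the rule itself, not Quarkus or Keycloak code and not a diagnosis of this issue. The client id, redirect URI, code lifetime and in-memory store are constructed sample values; the model also shows the RFC's recommendation that a replayed code revokes the tokens already issued from it.

```python
"""Minimal model of an OpenID Connect token endpoint's authorization_code grant.

Added illustration, not Quarkus or Keycloak code. It shows the single rule behind
an "invalid_grant" / "Code not valid" response: an authorization code is single-use
(RFC 6749 section 4.1.2), so a second exchange of the same code is refused and the
server should revoke tokens already issued for that code. Client ids, redirect
URIs, the 60-second lifetime and the in-memory store are constructed sample values.
"""

import secrets
import time

CODE_LIFETIME_SECONDS = 60  # constructed; real providers make this configurable


class TokenEndpoint:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.codes = {}             # code -> record of who it was minted for and whether it was used
        self.active_tokens = set()  # access tokens the resource server would still honour

    def authorize(self, client_id, redirect_uri, subject):
        """Authorization endpoint side: mint a fresh code bound to the client and redirect URI."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "subject": subject,
            "issued_at": self.clock(),
            "used": False,
            "tokens": [],
        }
        return code

    def exchange(self, grant_type, code, client_id, redirect_uri):
        """Token endpoint side: returns (http_status, json_body) like a real endpoint would."""
        if grant_type != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        issued = self.codes.get(code)
        if issued is None:
            # Unknown code: same opaque answer as a replay, so callers learn nothing extra
            return 400, {"error": "invalid_grant", "error_description": "Code not valid"}
        if issued["used"]:
            # Replay of a redeemed code: deny, and revoke everything minted from it
            # (RFC 6749 section 4.1.2: "SHOULD revoke ... all tokens previously issued").
            for token in issued["tokens"]:
                self.active_tokens.discard(token)
            return 400, {"error": "invalid_grant", "error_description": "Code not valid"}
        if issued["client_id"] != client_id or issued["redirect_uri"] != redirect_uri:
            # Code was minted for a different client or callback; refuse without redeeming it
            return 400, {"error": "invalid_grant", "error_description": "Code not valid"}
        if self.clock() - issued["issued_at"] > CODE_LIFETIME_SECONDS:
            return 400, {"error": "invalid_grant", "error_description": "Code is expired"}
        issued["used"] = True
        token = secrets.token_urlsafe(32)
        issued["tokens"].append(token)
        self.active_tokens.add(token)
        return 200, {"access_token": token, "token_type": "Bearer", "sub": issued["subject"]}


def redeem_same_code_twice(endpoint=None):
    """Reproduce the pattern in the log: two back-to-back exchanges of one code.

    Returns the two HTTP statuses and whether the first token survived the replay.
    """
    ep = endpoint or TokenEndpoint()
    client, callback = "backend-service", "http://localhost:8080/callback"  # constructed values
    code = ep.authorize(client, callback, subject="admin")
    status1, body1 = ep.exchange("authorization_code", code, client, callback)
    status2, _ = ep.exchange("authorization_code", code, client, callback)
    first_token_still_valid = body1.get("access_token") in ep.active_tokens
    return status1, status2, first_token_still_valid


if __name__ == "__main__":
    print(redeem_same_code_twice())  # (200, 400, False)
```

From a defender's point of view the useful signal is the pairing: a 200 followed by an `invalid_grant` for the same code within milliseconds is a client that is submitting the same code twice (for instance from two concurrent requests), not a user typing a bad password, and a server that follows the RFC will also have revoked the first token, which is why the protected endpoint then answers 403 even for an authorised user.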

quarkus-bot[bot] commented 11 months ago

/cc @pedroigor (keycloak), @sberyozkin (keycloak)

sberyozkin commented 11 months ago

@jedla97 I've just tested it after rebuilding main, with quickstarts/security-keycloak-authorization-quickstart, logged in as admin:admin, got 200 after typing /api/admin in the test service area

sberyozkin commented 11 months ago

@jedla97 Keycloak 23.0.1 is used. Can you please rebuild main and retry?

jedla97 commented 11 months ago

@sberyozkin I tried and found the problem. It's fine with Firefox but it fails in Chrome. I also quickly downloaded Vivaldi and the error is there too. So I assume that there is a problem somewhere with Chromium or Quarkus/Keycloak-Chromium compatibility.