keycloak, quarkus-oidc

Why is quarkus.oidc.credentials.secret being ignored?


I have a SPA (Vue.js) that communicates via REST with a Quarkus Resource API. I am using my own Keycloak for Authentication/Authorization.

In Keycloak I have two clients in my realm:

Client ID: frontend-client
Access Type: public
Standard Flow enabled

Client ID: backend-client
Access Type: bearer-only
Secret: mySecret

My application.properties for my Quarkus API:

quarkus.oidc.auth-server-url=https://localhost:8082/auth/realms/myrealm
#quarkus.oidc.client-id=backend-service
#quarkus.oidc.credentials.secret=mySecret

My SPA uses the Standard Flow to authenticate with Keycloak and then redirects to my app ✅

Then I can make requests to my API and everything works despite quarkus.oidc.client-id and quarkus.oidc.credentials.secret being commented out! Why is that? It also works when those lines are not commented out but have false values. 😳

Why is Quarkus ignoring those lines, and, more importantly, why does it work?

UPDATE: Adding the dependency

<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-keycloak-authorization</artifactId>
</dependency>

allows me to add this to application.properties:

quarkus.keycloak.policy-enforcer.enable=true

It now leads to this error:

{"error":"invalid_client","error_description":"Bearer-only not allowed"}

But at least now the secret is not being ignored, and providing a wrong secret leads to the correct error.

Follow-up question: Why is bearer-only not allowed?


Solution

  • I'm guessing that because your Quarkus application uses a bearer-only client, it will only check the authenticity of the bearer token using the signature.

    Since it will not make any call to Keycloak for additional verifications, it will not use the client id and client secret in your properties.

    You need to change the type of the client to confidential if you want Quarkus to use that.

    By the way, in the Quarkus quickstart for protecting service applications, the Keycloak client uses a confidential client, and bearer-only is set to false: https://github.com/quarkusio/quarkus-quickstarts/blob/main/security-openid-connect-quickstart/config/quarkus-realm.json#L395