keycloak quarkus bearer-token quarkus-oidc

Error on my Quarkus API + Keycloak IdP (bearer-only mode)


I'm trying to make a Quarkus API (OpenAPI - RESTEasy) with authentication (bearer-only mode). Here's my Quarkus config:

    # OIDC Configuration
    quarkus.oidc.auth-server-url=https://my_idp/auth/realms/MY_REALM
    quarkus.oidc.client-id=my_keycloak_client
    quarkus.oidc.tls.verification=none

    # Enable Policy Enforcement
    quarkus.keycloak.policy-enforcer.enable=true
    ...

And my Keycloak client:

client protocol: openid-connect
access_type: bearer-only
A secret is also defined for this client (but I think it doesn't need to be used in that case)

On startup (mvn compile quarkus:dev), I got the following error:

    Failed to start application (with profile dev): org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 400 / Bad Request / Response from server: {"error":"invalid_client","error_description":"Invalid client credentials"}

(I've checked that my client ID was fine)

I've read the official guide: https://quarkus.io/guides/security-openid-connect and other Google articles but have not found any resource that describes this use case.

Did I miss something? This API was previously done with Spring Boot and everything was all right.

Thanks,

Christophe


Solution

  • My solution: Finally (my bad), this was because I used the Keycloak policy enforcement mechanism. I dropped the dependency "keycloak-authorization" (and the associated configuration).

    Only the OIDC dependency was mandatory, with the following application.properties:

    # OIDC Configuration
    quarkus.oidc.auth-server-url=https://idp/auth/realms/REALM
    quarkus.oidc.client-id=CLIENT_ID
    quarkus.oidc.tls.verification=none
    quarkus.http.auth.permission.permit1.paths=/*
    quarkus.http.auth.permission.permit1.policy=authenticated
    quarkus.http.auth.permission.dev.paths=/q/dev
    quarkus.http.auth.permission.dev.policy=permit
    
    

    I'd used https://quarkus.io/guides/security-keycloak-authorization guide instead of the https://quarkus.io/guides/security-openid-connect one.

    Regards
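
An added example (not part of the original post, and not Quarkus or Keycloak code): a small Python check over an application.properties file that flags the combination from the question, the policy enforcer enabled with no `quarkus.oidc.credentials.*` property, along with the disabled TLS verification both configurations carry. It assumes the enforcer's Keycloak authorization client authenticates with those credentials, which is consistent with the `invalid_client` error above; the finding names are invented for this example.

```python
import re

# Both samples are copied from the configurations shown on this page.
QUESTION_CONFIG = """\
quarkus.oidc.auth-server-url=https://my_idp/auth/realms/MY_REALM
quarkus.oidc.client-id=my_keycloak_client
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=true
"""
ANSWER_CONFIG = """\
quarkus.oidc.auth-server-url=https://idp/auth/realms/REALM
quarkus.oidc.client-id=CLIENT_ID
quarkus.oidc.tls.verification=none
quarkus.http.auth.permission.permit1.paths=/*
quarkus.http.auth.permission.permit1.policy=authenticated
quarkus.http.auth.permission.dev.paths=/q/dev
quarkus.http.auth.permission.dev.policy=permit
"""

def parse_properties(text):
    """Parse plain key=value lines; comments, blanks and other lines are skipped."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return finding codes (names invented for this example)."""
    props = parse_properties(text)
    findings = []
    enforcer = props.get("quarkus.keycloak.policy-enforcer.enable", "").lower() == "true"
    # Assumption: the enforcer authenticates to Keycloak with quarkus.oidc.credentials.*
    has_credentials = any(k.startswith("quarkus.oidc.credentials.") and v for k, v in props.items())
    if enforcer and not has_credentials:
        findings.append("ENFORCER_WITHOUT_CREDENTIALS")  # the invalid_client startup failure
    if props.get("quarkus.oidc.tls.verification", "").lower() == "none":
        findings.append("TLS_VERIFICATION_DISABLED")  # IdP certificate is not checked
    policy_key = re.compile(r"quarkus\.http\.auth\.permission\.[^.]+\.policy$")
    restricted = any(policy_key.match(k) and v != "permit" for k, v in props.items())
    if not enforcer and not restricted:
        findings.append("NO_HTTP_AUTH_POLICY")  # paths rely on annotations only
    return findings

if __name__ == "__main__":
    print("question:", lint(QUESTION_CONFIG))
    print("answer:  ", lint(ANSWER_CONFIG))
```

The parser handles only plain `key=value` lines, not the `:` separator or line continuations that the properties format also allows.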