Tags: keycloak, quarkus, quarkus-oidc

New Keycloak Realm not providing roles for app login


I'm working on setting up Keycloak to be my auth provider, using OIDC. My app is written using Quarkus.

I am creating a new realm using the following steps:

  1. Enter Keycloak Admin Console
  2. Under realm dropdown, hit "Create Realm". Name it oqm.
  3. Realm Settings -> General
    1. Realm ID changed to oqm
    2. Display name and HTML Display name set to Open QuarterMaster
    3. User-managed access turned on
    4. Hit "Save"
  4. Realm Settings -> Login. Turn on:
    • User Registration
    • Forgot Password
    • Remember Me
    • Email as Username?
    • Edit Username
  5. Authentication -> Policies -> Password Policy. Add the following policies:
    • Minimum Length of 8
    • Not username
    • Not email
    • Special chars
    • Uppercase letters
    • Lowercase letters
    • Digits
  6. Create Client
    1. Clients -> Create Client
    2. Client id: oqm-app
    3. Name: Open QuarterMaster App
    4. Always display in UI
    5. Client authentication on
    6. "Standard flow", "Direct access grants", "Implicit flow", and "Service Account Roles" all on
    7. Valid redirect URIs: *
    8. Valid post logout redirect URIs: +
    9. Create
  7. Add roles
    • inventoryAdmin -> Role to enable inventory administration. Can import/export inventory data.
    • inventoryView -> Role to enable viewing inventory.
    • inventoryEdit -> Role to enable editing inventory.
    • itemCheckout -> Role to enable checking out (and back in) items.
  8. Add groups with roles:
    • users
      • inventoryView
      • inventoryEdit
      • itemCheckout
    • admins as child group of users
      • inventoryAdmin
  9. Realm Settings -> User Registration -> Default Groups
    1. Add admins to default group (I have also tried adding all roles as default)

However, when I create a user and login, the app returns a 403, with the following log output:

12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.CodeAuthenticationMechanism |vert.x-eventloop-thread-3 ]():: Session cookie is present, starting the reauthentication
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcIdentityProvider        |vert.x-eventloop-thread-3 ]():: Starting creating SecurityIdentity
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcIdentityProvider        |vert.x-eventloop-thread-3 ]():: Verifying the JWT token with the local JWK keys
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils                   |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'groups' at the path segment 'groups'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils                   |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'realm_access/roles' at the path segment 'realm_access'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76|  |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils                   |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'resource_access/oqm-app/roles' at the path segment 'resource_access'

It seems to me that the roles never make it into the JWT? I am modeling my realm after the one provided by Quarkus' Keycloak dev service, which works when I add the required roles to the users provided there.

Content of "KEYCLOAK_IDENTITY" from jwt.io:

{
  "exp": 1691800027,
  "iat": 1691764027,
  "jti": "ef4a49f0-db0d-49f8-a2a2-36bd35cdb4ef",
  "iss": "http://localhost:32769/realms/oqm",
  "sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33",
  "typ": "Serialized-ID",
  "session_state": "08730e5a-7f3b-4731-8062-c0083bfef614",
  "sid": "08730e5a-7f3b-4731-8062-c0083bfef614",
  "state_checker": "5F2Y4AL-QC1KUOwTLBXEGK_ZrHdlq9na6d0_joCJTaQ"
}

I would think I should see username/email/name as well as roles, but none are present? This is the only cookie that resembles a JWT, except maybe q_session*, but it is split up. I am wondering about the "two token" thing; I was expecting to see two JWTs, one identity and one auth?

I can obviously sign in fine, as going to Keycloak's account page shows my user's info; the right info just isn't passed to my app in the tokens.


Solution

  • Figured it out, needed to: Clients -> oqm-app -> Client Scopes, set microprofile-jwt to "default".

    More detail on the thought process, though I basically needed to compare the two realm JSONs to figure it out: https://github.com/keycloak/keycloak/discussions/22398
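To make the 403 reproducible outside the app, here is an added example (not code from the question or from Quarkus) that walks the same three claim paths the DEBUG log reports as missing, emits the same diagnostics, and compares the page's token payload with a constructed payload of the kind the microprofile-jwt client scope produces (a `groups` claim carrying the realm roles). Merging roles from every path that is present is this example's simplification of the quarkus-oidc lookup, and the sample tokens are constructed.

```python
from __future__ import annotations
from typing import Any

# Client id from the question; the third path is derived from it.
CLIENT_ID = "oqm-app"
# Claim paths consulted in the order the DEBUG log lists them.
ROLE_CLAIM_PATHS = ["groups", "realm_access/roles", f"resource_access/{CLIENT_ID}/roles"]

# Constructed: the claims from the question's KEYCLOAK_IDENTITY payload (no role claims).
TOKEN_WITHOUT_SCOPE: dict[str, Any] = {
    "iss": "http://localhost:32769/realms/oqm",
    "sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33",
    "typ": "Serialized-ID",
}
# Constructed: same subject after microprofile-jwt is a default scope on oqm-app;
# the scope maps realm roles into a "groups" claim and adds "upn".
TOKEN_WITH_MP_JWT_SCOPE: dict[str, Any] = {
    **TOKEN_WITHOUT_SCOPE,
    "upn": "user@example.test",
    "groups": ["inventoryView", "inventoryEdit", "itemCheckout", "inventoryAdmin"],
}


def claim_at_path(payload: dict[str, Any], path: str) -> tuple[Any, str | None]:
    """Walk a '/'-separated claim path; on failure return (None, segment that was missing)."""
    node: Any = payload
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None, segment
        node = node[segment]
    return node, None


def resolve_roles(payload: dict[str, Any]) -> tuple[set[str], list[str]]:
    """Collect roles from every present path and a log-style diagnostic for each absent one."""
    roles: set[str] = set()
    diagnostics: list[str] = []
    for path in ROLE_CLAIM_PATHS:
        value, missing = claim_at_path(payload, path)
        if value is None:
            diagnostics.append(f"No claim exists at the path '{path}' at the path segment '{missing}'")
        elif isinstance(value, list):
            roles.update(str(r) for r in value)
    return roles, diagnostics


def check_required_roles(payload: dict[str, Any], required: set[str]) -> bool:
    """True only if the token carries every required role; otherwise the app should answer 403."""
    return required.issubset(resolve_roles(payload)[0])
```

Run `resolve_roles` on a decoded token copied from jwt.io to see which of the three paths an app would find, before changing the client scopes.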