I'm working on setting up Keycloak to be my auth provider, using OIDC. My app is written using Quarkus.
I am creating a new realm using the following steps:

- oqm
- .oqm
- Open QuarterMaster
- oqm-app
- Open QuarterMaster App
- *
- +
- inventoryAdmin -> Role to enable inventory administration. Can import/export inventory data.
- inventoryView -> Role to enable viewing inventory.
- inventoryEdit -> Role to enable editing inventory.
- itemCheckout -> Role to enable checking out (and back in) items.
- users
  - inventoryView
  - inventoryEdit
  - itemCheckout
- admins (as child group of users)
  - inventoryAdmin
- admins to default group (I have also tried adding all roles as default)

However, when I create a user and login, the app returns a 403, with the following log output:
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.CodeAuthenticationMechanism |vert.x-eventloop-thread-3 ]():: Session cookie is present, starting the reauthentication
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcIdentityProvider |vert.x-eventloop-thread-3 ]():: Starting creating SecurityIdentity
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcIdentityProvider |vert.x-eventloop-thread-3 ]():: Verifying the JWT token with the local JWK keys
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'groups' at the path segment 'groups'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'realm_access/roles' at the path segment 'realm_access'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'resource_access/oqm-app/roles' at the path segment 'resource_access'
It seems to me that the roles never make it into the JWT? I am modeling my realm after the one provided by Quarkus' Keycloak dev service, which works when I add the required roles to the users provided there.
Content of "KEYCLOAK_IDENTITY" from jwt.io:
{
"exp": 1691800027,
"iat": 1691764027,
"jti": "ef4a49f0-db0d-49f8-a2a2-36bd35cdb4ef",
"iss": "http://localhost:32769/realms/oqm",
"sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33",
"typ": "Serialized-ID",
"session_state": "08730e5a-7f3b-4731-8062-c0083bfef614",
"sid": "08730e5a-7f3b-4731-8062-c0083bfef614",
"state_checker": "5F2Y4AL-QC1KUOwTLBXEGK_ZrHdlq9na6d0_joCJTaQ"
}
I would think I should see username/email/name as well as roles, but none are present? This is the only cookie that resembles a JWT, except maybe q_session*, but it is split up. I am wondering about the "two token" thing, I was expecting to see two JWTs, one identity and one auth?
I can obviously sign in fine, as going to Keycloak's account page shows my user's info, just not have the right info passed to my app in the tokens.
Figured it out, needed to: Clients -> oqm-app -> Client Scopes, set microprofile-jwt to "default".
More detail on the thought process, though I basically needed to compare the two realm JSONs to figure it out: https://github.com/keycloak/keycloak/discussions/22398
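As an added example (not code from the question, nor from Keycloak or Quarkus), a small Python inspector that walks the three claim paths the DEBUG log shows Quarkus probing for roles and reports what each path yields, which is a quick way to confirm a client-scope change actually lands in the token. The two tokens it decodes are constructed, unsigned stand-ins: the first carries the bare claim set from the question, the second the `groups` claim the `microprofile-jwt` scope adds; it reads the payload without verifying the signature, so it is a diagnostic, not an authorization check.

```python
import base64
import json

# Claim paths the Quarkus OIDC extension probes for roles, in the order the
# question's DEBUG log shows; the last one is specific to the client id.
CLIENT_ID = "oqm-app"
ROLE_CLAIM_PATHS = ["groups", "realm_access/roles",
                    f"resource_access/{CLIENT_ID}/roles"]


def decode_payload(token: str) -> dict:
    """Return the payload of a compact JWS without checking its signature.
    Inspection only: Quarkus verifies the real token against the realm's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def claim_at_path(claims: dict, path: str):
    """Walk a '/'-separated claim path segment by segment; None if any is missing."""
    node = claims
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def find_roles(claims: dict) -> dict:
    """Map each probed path to the list of roles found there ([] when absent)."""
    return {p: (list(v) if isinstance(v := claim_at_path(claims, p), list) else [])
            for p in ROLE_CLAIM_PATHS}


def _unsigned_token(payload: dict) -> str:
    # Constructed alg=none token with an empty signature, for local inspection only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed payloads: before (no role claims, as in the question) and after
# the microprofile-jwt scope maps the user's realm roles into "groups".
ROLES = ["inventoryView", "inventoryEdit", "itemCheckout"]
TOKEN_WITHOUT_ROLES = _unsigned_token(
    {"iss": "http://localhost:32769/realms/oqm", "sub": "user-1"})
TOKEN_WITH_ROLES = _unsigned_token(
    {"iss": "http://localhost:32769/realms/oqm", "sub": "user-1", "upn": "alice",
     "groups": ROLES, "realm_access": {"roles": ROLES}})

if __name__ == "__main__":
    for label, tok in (("before", TOKEN_WITHOUT_ROLES), ("after", TOKEN_WITH_ROLES)):
        print(label, find_roles(decode_payload(tok)))
```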