Piotr Gwiazda
Reputation: 12212
Quarkus web app cannnot authorize with JWT and Keycloak
I am trying to authorize a user using code grant flow in Keycloak to a Quarkus application. Here is the Quarkus configuration
# OIDC Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=web-application
quarkus.oidc.credentials.secret=ca21b304-XXX-XXX-XXX-51d38ef5da02
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email
The client configuration for "web-application" has only Standard Flow enabled (for Code Grant Flow)
- I access http://localhost:8080/
- I'm redirected to Keycloak (url looks good with
scope=openid+email&response_type=code&client_id=web-application - I log in with sample user account
- I'm redirected back with the code
- Then I get an exception in Quarkus
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 401 / Unauthorized / Response from server: {"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at org.keycloak.authorization.client.util.TokenCallable.obtainAccessToken(TokenCallable.java:121)
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:57)
at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:276)
at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:205)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:202)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:210)
The error in Keycloak is:
09:58:25,420 WARN [org.keycloak.events] (default task-30) type=CLIENT_LOGIN_ERROR, realmId=quarkus, clientId=web-application, userId=null, ipAddress=172.17.0.1, error=invalid_client, grant_type=client_credentials, client_auth_method=client-secret
Question: Why Quarkus tries to use "grant_type=client_credentials"? It should use the grant type = "authorization_code". This looks like a bug in Quarkus, but maybe there is a flag.
Upvotes: 1
Views: 4071
Answers (2)
Gerhard Powell
Reputation: 6175
"Service Account Enabled" is off. Enabling it should fix the issue.
Upvotes: 3
Jan Garaj
Reputation: 28656
Could you try:
quarkus.oidc.client-type=web-app
instead of:
quarkus.oidc.application-type=web-app
Source: https://quarkus.io/guides/security-openid-connect-web-authentication
Upvotes: 0
Related Questions
- Getting 401 Unauthorized when calling Quarkus app inside a Docker container with Keycloak authorization
- Keycloak 18 with Quarkus SSL configuration failed to use PKCS12 as keystore(*.p12)
- Why is Quarkus JWT Returning Unauthorized on Every Endpoint
- An error occured when injecting AuthzClient
- Why is quarkus.oidc.credentials.secret being ignored?
- Quarkus JWT authentication doesn't work as a native app
- Unable to create instance of JwtClaimsBuilder in Quarkus application
- Keycloak Admin Client with Quarkus?
- Quarkus, Keycloak and OIDC token refresh
- Quarkus and Keycloak/OIDC - NullPointerException