Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: 8.0 Update 3
Affects Version/s: EAP-XP-5.0.0.GA, 8.0.z.GA
Component/s: Build System, Documentation, OpenShift, Security
Labels:
- intersmash

Blocked:
False
Blocked Reason:
None
Ready:
False
Affects:

Documentation (Ref Guide, User Guide, etc.), Migration, Compatibility/Configuration, User Experience
Affects Testing:

Regression
CDW blocker:
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
?
Target Release:

8.0.z.GA
Workaround:

Workaround Exists
Workaround Description:

Hide

Set the client .publicClient property in the client definition to true when creating the realm.

Show
Set the client .publicClient property in the client definition to true when creating the realm.
Steps to Reproduce:
Hide

1. Deploy a Keycloak instance
2. create one OIDC realm, and a related client
3. deploy a WildFly/EAP application service that connects to the Keycloak instance and perform login with an authorized user
4. HTTP 401 is received and the Keycloak logs report traces like:

type=CODE_TO_TOKEN_ERROR, realmId=basic-auth, clientId=basic-auth-service, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code
Show
1. Deploy a Keycloak instance 2. create one OIDC realm, and a related client 3. deploy a WildFly/EAP application service that connects to the Keycloak instance and perform login with an authorized user 4. HTTP 401 is received and the Keycloak logs report traces like: type=CODE_TO_TOKEN_ERROR, realmId=basic-auth, clientId=basic-auth-service, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The Keycloak/RHBK operator lets users provide realm import definitions so that applications can connect to delegate access control to resources for users in a given realm.

We have a test that started failing soon after migrating from RHSSO to RHBK. The test validates securing resources on OpenShift via OIDC based SSO, and it fails an authentication which is expected to be successful because the client .publicClient property is set to false by default now.

Something like the following error is traced by the RHBK instance logs:

 type=CODE_TO_TOKEN_ERROR, realmId=basic-auth, clientId=basic-auth-service, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code

This seems to be change in behavior causing a regression when compared to the RHSSO integration, which impacts users/customers experience when migrating the described configuration from RHSSO to RHBK.

BTW this is related to RHBK-1408

clones

JBEAP-27065 [QA](8.0.z) s2i Keycloak SAML integration - RequiredActions configuration prevents automatic registration of clients

is cloned by

JBEAP-27067 [QA](8.0.z) s2i Keycloak OIDC integration - APPLICATION_NAME env variable is not properly documented

Assignee:: Unassigned

Reporter:: Fabio Burzigotti

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/05/10 10:17 AM

Updated:: 2024/05/30 3:51 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates