Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided

[monneyboi]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

I'm trying to create a Client Role in Keycloak for using a RabbitMQ Topic exchange. RabbitMQ allows for variable expansion based on token claims, using roles like rabbitmq.write:*/q-{vhost}-*/u-{sub}-*

When i try to create this Client Role though, keycloak appears to substitute the {sub}, for which it has no value, resulting in a HTTP 500.

I can find no documentation on the substitution behaviour. Is there a way i can disable this substitution?

Version

24.0

Regression

• The issue is a regression

Expected behavior

The Client Role gets created.

Actual behavior

No role gets created, the server returns a HTTP 500 and outputs:

2024-03-04 20:24:08,136 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-22) Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided sub
        at org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl.replaceParameter(UriBuilderImpl.java:635)
        at org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl.buildCharSequence(UriBuilderImpl.java:562)
        at org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl.buildString(UriBuilderImpl.java:534)
        at org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl.buildFromValues(UriBuilderImpl.java:747)
        at org.jboss.resteasy.reactive.common.jaxrs.UriBuilderImpl.build(UriBuilderImpl.java:741)
        at org.keycloak.services.resources.admin.RoleContainerResource.createRole(RoleContainerResource.java:205)
        at org.keycloak.services.resources.admin.RoleContainerResource$quarkusrestinvoker$createRole_190d62669e914fdb6072e019d245fdf3f1acb997.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)

How to Reproduce?

• Create a client
• Create a Client Role with this {pattern} in the name

Anything else?

No response

[graziang]

Hi, when you build the URL to return in the response location here, UriBuilder tries to resolve the parameters of the template contained in the role name.
This can be easily fixed by avoiding template resolution when encoding the role name.

[keycloak-github-bot]

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.

[jonkoops]

@mposolda this sounds like something that would justify a backport to 24, no?

[graziang]

@jonkoops I agree as just yesterday a related issue #28203 was opened, preparing the PR for backport.

[jonkoops]

Thanks @graziang!