Keycloak Dev Services #30138

Closed
iskhakovt opened this issue Jan 3, 2023 · 7 comments · Fixed by #30155
Comments

@iskhakovt

iskhakovt commented Jan 3, 2023

Describe the bug

Keycloak Dev Services issuer doesn't match the expected configuration:

Caused by: org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims-
{"exp":1672438567,"iat":1672437967,"jti":"f3694e7b-2d19-434c-8c26-273af214b030",
"iss":"http://localhost:45713/realms/quarkus","sub":"7da16905-87c9-436d-ba43-3bcb720914aa",
"typ":"Bearer","azp":"quarkus-app","session_state":"ef58267d-1c3f-4a4e-8966-fe720b427d95",
"scope":"microprofile-jwt","sid":"ef58267d-1c3f-4a4e-8966-fe720b427d95","upn":"alice","groups":["admin","user"]})
rejected due to invalid claims or other invalid content. Additional details: [[12] Issuer (iss) claim value
(http://localhost:45713/realms/quarkus) doesn't match expected value of http://keycloak-fardw:8080/realms/quarkus]

As far as I understand, in the case of a shared network we set the Keycloak host to localhost, while keycloak.url resolves to keycloak-[a-zA-Z0-9]5.

Expected behavior

KEYCLOAK_QUARKUS_HOSTNAME / KEYCLOAK_WILDFLY_FRONTEND_URL is set to the shared network hostname.

Actual behavior

KEYCLOAK_QUARKUS_HOSTNAME / KEYCLOAK_WILDFLY_FRONTEND_URL is hardcoded to localhost.

How to Reproduce?

I'm using this config mainly because I didn't manage to get OidcIdentityProvider to work with ServerInterceptor for grpc (due to the lack of RoutingContext):

mp.jwt.verify.publickey.location=${keycloak.url}/realms/quarkus/protocol/openid-connect/certs
mp.jwt.verify.issuer=${quarkus.oidc.auth-server-url}
smallrye.jwt.path.groups=realm_access/roles

Output of uname -a or ver

Linux ip-172-28-46-89 5.15.0-1021-aws #25~20.04.1-Ubuntu SMP Thu Sep 22 13:59:08 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Output of java -version

openjdk 17.0.5 2022-10-18

GraalVM version (if different from Java)

From quay.io/quarkus/ubi-quarkus-mandrel-builder-image:22.3-java17

Quarkus version or git rev

2.15.1.Final

Build tool (i.e. output of mvnw --version or gradlew --version)

Gradle 7.4

Additional information

No response

@quarkus-bot

quarkus-bot bot commented Jan 3, 2023

/cc @Karm(mandrel), @galderz(mandrel), @geoand(devservices), @pedroigor(keycloak), @sberyozkin(keycloak), @stuartwdouglas(devservices), @zakkak(mandrel)

@sberyozkin
Member

@iskhakovt

Can you please try mp.jwt.verify.issuer=${client.quarkus.oidc.auth-server-url} ?

@iskhakovt
Author

@sberyozkin that worked! Should it be updated in https://quarkus.io/guides/security-jwt#integration-testing-keycloak? ${keycloak.url} resolves to the wrong one.

@sberyozkin
Member

sberyozkin commented Jan 3, 2023

@iskhakovt Thanks,

Should it be updated in https://quarkus.io/guides/security-jwt#integration-testing-keycloak? ${keycloak.url} resolves to the wrong one.

Sure, with the shared network, client.quarkus.oidc.auth-server-url points to an address outside of the docker network (as explained by @geoand), which is also why, in the case of DevServices for KC, the frontend URL is set to localhost.

Can you please clarify why it is a shared network setup in your case (to get a better doc message)? In Quarkus tests it happens if we have

<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-container-image-jib</artifactId>
</dependency>

and
<quarkus.container-image.build>true</quarkus.container-image.build> is set

@iskhakovt
Author

Not sure why that happens. :)

It doesn't happen on my local machine, but it does in CircleCI, using a machine executor (which should be just an AWS node).

Run command:

./gradlew quarkusBuild quarkusIntTest \
  -Dquarkus.package.type=native \
  -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true \
  -Dquarkus.docker.dockerfile-native-path=src/main/docker/Dockerfile.native-micro \
  -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image:22.3-java17 \
  -x check -x test

Dependencies:

dependencies {
  implementation enforcedPlatform("io.quarkus.platform:quarkus-bom:${quarkusVersion}")

  implementation 'io.quarkus:quarkus-arc'
  implementation 'io.quarkus:quarkus-core-deployment'
  implementation 'io.quarkus:quarkus-container-image-docker'
  implementation 'io.quarkus:quarkus-grpc'
  implementation 'io.quarkus:quarkus-kotlin'

  implementation 'io.quarkus:quarkus-hibernate-reactive-panache'
  runtimeOnly 'io.quarkus:quarkus-reactive-pg-client'

  implementation 'io.quarkus:quarkus-oidc'
  implementation 'io.quarkus:quarkus-smallrye-jwt'
  implementation 'io.quarkus:quarkus-smallrye-jwt-build'

  implementation 'org.jboss.slf4j:slf4j-jboss-logmanager'
  implementation 'org.jetbrains.kotlin:kotlin-reflect'
  implementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'

  testImplementation 'io.quarkus:quarkus-junit5'
  testImplementation 'io.quarkus:quarkus-junit5-mockito'
  testImplementation 'io.quarkus:quarkus-test-security'
  testImplementation 'org.assertj:assertj-core:3.23.1'

  integrationTestImplementation 'io.quarkus:quarkus-junit5'
  integrationTestImplementation 'io.quarkus:quarkus-test-keycloak-server'

  if (project.osdetector.os == 'osx') {
    runtimeOnly "io.netty:netty-resolver-dns-native-macos:4.1.86.Final:osx-${project.osdetector.arch}"
  }
}

Host:

$ docker system info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.9.1-docker)
  compose: Docker Compose (Docker Inc., v2.10.2)
  scan: Docker Scan (Docker Inc., v0.17.0)

Server:
 ...
 Server Version: 20.10.18
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.15.0-1021-aws
 Operating System: Ubuntu 20.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.625GiB
 Name: ip-172-28-35-16
 ID: DDEY:ISRM:27AY:WCFS:CGZ6:2HVQ:OX2S:2QGV:UZVG:4GBH:GSOW:H5E4
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

@sberyozkin
Member

Thanks @iskhakovt.

Hey @geoand, can you please explain what the general prerequisite is for a Quarkus application and a container like the one launched by DevServices for Keycloak to share a docker network?

Is it Ok to say in the smallrye-jwt testing docs something simple like this:

If your Quarkus application is running in a docker container then it may share a network interface with the Keycloak docker container launched by DevServices for Keycloak.

In such cases, set 'mp.jwt.verify.issuer=${client.quarkus.oidc.auth-server-url}' instead of 'mp.jwt.verify.issuer=${quarkus.oidc.auth-server-url}'

?
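To make the two issuer resolutions concrete, here is an added Python example (not code from the Quarkus project or from anyone in this thread). It expands `${...}` config expressions the way the properties above do and applies the exact-match issuer check that produced the rejection in the report; the config values are constructed from the URLs quoted in this issue, and the exact value of `client.quarkus.oidc.auth-server-url` is an assumption based on sberyozkin's explanation.

```python
import re

# Constructed config mirroring the shared-network Dev Services scenario in this
# issue: the app container reaches Keycloak under its docker-network hostname,
# while Keycloak mints tokens with the host-side URL it was told to advertise.
# The client.* value is assumed to be the host-reachable URL seen in the token.
DEV_SERVICES_CONFIG = {
    "keycloak.url": "http://keycloak-fardw:8080",
    "quarkus.oidc.auth-server-url": "http://keycloak-fardw:8080/realms/quarkus",
    "client.quarkus.oidc.auth-server-url": "http://localhost:45713/realms/quarkus",
}

# Claims taken from the rejected token quoted in the issue report.
TOKEN_CLAIMS = {
    "iss": "http://localhost:45713/realms/quarkus",
    "sub": "7da16905-87c9-436d-ba43-3bcb720914aa",
    "upn": "alice",
}

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def expand(value, config):
    """Expand ${key} expressions (flat lookup only; no defaults or nesting)."""
    def repl(match):
        key = match.group(1)
        if key not in config:
            raise KeyError(f"unresolved config expression ${{{key}}}")
        return config[key]
    return _PLACEHOLDER.sub(repl, value)


def verify_issuer(claims, expected_issuer):
    """Issuer check as a JWT consumer does it: exact string comparison,
    so a token from a different realm or host is rejected, not normalised."""
    iss = claims.get("iss")
    if iss != expected_issuer:
        return False, (f"Issuer (iss) claim value ({iss}) doesn't match "
                       f"expected value of {expected_issuer}")
    return True, "issuer ok"


def check_config(issuer_property, config=DEV_SERVICES_CONFIG, claims=TOKEN_CLAIMS):
    """Resolve mp.jwt.verify.issuer from a property expression and verify a token."""
    expected = expand(issuer_property, config)
    ok, detail = verify_issuer(claims, expected)
    return ok, expected, detail
```

`check_config("${quarkus.oidc.auth-server-url}")` reproduces the rejection from the report, while `check_config("${client.quarkus.oidc.auth-server-url}")` accepts the same token.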

@geoand
Contributor

geoand commented Jan 4, 2023

@sberyozkin seems like already addressed it 😎

@gsmet gsmet modified the milestones: 2.16 - main, 2.15.3.Final Jan 5, 2023
benkard added a commit to benkard/mulkcms2 that referenced this issue Jan 14, 2023
This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.15.2.Final` -> `2.15.3.Final` |
| [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.15.2.Final` -> `2.15.3.Final` |

---

### Release Notes

<details>
<summary>quarkusio/quarkus</summary>

### [`v2.15.3.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.15.3.Final)

[Compare Source](quarkusio/quarkus@2.15.2.Final...2.15.3.Final)

##### Complete changelog

-   [#30255](quarkusio/quarkus#30255) - Introduce a JSON Stream parser for the reactive rest client
-   [#30242](quarkusio/quarkus#30242) - Throw an IllegalStateException with basic info about the provider that failed to provide a resource
-   [#30227](quarkusio/quarkus#30227) - SmallRye GraphQL 1.9.1/2.0.1 + config property to control Federation
-   [#30218](quarkusio/quarkus#30218) - OIDC documentation fixes
-   [#30200](quarkusio/quarkus#30200) - Ensure that Kotlin implementation of QuarkusApplication works properly
-   [#30195](quarkusio/quarkus#30195) - Log graphql.execution.AbortExecutionException when it occurs
-   [#30190](quarkusio/quarkus#30190) - 2.15.2.Final breaks command mode with main class extends from QuarkusApplication in kotlin
-   [#30187](quarkusio/quarkus#30187) - Bump xstream from 1.4.19 to 1.4.20
-   [#30183](quarkusio/quarkus#30183) - Fixing typos in security overview doc
-   [#30177](quarkusio/quarkus#30177) - Properly handle SSE comments in RESTEasy Reactive client and server code
-   [#30172](quarkusio/quarkus#30172) - Codestarts - Fix flattening of log levels
-   [#30169](quarkusio/quarkus#30169) - NullPointerException when sending SSE with comment only
-   [#30161](quarkusio/quarkus#30161) - Align behavior for getDeferredIdentity and getIdentity in TestIdentityAssociation
-   [#30160](quarkusio/quarkus#30160) - Different behavior in TestIdentityAssociation for getDeferredIdentity and getIdentity
-   [#30157](quarkusio/quarkus#30157) - Gradle quarkusDev: don't use test classes dir for app classes
-   [#30155](quarkusio/quarkus#30155) - Show how to verify smallrye-jwt issuer in a shared network
-   [#30154](quarkusio/quarkus#30154) - Remove remaining references to javax classes
-   [#30152](quarkusio/quarkus#30152) - Improve error handling of AbortExecutionException in smallrye-graphql extension
-   [#30146](quarkusio/quarkus#30146) - Properly segregate Json MessageBodyReader/Writer classes for server and client
-   [#30145](quarkusio/quarkus#30145) - GraphQL federation directives, which allow multiple values, do not match Apollo contract
-   [#30142](quarkusio/quarkus#30142) - When disabling name and version for label selectod in k8s, don't remove from labels
-   [#30138](quarkusio/quarkus#30138) - Keycloak Dev Services
-   [#30132](quarkusio/quarkus#30132) - Register REST Client body parameters for reflection
-   [#30119](quarkusio/quarkus#30119) - Enable/disable GraphQL Federation automatically (+ add a config property for it)
-   [#30100](quarkusio/quarkus#30100) - Setting `add-version-to-label-selectors: false` removes the app.kubernetes.io/version label
-   [#30078](quarkusio/quarkus#30078) - Quarkus Kotlin Native Reactive REST Client not working properly
-   [#30061](quarkusio/quarkus#30061) - Adding Kotlin Tests Breaks Kotlin/Java project
-   [#30044](quarkusio/quarkus#30044) - Resteasy Reactive Rest Client fails to re-construct large chunks of streamed json (stream+json) and fails deserialization
-   [#29998](quarkusio/quarkus#29998) - Bump to smallrye-config 2.13.1
-   [#29918](quarkusio/quarkus#29918) - smallrye-config: Converter<Int> throws IllegalStateException
-   [#29609](quarkusio/quarkus#29609) - Remove Reflection replacements, now supported by GraalVM

</details>

<details>
<summary>quarkusio/quarkus-platform</summary>

### [`v2.15.3.Final`](quarkusio/quarkus-platform@2.15.2.Final...2.15.3.Final)

[Compare Source](quarkusio/quarkus-platform@2.15.2.Final...2.15.3.Final)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).