Quarkus: Disabled keycloak.policy-enforcer.paths is not publicly accessible

Created on 25 May 2020 · 5 Comments · Source: quarkusio/quarkus

I tried to run the keycloak-authorization example from the quarkus repository. The policy enforcer config is as follows:

# Enable Policy Enforcement
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.enforcement-mode=ENFORCING
-----
-----
# Disables policy enforcement for a path
quarkus.keycloak.policy-enforcer.paths.4.path=/api/public
quarkus.keycloak.policy-enforcer.paths.4.enforcement-mode=DISABLED

When I tried to access /api/public without any authorization, it shows a 401 Unauthorized error. So my question is: is this expected behavior? From what I have understood, since enforcement-mode is set to DISABLED, the API should be accessible to the public without any authorization. I need to build some APIs which should be publicly available. How can I get this behaviour?

Also, when I repeatedly access this API, I get "java.lang.IllegalStateException: Request has already been read" from time to time.

area/keycloak-authorization kind/bug triage/duplicate

All 5 comments

@aksth Are you running it in dev mode? See #9565

Yes, I'm running it in dev mode. In #9565, @tomekzar was able to run the application using java -jar. But when I try to run my application using java -jar, I'm getting the following error:

2020-05-25 17:57:45,416 ERROR [io.qua.application] (main) Failed to start application: java.lang.RuntimeException: Could not find resource
    at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:91)
    at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:232)
    at org.keycloak.authorization.client.resource.ProtectedResource.findByUri(ProtectedResource.java:280)
    at org.keycloak.adapters.authorization.PolicyEnforcer.configureDefinedPaths(PolicyEnforcer.java:177)
    at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:160)
    at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:76)
    at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.init(KeycloakPolicyEnforcerAuthorizer.java:116)
    at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.setup(KeycloakPolicyEnforcerRecorder.java:18)
    at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup28.deploy_0(KeycloakPolicyEnforcerBuildStep$setup28.zig:109)
    at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup28.deploy(KeycloakPolicyEnforcerBuildStep$setup28.zig:36)
    at io.quarkus.runner.ApplicationImpl.doStart(ApplicationImpl.zig:174)
    at io.quarkus.runtime.Application.start(Application.java:89)
    at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:90)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:61)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:38)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:106)
    at io.quarkus.runner.GeneratedMain.main(GeneratedMain.zig:29)
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 401 / Unauthorized / Response from server: {"error":"unauthorized_client","error_description":"Public client not allowed to retrieve service account"}
    at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
    at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
    at org.keycloak.authorization.client.util.TokenCallable.obtainAccessToken(TokenCallable.java:121)
    at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:57)
    at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:296)
    at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
    at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:225)
    at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:222)
    at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:230)
    ... 15 more

@aksth In my Keycloak setup, the realm client used by the application is set as confidential and has service account enabled; maybe that's the missing part in your setup?

@tomekzar That was it. I was able to run it using java -jar. @sberyozkin The original problem I mentioned doesn't occur in non-debug mode, just as mentioned in #9565.

Thanks, @tomekzar, and @aksth.

Indeed, there is something wrong when running in dev-mode. I'll look at that.

I'll close this one and fix the dev-mode issue with #9565.
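
A pre-flight check for the two things this thread turns on, added here as an example (not code from Quarkus, Keycloak or the participants): which paths the configuration leaves unenforced, and whether the Keycloak client is confidential with service accounts enabled, as the accepted fix requires. The client dictionary uses the realm-export field names `publicClient` and `serviceAccountsEnabled`; the sample values, the client name and the helper function names are constructed.

```python
import re

# Constructed sample: the properties shown in the issue (elided lines omitted).
PROPS = """\
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.enforcement-mode=ENFORCING
quarkus.keycloak.policy-enforcer.paths.4.path=/api/public
quarkus.keycloak.policy-enforcer.paths.4.enforcement-mode=DISABLED
"""
# Constructed sample: a client entry as it would appear in a realm export,
# misconfigured as a public client (the state that caused the startup 401).
CLIENT = {"clientId": "my-backend", "publicClient": True,
          "serviceAccountsEnabled": False}
PREFIX = "quarkus.keycloak.policy-enforcer."

def parse_props(text):
    """Parse key=value lines, skipping blanks, # comments and separators."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def disabled_paths(props):
    """Return every path whose per-path enforcement-mode is DISABLED."""
    out = []
    pattern = re.escape(PREFIX) + r"paths\.([^.]+)\.enforcement-mode"
    for key, value in props.items():
        m = re.fullmatch(pattern, key)
        if m and value.upper() == "DISABLED":
            out.append(props.get(f"{PREFIX}paths.{m.group(1)}.path", "<no path set>"))
    return sorted(out)

def client_problems(props, client):
    """List client settings that stop the policy enforcer from starting."""
    if props.get(PREFIX + "enable", "false").lower() != "true":
        return []  # enforcer off: no service-account token is requested
    problems = []
    if client.get("publicClient", False):
        problems.append("client is public; must be confidential")
    if not client.get("serviceAccountsEnabled", False):
        problems.append("service accounts are not enabled")
    return problems

if __name__ == "__main__":
    p = parse_props(PROPS)
    print("unenforced paths:", disabled_paths(p))
    print("client problems:", client_problems(p, CLIENT))
```

Reviewing the list of unenforced paths on every configuration change keeps an intentionally public endpoint such as /api/public from being joined by unintended ones.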
