
Access Denied with Bearer Token

Open dome4 opened this issue 5 years ago • 3 comments

Describe the bug

I created the two clients as described in the documentation. Nevertheless, access to the GraphQL API is denied. I have debugged the connector and found out that the access token of the client in the connector is not validated and therefore access is denied (kauth = {}). Is keycloak-connect suitable for a bearer-only API? The two articles on Stack Overflow do not read like this:

  • https://stackoverflow.com/questions/42394475/authenticate-a-rest-api-using-keycloak-access-token-received-from-authorization

  • https://stackoverflow.com/questions/48274251/keycloak-access-token-validation-end-point/51047525#51047525

To Reproduce

Steps to reproduce the behavior:

  1. Create clients as described in the documentation

Expected behavior

The access token of the frontend_app can be used to access the GraphQL API.

Desktop (please complete the following information):

  • OS: Ubuntu 16.04
  • Browser: Firefox
  • Version: 71.0

Setup

  • Keycloak Server: 7.0.0
  • Hasura: 1.0.0

dome4 avatar Dec 21 '19 23:12 dome4

Mostly the issue is with the Keycloak URL. If you specify the Keycloak URL as localhost it will not work; instead use the IP of the Keycloak docker container or its hostname.

0xHexE avatar Dec 26 '19 17:12 0xHexE

In case anyone else runs into this, I had the same problem and it was indeed because of the URLs. I was running Keycloak, Hasura, and the connector in minikube and port forwarding to the containers so I could access them locally. The Hasura connector would fail running in the cluster, but it validated the token when I ran the hasura-connector locally as a node process. It turns out the keycloak-connect middleware compares the URL of the Keycloak server in the parsed token and the Keycloak URL that is configured for the connector. If they don't match, it declares the token invalid. Because the token was being issued by a port-forwarded Keycloak, the token had the URL http://localhost:8080/ but I was trying to point the connector at the DNS entry for Keycloak in the cluster, http://keycloak-http.default.svc.cluster.local. Long story short, make sure the URLs are all lined up. Port forwarding can throw it off.

    } else if (token.content.iss !== this.realmUrl) {
      reject(new Error('invalid token (wrong ISS)'));
    } 

AdamFerguson avatar Sep 15 '20 22:09 AdamFerguson
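The issuer comparison described in the comment above, as an added diagnostic example (not code from keycloak-hasura-connector or keycloak-connect): it decodes a token's `iss` claim and compares it with the realm URL the connector would build from its configuration, so a port-forwarding mismatch is visible before the middleware silently returns an empty `kauth`. It assumes keycloak-connect derives the realm URL as `<auth-server-url>/realms/<realm>`, and the sample token is constructed and unsigned.

```javascript
// Added example, not part of the connector or keycloak-connect.
// Reproduces the check `token.content.iss !== this.realmUrl` quoted above.

function base64url(input) {
  return Buffer.from(input).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload only. This is a diagnostic, not signature verification;
// keycloak-connect still verifies the signature separately.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  // Node's base64 decoder also accepts the URL-safe alphabet.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Assumption: the realm URL is <auth-server-url>/realms/<realm>, with any
// trailing slash on the server URL stripped, as keycloak-connect does.
function checkIssuer(jwt, authServerUrl, realm) {
  const realmUrl = `${authServerUrl.replace(/\/+$/, '')}/realms/${realm}`;
  const iss = decodePayload(jwt).iss;
  return {
    ok: iss === realmUrl,
    iss,
    realmUrl,
    hint: iss === realmUrl
      ? 'issuer matches connector configuration'
      : `token issued by ${iss} but connector expects ${realmUrl}; ` +
        'align the Keycloak URL seen by the frontend with the one configured for the connector',
  };
}

// Constructed sample token: header and claims are real JSON, the signature
// part is a placeholder because only the `iss` claim matters here.
function makeSampleToken(iss) {
  const header = base64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64url(JSON.stringify({ iss, sub: 'user-1', exp: 9999999999 }));
  return `${header}.${payload}.placeholder-signature`;
}

// Usage: the port-forwarded issuer from the comment above versus the in-cluster URL.
const sample = makeSampleToken('http://localhost:8080/auth/realms/hasura');
console.log(checkIssuer(sample, 'http://localhost:8080/auth', 'hasura').hint);
console.log(checkIssuer(sample, 'http://keycloak-http.default.svc.cluster.local/auth/', 'hasura').hint);
```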

@AdamFerguson Thanks for the feedback... I'm getting "X-Hasura-Role": "anonymous" when testing the port-forwarded service. But I'm getting the expected body response if I run the service locally (and test against a valid token).

jtiagodev avatar Sep 21 '20 20:09 jtiagodev