redpipe icon indicating copy to clipboard operation
redpipe copied to clipboard
verified publisher icon FroMage

keycloack roles

Open johnfg2610 opened this issue 7 years ago • 8 comments

Hey, I have been testing out redpipe the last day or so and have set it up with keycloack is there any way to make it use keycloack roles with the RequiresPermissions annotation? maybe related to this error im receiving:

Mar 25, 2018 9:14:56 PM io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl
WARNING: Cannot decode token:
java.lang.RuntimeException: Not enough or too many segments
	at io.vertx.ext.jwt.JWT.decode(JWT.java:259)
	at io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl.decodeToken(OAuth2TokenImpl.java:102)
	at io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl.init(OAuth2TokenImpl.java:124)
	at io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl.<init>(OAuth2TokenImpl.java:83)
	at io.vertx.ext.auth.oauth2.impl.flow.AuthCodeImpl.lambda$getToken$0(AuthCodeImpl.java:81)
	at io.vertx.ext.auth.oauth2.impl.flow.AbstractOAuth2Flow.lambda$getToken$0(AbstractOAuth2Flow.java:135)
	at io.vertx.ext.auth.oauth2.impl.OAuth2API.lambda$null$1(OAuth2API.java:121)
	at io.vertx.core.http.impl.HttpClientResponseImpl$BodyHandler.notifyHandler(HttpClientResponseImpl.java:302)
	at io.vertx.core.http.impl.HttpClientResponseImpl.lambda$bodyHandler$0(HttpClientResponseImpl.java:192)
	at io.vertx.core.http.impl.HttpClientResponseImpl.handleEnd(HttpClientResponseImpl.java:256)
	at io.vertx.core.http.impl.Http1xClientConnection$StreamImpl.endResponse(Http1xClientConnection.java:376)
	at io.vertx.core.http.impl.Http1xClientConnection.handleResponseEnd(Http1xClientConnection.java:456)
	at io.vertx.core.http.impl.Http1xClientHandler.handleMessage(Http1xClientHandler.java:115)
	at io.vertx.core.http.impl.Http1xClientHandler.handleMessage(Http1xClientHandler.java:32)
	at io.vertx.core.net.impl.VertxHandler.lambda$channelRead$1(VertxHandler.java:146)
	at io.vertx.core.impl.ContextImpl.lambda$wrapTask$2(ContextImpl.java:337)
	at io.vertx.core.impl.ContextImpl.executeFromIO(ContextImpl.java:195)
	at io.vertx.core.net.impl.VertxHandler.channelRead(VertxHandler.java:144)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:438)
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:284)
	at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:253)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:141)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:886)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:748)

Thanks, John

johnfg2610 avatar Mar 25 '18 19:03 johnfg2610

Yes, this application shows how to use keycloak roles with the annotation: https://github.com/FroMage/redpipe/tree/master/redpipe-example-wiki-keycloak-jooq

Did you follow this example?

http://redpipe.net/#authentication also has info.

Also, my JWT for vertx 3.5.0 does not have the right line-info, so I assume you're running 3.5.1?

FroMage avatar Mar 26 '18 09:03 FroMage

I followed http://redpipe.net/#authentication and yes I am running 3.5.1 is there anything else I need to do?

    override fun setupRoutes(router: Router) {
        //good solution to loading resources from the web root folder
        router.route("/webroot/*").handler(StaticHandler.create().setCachingEnabled(true))
        super.setupRoutes(router)
    }

    override fun setupAuthenticationRoutes(): AuthProvider {
        val keycloackConfig = AppGlobals.get().config.getJsonObject("keycloack")
        val authWeb = KeycloakAuth.create(AppGlobals.get().vertx, keycloackConfig)
        val authApi = KeycloakAuth.create(AppGlobals.get().vertx, OAuth2FlowType.PASSWORD, keycloackConfig)

        // FIXME: URL
        val authHandler = OAuth2AuthHandler.create(authWeb as OAuth2Auth, "http://localhost:9000/callback")
        val router = AppGlobals.get().router
        // FIXME: crazy!!
        val authProvider = AuthProvider.newInstance(authWeb.getDelegate())
        router.route().handler(UserSessionHandler.create(authProvider))

        authHandler.setupCallback(router.get("/callback"))

        val jwtAuth = JWTAuth.create(AppGlobals.get().vertx,
                JWTAuthOptions(
                        JWTOptions(
                                JsonObject().put("keyStore", AppGlobals.get().config.getJsonObject("keystore")))))

        AppGlobals.get().setGlobal(JWTAuth::class.java, jwtAuth)
        val jwtAuthHandler = JWTAuthHandler.create(jwtAuth, "/wiki/api/token")

        // FIXME: just use different routers
        router.route().handler { ctx ->
            if (!ctx.request().uri().startsWith("/wiki/api/"))
                authHandler.handle(ctx)
            else
                jwtAuthHandler.handle(ctx)
        }

        return AuthProvider.newInstance(authApi.delegate)
    }

this is all the code from the overriden server instance(its kotlin)

johnfg2610 avatar Mar 26 '18 10:03 johnfg2610

So I tried with vertx 3.5.1 and it works here. This is with keycloack 3.3.0.CR2 and 3.3.0.Final. What version of keycloak did you try?

FroMage avatar Mar 27 '18 14:03 FroMage

Also, what does your conf/config.json look like?

FroMage avatar Mar 27 '18 14:03 FroMage

i have keycloak 4.0.0.beta1(il try downgrading shortly it may be that) my config.json

{
  "scan": ["io.github.johnfg10"],
  "keycloack":{
    "realm": "jtube",
    "auth-server-url": "http://localhost:8081/auth",
    "ssl-required": "external",
    "resource": "jtube",
    "credentials": {
      "secret": "3******f-8e*a-*c1f-a*02-****f3ab78**"
    },
    "use-resource-role-mappings": true,
    "confidential-port": 0,
    "policy-enforcer": {}
  }
}

johnfg2610 avatar Mar 27 '18 15:03 johnfg2610

sorry it took a few days ive been a little bit busy but ive downgraded to 3.4.3-final that also doesnt work. i have just tested 3.3.0.final and il upload the settings i have on keycloak image

johnfg2610 avatar Mar 29 '18 10:03 johnfg2610

So I have the following settings different:

Consent required: off Direct Access Grants Enabled: on Service Accounts Enabled: off Authorization enabled: off Valid redirect URIs: http://localhost:9000/callback/*

The rest are the same.

FroMage avatar Apr 04 '18 13:04 FroMage

ive tried with the same settings and am still encountering the same errors

johnfg2610 avatar Apr 15 '18 15:04 johnfg2610