quarkus
Dev Services for Keycloak: Client and users aren't created
Describe the bug
The documentation states:
%dev.quarkus.keycloak.devservices.users.duke=dukePassword
%dev.quarkus.keycloak.devservices.roles.duke=reader
%dev.quarkus.keycloak.devservices.users.john=johnPassword
%dev.quarkus.keycloak.devservices.roles.john=reader,writer
This configuration creates two users:
* duke with a dukePassword password and a reader role
* john with a johnPassword password and reader and writer roles
...
To customize the client ID and secret, you can use the quarkus.oidc.client-id and quarkus.oidc.credentials.secret properties.
However, using the mentioned properties, the associated users, password and client aren't created in the Keycloak dev instance.
Expected behavior
Expecting, when running Keycloak in dev mode and connecting as admin, to find the mentioned users and client created in the given realm.
Actual behavior
Neither the user, nor the client is created.
How to Reproduce?
Steps to reproduce:
- Go to the security-keycloak-authorization-quickstart in Quarkus Quick Starts.
- Modify the file src/main/resources/application.properties to add the following lines:
  %dev.quarkus.keycloak.devservices.users.duke=dukePassword
  %dev.quarkus.keycloak.devservices.roles.duke=reader
  %dev.quarkus.keycloak.devservices.users.john=johnPassword
  %dev.quarkus.keycloak.devservices.roles.john=reader,writer
- Run in dev mode: mvn quarkus:dev
- Wait for the Keycloak server to start
- Type d
- In the DEV UI, click on Keycloak Admin link in the OpenID Connect pane.
- Log in to Keycloak as admin/admin.
- Select the quarkus realm.
- Click on Clients
- Observe that the client having backend-service as an ID doesn't exist.
- Click on Users
- Observe that there aren't any users named Duke and John.
- Click on Realm roles.
- Observe that there aren't any roles reader and writer.
Output of uname -a or ver
Linux nicolas-XPS-15-9570 6.8.0-52-generic #53-Ubuntu SMP PREEMPT_DYNAMIC Sat Jan 11 00:06:25 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Output of java -version
java version "21.0.3" 2024-04-16 LTS
Java(TM) SE Runtime Environment (build 21.0.3+7-LTS-152)
Java HotSpot(TM) 64-Bit Server VM (build 21.0.3+7-LTS-152, mixed mode, sharing)
Quarkus version or git rev
3.17
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.9.5 (57804ffe001d7215b5e7bcb531cf83df38f93546)
Maven home: /opt/apache-maven-3.9.5
Java version: 21.0.3, vendor: Oracle Corporation, runtime: /usr/lib/jvm/jdk-21-oracle-x64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "6.8.0-52-generic", arch: "amd64", family: "unix"
Additional information
N/A
/cc @geoand (devservices), @pedroigor (keycloak), @sberyozkin (keycloak)
Have added the following property to application.properties file:
quarkus.keycloak.devservices.realm-path=my-realm.json
Where my-realm.json is located in src/test/resources. Running mvn quarkus:dev and looking in the Keycloak log file, I'm seeing this:
Changes detected in configuration. Updating the server image.
Updating the configuration and installing your custom providers, if any. Please wait.
2025-02-12 14:33:03,783 INFO [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 6071ms
Server configuration updated and persisted. Run the following command to review the configuration:
kc.sh show-config
Next time you run the server, just run:
kc.sh start --http-enabled=true --hostname-strict=false --spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json --optimized
2025-02-12 14:33:07,149 INFO [org.infinispan.CONTAINER] (ForkJoinPool.commonPool-worker-1) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2025-02-12 14:33:07,457 WARN [org.jgroups.stack.Configurator] (ForkJoinPool.commonPool-worker-1) JGRP000014: ThreadPool.thread_dumps_threshold has been deprecated: ignored
2025-02-12 14:33:07,466 INFO [org.infinispan.CLUSTER] (ForkJoinPool.commonPool-worker-1) ISPN000078: Starting JGroups channel `ISPN` with stack `udp`
2025-02-12 14:33:07,468 INFO [org.jgroups.JChannel] (ForkJoinPool.commonPool-worker-1) local_addr: 095bf75c-e44f-4e9f-bc4d-a809a7320264, name: 1a904b4f860e-29982
2025-02-12 14:33:07,472 WARN [org.jgroups.protocols.UDP] (ForkJoinPool.commonPool-worker-1) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2025-02-12 14:33:07,472 WARN [org.jgroups.protocols.UDP] (ForkJoinPool.commonPool-worker-1) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
2025-02-12 14:33:07,473 WARN [org.jgroups.protocols.UDP] (ForkJoinPool.commonPool-worker-1) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2025-02-12 14:33:07,473 WARN [org.jgroups.protocols.UDP] (ForkJoinPool.commonPool-worker-1) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
2025-02-12 14:33:07,478 INFO [org.jgroups.protocols.FD_SOCK2] (ForkJoinPool.commonPool-worker-1) server listening on *.27203
2025-02-12 14:33:07,720 INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2025-02-12 14:33:08,352 INFO [org.keycloak.quarkus.runtime.storage.legacy.liquibase.QuarkusJpaUpdaterProvider] (main) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
2025-02-12 14:33:09,482 INFO [org.jgroups.protocols.pbcast.GMS] (ForkJoinPool.commonPool-worker-1) 1a904b4f860e-29982: no members discovered after 2002 ms: creating cluster as coordinator
2025-02-12 14:33:09,489 INFO [org.infinispan.CLUSTER] (ForkJoinPool.commonPool-worker-1) ISPN000094: Received new cluster view for channel ISPN: [1a904b4f860e-29982|0] (1) [1a904b4f860e-29982]
2025-02-12 14:33:09,540 INFO [org.infinispan.CLUSTER] (ForkJoinPool.commonPool-worker-1) ISPN000079: Channel `ISPN` local address is `1a904b4f860e-29982`, physical addresses are `[172.17.0.4:42739]`
UPDATE SUMMARY
Run: 134
Previously run: 0
Filtered out: 0
-------------------------------
Total change sets: 134
2025-02-12 14:33:10,493 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 1a904b4f860e-29982, Site name: null
2025-02-12 14:33:10,641 INFO [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
2025-02-12 14:33:12,107 INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'
2025-02-12 14:33:12,173 INFO [io.quarkus] (main) Keycloak 25.0.6 on JVM (powered by Quarkus 3.8.5) started in 8.267s. Listening on: http://0.0.0.0:8080. Management interface listening on http://0.0.0.0:9000.
2025-02-12 14:33:12,173 INFO [io.quarkus] (main) Profile prod activated.
2025-02-12 14:33:12,174 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, vertx]
I'm not seeing any trace showing that the realm definition file is loaded. Running the kc.sh show-config, as suggested, displays:
Current Mode: production
Current Configuration:
kc.config.built = true (SysPropConfigSource)
kc.db = dev-file (Persisted)
kc.log-console-output = default (classpath keycloak.conf)
kc.run.in.container = true (ENV)
kc.version = 25.0.6 (SysPropConfigSource)
@nicolasduminil Adding client and users option is only there to support basic cases where no actual realms with the user definitions are available, so instead of default alice and bob one could register fred which is probably not very useful...
As far as loading custom realms is concerned, it works well to the best of my knowledge, we have a lot of tests using custom realms, if it does not then it would make sense to create another issue as it is not really related to this issue
@sberyozkin
Adding client and users option is only there to support basic cases where no actual realms with the user definitions are available, so instead of default alice and bob one could register.
These basic cases don't work, as explained.
... it works well to the best of my knowledge, we have a lot of tests using custom realms ...
Actually it doesn't, as you can notice by reproducing the issue, as documented, using your own test (Quick Starts).
https://quarkus.io/guides/all-config#quarkus-devservices-keycloak_quarkus-keycloak-devservices-users-users says "This map is used for user creation when no realm file is found at the realm-path." and the Keycloak Authorization Quickstart sets the realm path: https://github.com/quarkusio/quarkus-quickstarts/blob/681d8000a9322d7e3b2fd74d113c1aec55c592c8/security-keycloak-authorization-quickstart/src/main/resources/application.properties#L6.
I appreciate that you took time to nicely describe the issue and go into details, thank you. This is documented behavior. If you think that users should be created even for custom realms, it would be a feature request. This is not a bug. If you still believe there is a bug, please provide more information, thank you.
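The documented rule quoted in the comment above can be checked before starting dev mode. The following is an added example, not code from the issue or from Quarkus: it resolves `%dev.` profile prefixes in `application.properties` and lists the `users`/`roles` entries that are skipped because a realm file is configured. The function names, the `realm_file_found` hook, the sample realm file name, and the comma-separated handling of `realm-path` are assumptions.

```python
PREFIX = "quarkus.keycloak.devservices."

def parse_properties(text):
    """Parse simple key=value lines; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def effective(props, profile):
    """Resolve Quarkus profile prefixes: %<profile>.key overrides the plain key."""
    marker = f"%{profile}."
    resolved = {k: v for k, v in props.items() if not k.startswith("%")}
    resolved.update({k[len(marker):]: v for k, v in props.items() if k.startswith(marker)})
    return resolved

def ignored_entries(text, profile="dev", realm_file_found=lambda path: True):
    """Return the users/roles keys that are skipped because a realm file is imported.

    realm_file_found is a hypothetical hook: pass a real existence check
    (classpath or filesystem) to mirror the 'no realm file is found' condition.
    """
    conf = effective(parse_properties(text), profile)
    paths = [p.strip() for p in conf.get(PREFIX + "realm-path", "").split(",") if p.strip()]
    if not any(realm_file_found(p) for p in paths):
        return []  # no realm file: the users/roles maps are used
    return sorted(k for k in conf
                  if k.startswith((PREFIX + "users.", PREFIX + "roles.")))

# Constructed sample: a realm-path (placeholder file name) plus the maps from the report.
SAMPLE = """
quarkus.keycloak.devservices.realm-path=example-realm.json
%dev.quarkus.keycloak.devservices.users.duke=dukePassword
%dev.quarkus.keycloak.devservices.roles.duke=reader
%dev.quarkus.keycloak.devservices.users.john=johnPassword
%dev.quarkus.keycloak.devservices.roles.john=reader,writer
"""

if __name__ == "__main__":
    for key in ignored_entries(SAMPLE):
        print("ignored while a realm file is imported:", key)
```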
Michal, this would raise the complexity a lot, users have a link to Keycloak admin... We discussed it early, there are N things that can be created in the realm, so if users have a realm they should edit it via the Keycloak admin page.
Let's keep this issue restricted to verifying that the realm created by default only can accept the users configured in the quarkus.keycloak.devservices.users map, fixing it if required
OK, @michalvavrik, thanks for analyzing it, so, you noticed that @nicolasduminil updated the application.properties where the realm is already configured...
I think then this issue is invalid, let's confirm if users are created in the default realm, I'll have a look soon
I think this is invalid @sberyozkin, sure let's verify first.
Were you able to confirm @sberyozkin ?
@sberyozkin what is the status of this?
Closing for lack of updates