OIDC "Permission must not be empty" with imported test realm since 3.5.0

[HerrDerb]

Describe the bug

In certain projects, we use a realm.json to initialize the keycloak dev instance for our tests.
This did work fine prior 3.5.0

Since 3.5.0 we do get an exception as soon as we try to send an authorized request to a REST api during a test:

Caused by: java.lang.IllegalArgumentException: Permission name must not be empty
                at io.quarkus.security.StringPermission.validateAndTrim(StringPermission.java:48)
                at io.quarkus.security.StringPermission.<init>(StringPermission.java:26)
                at io.quarkus.oidc.runtime.OidcUtils.transformScopesToPermissions(OidcUtils.java:314)
                at io.quarkus.oidc.runtime.OidcUtils$1.<init>(OidcUtils.java:288)
                at io.quarkus.oidc.runtime.OidcUtils.addTokenScopesAsPermissions(OidcUtils.java:286)
                at io.quarkus.oidc.runtime.OidcUtils.setSecurityIdentityPermissions(OidcUtils.java:281)
                at io.quarkus.oidc.runtime.OidcUtils.validateAndCreateIdentity(OidcUtils.java:270)
                at io.quarkus.oidc.runtime.OidcIdentityProvider.createSecurityIdentityWithOidcServer(OidcIdentityProvider.java:284)

As nothing is noted as a breaking change concerning oidc in 3.5.0 and the imported realm.json seems valid, I must assume that this is bug?

PS: Mabey our keycloak "test tool" to add users, roles etc. could be distilled and integrated in quarkus?

How to Reproduce?

Run tests:
https://github.com/HerrDerb/quarkus-issue/tree/oidc-3-5-0-issue

Switch to Quarkus version 3.4.3 and the test will succeed.

[quarkus-bot]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

Might be related to my previous fix related to treating scopes like read:data correctly, my guess is there is extra space or may be an unusual scope value that has not been taken into the consideration

[HerrDerb]

In this very case the scope value is [""] which maybe unwanted slips on this line:

quarkus/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java

Line 287 in 778123a

if (!scopes.isEmpty()) {

[michalvavrik]

In this very case the scope value is [""]

yes, I could reproduce it thanks to your quality reproduce, I'll provide fix today, thanks for reporting it!

[michalvavrik]

PS: Mabey our keycloak "test tool" to add users, roles etc. could be distilled and integrated in quarkus?

please let's treat it as a separate issue (maybe you can open enhancement issue), because this fix needs to be backported and discussion over this would only slow process down

[HerrDerb]

please let's treat it as a separate issue (maybe you can open enhancement issue), because this fix needs to be backported and discussion over this would only slow process down

Absolutly, I did not intend to include this in the solution of this issue.

[HerrDerb]

Sweet, thanks 🥳