Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Since Keycloak 24 required action "verify profile" is enabled by default, preventing access token retrieval from dev service #42543

Closed
HerrDerb opened this issue Aug 14, 2024 · 3 comments
Closed

Since Keycloak 24 required action "verify profile" is enabled by default, preventing access token retrieval from dev service #42543

HerrDerb opened this issue Aug 14, 2024 · 3 comments
Labels
area/config area/devservices area/keycloak kind/bug Something isn't working

Comments

@HerrDerb
Copy link
Contributor

HerrDerb commented Aug 14, 2024
edited
Loading

Describe the bug

Since keycloak 24, it seems not possible anymore to get the access token to a configured dev service user with the KeycloakTestClient.

Config:

quarkus.keycloak.devservices.users.myUser=myUser

when trying to get the access token for a test api call, it will return null

new io.quarkus.test.keycloak.client.KeycloakTestClient().getAccessToken("myUser") // returns null

In the logs you find

 [io.qua.oid.dep.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1270961945) Keycloak: 2024-08-14 09:50:38,077 WARN  [org.keycloak.events] (executor-thread-1) type="LOGIN_ERROR", realmId="d71127eb-d9bf-436b-bf93-9ebfcf8226dd", clientId="my-client", userId="null", ipAddress="172.17.0.1", error="resolve_required_actions", auth_method="openid-connect", grant_type="password", client_auth_method="client-secret", username="myUuser"

I remember that since keycloak 24 the "verify profile" required action is enabled by default, which in this case probably prevents a successful login.

By setting the keycloak dev image to 23.x, everything works as expected. When using keycloak 24 or greater and pausing the test, disabling the "verify profile" required action before the login call, everything works as expected.

How to Reproduce?

With keycloak image 24.x or greater for dev service:

  1. Configure dev service user like so quarkus.keycloak.devservices.users.myUser=myUser
  2. Enable keycloak dev service logs
  3. Try to get access token during test for user using new io.quarkus.test.keycloak.client.KeycloakTestClient
@HerrDerb HerrDerb added the kind/bug Something isn't working label Aug 14, 2024
@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented Aug 14, 2024

/cc @geoand (devservices), @pedroigor (keycloak), @radcortez (config), @sberyozkin (keycloak), @stuartwdouglas (devservices)

@HerrDerb HerrDerb changed the title Since Keycloak 24 dev service config based realms have "required actions" enabled, thus preventing access token retrieval Since Keycloak 24 required action "very profile" is enabled by default, thus preventing to get access token with KeycloakTestClient from dev service Aug 14, 2024
@HerrDerb HerrDerb changed the title Since Keycloak 24 required action "very profile" is enabled by default, thus preventing to get access token with KeycloakTestClient from dev service Since Keycloak 24 required action "very profile" is enabled by default, preventing access token retrieval from dev service Aug 14, 2024
@HerrDerb HerrDerb changed the title Since Keycloak 24 required action "very profile" is enabled by default, preventing access token retrieval from dev service Since Keycloak 24 required action "verify profile" is enabled by default, preventing access token retrieval from dev service Aug 14, 2024
@sberyozkin
Copy link
Member

@HerrDerb As far as I recall, you use a custom image, right ? That was indeed the problem for updating to Keycloak 24, but it is not a Quarkus issue AFAIK.
FYI, for the default dev service, this is what we had to do:

#40662

As far as I recall, Pedro was also explaining you can disable it with the admin client API, using the UP config, etc

Have a look please, but IMHO we shuld close this issue

@HerrDerb
Copy link
Contributor Author

HerrDerb commented Aug 14, 2024
edited
Loading

Adding --spi-user-profile-declarative-user-profile-config-file looks like a solution for us 👍thanks you 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/config area/devservices area/keycloak kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sberyozkin @HerrDerb