Cannot get roles with oidc on web application #8719

Closed
wjsgzcn opened this issue Apr 21, 2020 · 10 comments · Fixed by #10417
Labels: area/oidc, kind/bug (Something isn't working)
wjsgzcn commented Apr 21, 2020

Describe the bug
Following the guide at https://quarkus.io/guides/security-openid-connect-web-authentication, I find there is no role-based permission control there like in https://quarkus.io/guides/security-openid-connect, so I just added @RolesAllowed to some methods and visited them; then I get a "Forbidden" text response, but the logged-in user is in the role. Then I printed the roles with "identity.getRoles().size()", and no roles were found.

Expected behavior
The roles of the user can be read in web applications.

Actual behavior
The roles of the user cannot be read (size = 0), and a @RolesAllowed method cannot be visited even though the user has the role.

To Reproduce
Steps to reproduce the behavior:

  1. application.properties

```properties
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test
quarkus.oidc.client-id=webapi1
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
```

  2. Resource

```java
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import io.quarkus.security.identity.SecurityIdentity;

@Path("/hello")
public class GreetingResource {

    // Identity populated by the OIDC extension once the code flow completes
    @Inject
    SecurityIdentity identity;

    // Reachable by any authenticated user (see the "authenticated" policy above);
    // echoes the principal name followed by the number of roles found
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String hello() {
        return "hello" + identity.getPrincipal().getName() + identity.getRoles().size();
    }

    // Method-level RBAC: requires the "user" role in the SecurityIdentity
    @GET
    @RolesAllowed("user")
    @Produces(MediaType.TEXT_PLAIN)
    @Path("user")
    public String user() {
        return "user";
    }

    // Method-level RBAC: requires the "admin" role in the SecurityIdentity
    @GET
    @RolesAllowed("admin")
    @Produces(MediaType.TEXT_PLAIN)
    @Path("admin")
    public String admin() {
        return "admin";
    }
}
```

  3. Configure the Keycloak server: realm, client, user and role.
    User "admin" is in the "admin" role.

  4. Run the application and visit http://localhost:8080/hello; enter the username and password in the login page of the well-configured Keycloak server, logging in as user "admin".
    The visit succeeds, but the response is "helloadmin0": no roles are returned.

  5. Visit http://localhost:8080/hello/admin
    It returns "Forbidden".

wjsgzcn added the kind/bug label Apr 21, 2020
sberyozkin (Member) commented

@wjsgzcn Which token claim contains the roles info?

sberyozkin (Member) commented

@wjsgzcn This is how the KC roles are checked: https://github.com/quarkusio/quarkus/blob/master/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java#L71

We can add more checks if needed (CC @pedroigor; hi Pedro, I recall you were mentioning KC could have the roles in some other claim?)

wjsgzcn (Author) commented Apr 21, 2020

> @wjsgzcn Which token claim contains the roles info?

I don't know which claim, but the same code and the same Keycloak realm work well for a service application.

sberyozkin (Member) commented

@wjsgzcn It is interesting. So in the web-app we check the ID token, in the service the access token.
@pedroigor Can Keycloak be configured to set the same roles in the ID token?

sberyozkin (Member) commented Apr 21, 2020

One thing which I suggested earlier but did not get to yet is that in the code flow, we let the users nominate the AT to be used for the RBAC/principal. The AT in the code flow is for the client application itself to invoke some API on behalf of a user, but if the application is not interested in it and the AT is used to represent the user, then I guess we can allow for such a variation too.

sberyozkin (Member) commented

@wjsgzcn We have a test where the ID token has the roles checked, but I'm not sure how it is set in Keycloak.
I believe if you enable an MP JWT feature somehow then it will work; please check.

sberyozkin (Member) commented

@wjsgzcn Did you get a chance to enable MP JWT in Keycloak and retry? Thanks

pedroigor (Contributor) commented Jun 16, 2020

@sberyozkin Sorry. Yes, you can enable the MP JWT client scope so that tokens are issued using MP JWT semantics. @wjsgzcn See https://www.keycloak.org/docs/latest/server_admin/#protocol.

@sberyozkin I guess this one is not a bug then?

sberyozkin (Member) commented

Hi @pedroigor, I'm planning to do a PR a bit later which can let users use the access token as the source of the roles in the code flow; I'll CC you :-)

sberyozkin (Member) commented

@wjsgzcn Starting from 1.7.0 it will be possible to use the access token as the source of the roles in web-app applications with quarkus.oidc.roles.source=accesstoken (the default is idtoken).
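The thread turns on three points: web-app applications read roles from the ID token while service applications read the access token, Keycloak's MP JWT client scope adds a `groups` claim to the tokens it issues, and from 1.7.0 `quarkus.oidc.roles.source=accesstoken` switches the web-app to the access token. The script below is an added example, not Quarkus, Keycloak or the reporter's code. It constructs an ID token and an access token for the same user locally (unsigned, so it runs offline) and resolves roles from whichever token the configured source selects. The claim layout follows Keycloak's conventions (realm roles under `realm_access.roles`, client roles under `resource_access.<client>.roles`, and the `upn`/`groups` claims that the `microprofile-jwt` client scope adds, with `groups` fed from realm roles); the lookup order inside `find_roles`, the `roles_for`/`is_allowed` helpers and the sample claim values are assumptions for illustration and do not reproduce the OidcUtils code linked above.

```python
"""Where Keycloak puts roles, and why the reporter's web-app saw none.

Added example, not Quarkus/Keycloak code. Tokens are constructed locally and
unsigned; the lookup order in find_roles and the sample claims are assumed.
"""
import base64
import json
from typing import Dict, List, Optional

CLIENT_ID = "webapi1"  # client id from the reporter's application.properties
ISSUER = "http://localhost:8180/auth/realms/test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: Dict) -> str:
    """Return 'header.payload.' with an empty signature: constructed test data only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> Dict:
    """Decode the payload WITHOUT verifying the signature.

    Acceptable here only because the tokens are built in this file. A real
    application must verify the signature against the provider's JWKS (the
    Quarkus OIDC extension does) before trusting any claim.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def find_roles(claims: Dict, client_id: str, roles_claim_path: Optional[str] = None) -> List[str]:
    """Collect roles from the claims Keycloak and MP JWT tokens use.

    Assumed order: an explicit claim path ("a/b/c"), then the MP JWT `groups`
    claim, then Keycloak realm_access.roles plus resource_access.<client>.roles.
    """
    if roles_claim_path:
        node = claims
        for part in roles_claim_path.split("/"):
            node = node.get(part) if isinstance(node, dict) else None
        return list(node) if isinstance(node, list) else []
    if isinstance(claims.get("groups"), list):
        return list(claims["groups"])
    roles = list(claims.get("realm_access", {}).get("roles", []))
    roles += claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return roles


# Constructed tokens for user "admin" after the authorization code flow.
# The ID token mirrors what the reporter saw: identity only, no role claims.
ID_TOKEN = make_unsigned_jwt({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "c0ffee", "preferred_username": "admin",
})
# The access token is where Keycloak places realm and client roles by default.
ACCESS_TOKEN = make_unsigned_jwt({
    "iss": ISSUER, "aud": "account", "sub": "c0ffee", "preferred_username": "admin",
    "realm_access": {"roles": ["admin", "offline_access"]},
    "resource_access": {CLIENT_ID: {"roles": ["user"]}},
})
# ID token with the microprofile-jwt client scope attached: `upn` and `groups`
# (fed from realm roles) are added, so roles become visible there as well.
MP_JWT_ID_TOKEN = make_unsigned_jwt({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "c0ffee", "preferred_username": "admin",
    "upn": "admin", "groups": ["admin", "offline_access"],
})


def roles_for(roles_source: str, id_token: str, access_token: str,
              client_id: str = CLIENT_ID) -> List[str]:
    """Mirror quarkus.oidc.roles.source: "idtoken" (default) or "accesstoken"."""
    if roles_source not in ("idtoken", "accesstoken"):
        raise ValueError(f"unknown roles source: {roles_source}")
    token = access_token if roles_source == "accesstoken" else id_token
    return find_roles(decode_claims(token), client_id)


def is_allowed(required: str, roles_source: str, id_token: str, access_token: str) -> bool:
    """What @RolesAllowed(required) would decide for the chosen roles source."""
    return required in roles_for(roles_source, id_token, access_token)


if __name__ == "__main__":
    for source in ("idtoken", "accesstoken"):
        print(source, roles_for(source, ID_TOKEN, ACCESS_TOKEN),
              "admin allowed:", is_allowed("admin", source, ID_TOKEN, ACCESS_TOKEN))
    print("idtoken + microprofile-jwt scope:", roles_for("idtoken", MP_JWT_ID_TOKEN, ACCESS_TOKEN))
```

Run as is: the default `idtoken` source yields no roles and `@RolesAllowed("admin")` is refused (the "helloadmin0" and "Forbidden" the reporter saw), while `accesstoken` or an ID token issued with the `microprofile-jwt` scope yields the admin role. Whichever token is chosen as the role source, it is only trustworthy once its signature, issuer, audience and expiry have been verified; the decoder here skips that because nothing but constructed data ever reaches it.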

sberyozkin added this to the 1.7.0 - master milestone Jul 7, 2020