How do I exclude resources from keycloak policy enforcer in quarkus?

I’m working on quarkus 3.3.2, using a keycloak bearer token to connect to some apis. Here’s my configuration:

# keycloak
# OIDC Configuration
%prod.quarkus.oidc.auth-server-url=https://keycloak....
%test.quarkus.oidc.auth-server-url=https://keycloak....
%dev.quarkus.oidc.auth-server-url=https://keycloak....
quarkus.oidc.client-id=my-client
%prod.quarkus.oidc.credentials.secret=...
%test.quarkus.oidc.credentials.secret=...
%dev.quarkus.oidc.credentials.secret=...
quarkus.oidc.tls.verification=required
quarkus.keycloak.policy-enforcer.enable=true

In order to use AuthzClient, the property quarkus.keycloak.policy-enforcer.enable is set to true:

quarkus.keycloak.policy-enforcer.enable=true

This works so far, but the Quarkus application itself also serves some public resources (health checks, static CSS, etc.) which should not be protected by Keycloak. But when requesting these resources, I always get errors like this:

2023-09-25 16:31:02,956 ERROR [org.key.ada.aut.PolicyEnforcer] (vert.x-worker-thread-1) Could not lazy load resource with path [/css/enunciate.css] from server: org.keycloak.authorization.client.AuthorizationDeniedException: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_clientId","error_description":"Client application [my-client] is not registered as a resource server."}
    at org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
    at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
    at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
    at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:233)
    at org.keycloak.authorization.client.resource.ProtectedResource.findByMatchingUri(ProtectedResource.java:292)
    at org.keycloak.adapters.authorization.PathConfigMatcher.matches(PathConfigMatcher.java:81)
    ...
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_clientId","error_description":"Client application [my-client] is not registered as a resource server."}
    at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103)
    at org.keycloak.authorization.client.util.HttpMethodResponse$3.execute(HttpMethodResponse.java:68)
    at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:227)
    at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:223)
    at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:231)
    ... 19 more

This is what I mainly tried in order to avoid these errors, following the advice on https://quarkus.io/guides/security-authorize-web-endpoints-reference:

quarkus.http.auth.permission.public.paths=/,/css/enunciate.css,/favicon.ico
quarkus.http.auth.permission.public.policy=permit
quarkus.http.auth.permission.public.methods=GET,HEAD,POST,PUT,OPTIONS,PATCH

But it doesn’t have any impact.

I then tried explicitly enforcing only the resource which needs authentication:

quarkus.keycloak.policy-enforcer.paths.1.path=/tlnv-restservice/api,/tlnv-restservice/api/*
quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=ENFORCING

This led to:

2023-09-25 16:37:31,775 ERROR [io.qua.run.Application] (Quarkus Main Thread) Failed to start application (with profile [dev]): java.lang.RuntimeException: Failed to start quarkus
    at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
    ... 
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_clientId","error_description":"Client application [my-client] is not registered as a resource server."}
    at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103)
    at org.keycloak.authorization.client.util.HttpMethodResponse$3.execute(HttpMethodResponse.java:68)
    at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:227)
    at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:223)
    at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:231)
    ... 23 more

It seems as if the Keycloak policy enforcer regards every requested path as a client resource to be enforced.
So how can I exclude these paths from being treated as resources of the Keycloak client and from being lazily loaded by the policy enforcer?
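
As an added example (not part of the original post, and not an answer given on the page): a per-path enforcer configuration that keeps the REST API under ENFORCING and switches enforcement off for the public paths with the `enforcement-mode=DISABLED` setting that the Quarkus Keycloak Authorization extension exposes per path, the same property the post already uses with ENFORCING. The map keys (`api`, `root`, `css`, `health`) and the `/q/health/*` and `/css/*` patterns are assumptions for illustration. Two caveats a practitioner should check first: the error text `Client application [my-client] is not registered as a resource server` is what Keycloak returns when Authorization Services are not enabled on that client, so per-path configuration alone will not make the protected paths work until "Authorization Enabled" is switched on for `my-client` in the realm; and a request whose path matches none of the configured entries still triggers the lazy lookup seen in the stack trace, so every public prefix needs its own DISABLED entry (or a wildcard that covers it).

```properties
# Added example configuration; keys and paths are assumed, not from the post.
quarkus.keycloak.policy-enforcer.enable=true

# Protected REST API: policies are evaluated against Keycloak for these paths.
quarkus.keycloak.policy-enforcer.paths.api.name=REST API
quarkus.keycloak.policy-enforcer.paths.api.path=/tlnv-restservice/api/*
quarkus.keycloak.policy-enforcer.paths.api.enforcement-mode=ENFORCING

# Public paths: DISABLED means the enforcer never evaluates policies for them,
# so it also never tries to lazy-load them as resources from the server.
quarkus.keycloak.policy-enforcer.paths.root.path=/
quarkus.keycloak.policy-enforcer.paths.root.enforcement-mode=DISABLED

quarkus.keycloak.policy-enforcer.paths.css.path=/css/*
quarkus.keycloak.policy-enforcer.paths.css.enforcement-mode=DISABLED

# Assumed health endpoint prefix (Quarkus SmallRye Health default is /q/health).
quarkus.keycloak.policy-enforcer.paths.health.path=/q/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
```

Keep the `quarkus.http.auth.permission.public.*` rules from the post for the HTTP-layer policy if you want them; they do not replace the enforcer's own path table, which is what decides whether a path is looked up on the Keycloak server.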
