Provider crash when adding keycloak_default_roles on new realm #919
Comments
Keycloak version: v22.0.5. Local setup, single pod. The script below can be used to reproduce the scenario. As it turns out, this is bound to the access token used: GET-ing the realm with the same access token that was used to create it returns a minimal response. After fetching a new access token, the full realm JSON is returned.

Test script and output

Shell script creating, then repeatedly fetching the realm:

```sh
#!/bin/sh
set -e
kc_host=$KC_HOST
kc_client_id=$KC_CLIENT_ID
kc_client_secret=$KC_CLIENT_SECRET
realm=$1

# Client-credentials grant against the master realm; prints the access token.
get_token() {
  token=$(curl -X POST "$kc_host/realms/master/protocol/openid-connect/token" --http1.1 \
    -d "client_id=$kc_client_id" \
    -d "client_secret=$kc_client_secret" \
    -d 'grant_type=client_credentials' \
    -k -s | jq -r '.access_token')
  echo "$token"
}

# POST /admin/realms with a minimal realm representation.
create_realm() {
  token=$1
  response=$(curl -X POST "$kc_host/admin/realms" --http1.1 \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    -d '{"realm":"'"$realm"'","enabled":true}' \
    -k -s)
  echo "$response"
}

# GET /admin/realms/{realm}; an optional query string ($2) is appended for cache busting.
get_realm() {
  token=$1
  qs=$2
  response=$(curl -X GET "$kc_host/admin/realms/${realm}${qs}" --http1.1 \
    -H "Authorization: Bearer $token" \
    -k -s)
  echo "$response"
}

delete_realm() {
  token=$1
  response=$(curl -X DELETE "$kc_host/admin/realms/${realm}" --http1.1 \
    -H "Authorization: Bearer $token" \
    -k -s)
  echo "$response"
}

# Reduce the realm JSON to the two fields of interest: the realm name and defaultRole.id.
parse() {
  jq -M '{"realm": .realm, "defaultRole.id": .defaultRole.id }'
}

echo
echo "Creating realm $realm"
token=$(get_token)
create_realm "$token"
echo
echo "Getting realm $realm"
echo "$(get_realm "$token" | parse)"
echo
echo "Sleep & getting realm"
sleep 2
echo "$(get_realm "$token" | parse)"
echo
echo "Cache busting query string & getting realm"
random_string=$(xxd -l4 -ps /dev/urandom)
echo "$(get_realm "$token" "?random=${random_string}" | parse)"
echo
echo "New access token & getting realm"
token=$(get_token)
echo "$(get_realm "$token" | parse)"
echo
echo "Cache busting query string & getting realm"
random_string=$(xxd -l4 -ps /dev/urandom)
echo "$(get_realm "$token" "?random=${random_string}" | parse)"
echo
echo "Deleting realm"
delete_realm "$token"
```

Sample output:
Hello, I saw corrections in the PRs and it seems good. Is there a way to include it in the next patch version of the provider?
TL;DR:

Starting from Keycloak v22, GET-ing a realm with the same access token used to create it returns an incomplete 200 instead of a 403. Because of that, not receiving a 403, the token refresh is no longer triggered. This part (which explicitly mentions the 403-after-realm-create scenario): https://github.com/mrparkers/terraform-provider-keycloak/blob/master/keycloak/keycloak_client.go#L338

Since this behaviour change is present in Keycloak versions 22...23.0.4, it probably needs to be addressed.
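The refresh condition described above, as an added example in Go that is not code from the provider: a 200 whose body lacks defaultRole.id is handled the same way as a 403, that is, a fresh token is obtained and the request is retried once, so the caller never receives a realm with a nil default role. RealmRepresentation, Fetcher, Refresher, parseRealm and getRealmWithRefresh are names assumed for this example, and the fetch and refresh hooks stand in for the real HTTP calls.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// RealmRepresentation is the subset of the admin API realm JSON inspected here
// (field names as returned by GET /admin/realms/{realm}).
type RealmRepresentation struct {
	Realm       string                     `json:"realm"`
	DefaultRole *struct{ ID string `json:"id"` } `json:"defaultRole"`
}

// Fetcher and Refresher are hypothetical hooks standing in for the HTTP client
// and the token endpoint, so the retry logic can be exercised offline.
type Fetcher func(token string) (status int, body []byte)
type Refresher func() (token string)

// ErrRefreshNeeded covers a 403 and the Keycloak 22+ case from this issue: a
// 200 whose body is the minimal realm JSON without defaultRole.id.
var ErrRefreshNeeded = errors.New("access token must be refreshed")

// parseRealm never returns a representation with a nil DefaultRole, the value
// the provider later dereferences when managing keycloak_default_roles.
func parseRealm(status int, body []byte) (*RealmRepresentation, error) {
	if status == 403 {
		return nil, ErrRefreshNeeded
	}
	if status != 200 {
		return nil, fmt.Errorf("unexpected status %d", status)
	}
	var r RealmRepresentation
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if r.DefaultRole == nil || r.DefaultRole.ID == "" {
		return nil, ErrRefreshNeeded // incomplete 200: treat like a 403
	}
	return &r, nil
}

// getRealmWithRefresh applies the 403 recovery (new token, retry once) to the
// incomplete-200 case as well; a second incomplete answer surfaces the error.
func getRealmWithRefresh(fetch Fetcher, refresh Refresher, token string) (*RealmRepresentation, error) {
	r, err := parseRealm(fetch(token))
	if errors.Is(err, ErrRefreshNeeded) {
		r, err = parseRealm(fetch(refresh()))
	}
	return r, err
}
```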
Having keycloak_default_roles on a newly created realm causes a provider crash. If the realm already exists all works fine.

Sample code:
Crash: