I'm trying to make a Quarkus API (OpenAPI - RESTEasy) with authentication (bearer-only mode). Here's my Quarkus config:

# OIDC Configuration
quarkus.oidc.auth-server-url=https://my_idp/auth/realms/MY_REALM
quarkus.oidc.client-id=my_keycloak_client
quarkus.oidc.tls.verification=none

# Enable Policy Enforcement
quarkus.keycloak.policy-enforcer.enable=true
...

And my Keycloak client:

client protocol: openid-connect
access type: bearer-only
A secret is also defined for this client (but I think it doesn't need to be used in that case)

On startup (mvn compile quarkus:dev), I get the following error:

Failed to start application (with profile dev): org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 400 / Bad Request / Response from server: {"error":"invalid_client","error_description":"Invalid client credentials"}

(I've checked that my client ID is fine)

I've read the official guide: https://quarkus.io/guides/security-openid-connect and other Google articles but haven't found any resource that describes this use case.

Did I miss something? This API was previously done with Spring Boot and everything was all right.

Thanks,

Christophe

  • I only tried this once in a little experiment, so this is by no means a "real answer". However, comparing your configuration to mine, you are missing the key "quarkus.oidc.credentials.secret". – mtj Jun 25 '22 at 05:06
  • Thanks for your reply. From my understanding, with a bearer-only Keycloak client, client_secret is not mandatory. But I've tried with the credentials secret, with the same result. – Christophe Gadaix Jun 25 '22 at 08:56
  • Have you checked the Keycloak logs? – sventorben Jun 28 '22 at 14:53

1 Answer

My solution: finally (my bad), this was because I had used the Keycloak policy enforcement mechanism. I dropped the dependency "keycloak-authorization" (and the associated configuration).

Only the oidc dependency was mandatory with the following application.properties :

# OIDC Configuration
quarkus.oidc.auth-server-url=https://idp/auth/realms/REALM
quarkus.oidc.client-id=CLIENT_ID
quarkus.oidc.tls.verification=none
quarkus.http.auth.permission.permit1.paths=/*
quarkus.http.auth.permission.permit1.policy=authenticated
quarkus.http.auth.permission.dev.paths=/q/dev
quarkus.http.auth.permission.dev.policy=permit

I had used the https://quarkus.io/guides/security-keycloak-authorization guide instead of the https://quarkus.io/guides/security-openid-connect one.

Regards
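As an added check (illustration code written for this page; it is not from the question, the answer or Quarkus itself), the following Python script models how the quarkus.http.auth.permission entries in the answer decide whether a request is let through, so the policy can be sanity-checked offline before it is deployed. It assumes the rules stated in the Quarkus HTTP authorization guide: a path ending in /* matches that prefix and everything beneath it, any other path matches exactly, and when several entries match the longest matching path wins; a request matched by no entry is allowed. Only the permit, deny and authenticated policies are modelled. The ANSWER_PROPERTIES text is copied from the answer above; the request paths fed to it are constructed for the example.

```python
"""Added illustration, not code from the question, the answer or Quarkus.

Models how Quarkus 'quarkus.http.auth.permission.*' entries decide a request,
so a policy like the one in the answer can be sanity-checked offline.
Assumed rules (from the Quarkus HTTP authorization guide):
  - a path ending in '/*' matches that prefix and every sub-path,
    any other path matches exactly;
  - when several entries match, the longest matching path wins, and
    equally long matches must all allow the request;
  - a request matched by no entry is allowed.
Only the 'permit', 'deny' and 'authenticated' policies are modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
import re

# Copied from the answer above.
ANSWER_PROPERTIES = """
# OIDC Configuration
quarkus.oidc.auth-server-url=https://idp/auth/realms/REALM
quarkus.oidc.client-id=CLIENT_ID
quarkus.oidc.tls.verification=none
quarkus.http.auth.permission.permit1.paths=/*
quarkus.http.auth.permission.permit1.policy=authenticated
quarkus.http.auth.permission.dev.paths=/q/dev
quarkus.http.auth.permission.dev.policy=permit
"""

PERMISSION_RE = re.compile(
    r"^quarkus\.http\.auth\.permission\.(?P<name>[\w-]+)\.(?P<key>paths|policy)=(?P<value>.*)$"
)


@dataclass
class Permission:
    name: str
    paths: list[str] = field(default_factory=list)
    policy: str = "permit"


def parse_permissions(properties: str) -> list[Permission]:
    """Collect the permission entries out of an application.properties text."""
    found: dict[str, Permission] = {}
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PERMISSION_RE.match(line)
        if not m:
            continue  # unrelated property, e.g. quarkus.oidc.*
        perm = found.setdefault(m["name"], Permission(m["name"]))
        if m["key"] == "paths":
            perm.paths = [p.strip() for p in m["value"].split(",") if p.strip()]
        else:
            perm.policy = m["value"].strip()
    return list(found.values())


def match_length(pattern: str, request_path: str) -> int | None:
    """Length of the matched pattern, or None when it does not match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]          # '/api/*' -> '/api/', '/*' -> '/'
        return len(prefix) if request_path.startswith(prefix) else None
    return len(pattern) if request_path == pattern else None


def decide(perms: list[Permission], request_path: str, authenticated: bool) -> str:
    """Return 'allow', 'deny' or 'challenge' (401 when the bearer token is missing)."""
    matches = [(n, p) for p in perms for pat in p.paths
               if (n := match_length(pat, request_path)) is not None]
    if not matches:
        return "allow"                 # nothing configured for this path
    longest = max(n for n, _ in matches)
    outcome = "allow"
    for n, perm in matches:
        if n != longest:
            continue                   # less specific entries do not apply
        if perm.policy == "deny":
            return "deny"
        if perm.policy == "authenticated" and not authenticated:
            outcome = "challenge"
        elif perm.policy not in ("permit", "authenticated"):
            raise ValueError(f"policy {perm.policy!r} is not modelled here")
    return outcome


if __name__ == "__main__":
    perms = parse_permissions(ANSWER_PROPERTIES)
    # Constructed request paths; '/items' stands in for any API endpoint.
    for path, authed in [("/q/dev", False), ("/items", False), ("/items", True)]:
        print(f"{path:10} authenticated={authed!s:5} -> {decide(perms, path, authed)}")
```

Two points worth carrying over from the answer's configuration: the permit rule for /q/dev opens the Dev UI to anonymous callers wherever that property is active, so prefixing it with the dev profile (%dev.quarkus.http.auth.permission.dev.paths=/q/dev and likewise for the policy) keeps it out of other profiles; and quarkus.oidc.tls.verification=none disables certificate checking towards the identity provider, which is acceptable against a local Keycloak but should not be shipped as-is.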