Components:
- Keycloak:11
- Hawkbit-mysql
Runtime:
- Docker ( Docker compose )
Hi, I use Keycloak 11 to integrate OpenId to Hawkbit. This works with Management API but not with the Management UI.
I followed the instuctions in the docs and added the application.properties.
The flow that is used is the authorization_code, which is expected by Hawkbit.
DOCKER-COMPOSE
Here are my env. vars of my compose file:
- spring.security.oauth2.client.registration.oidc.client-id=hawkbit-client
- spring.security.oauth2.client.registration.oidc.client-secret= XXX
- spring.security.oauth2.client.registration.oidc.scope=openid,profile
- spring.security.oauth2.client.provider.oidc.issuer-uri=http://keycloak:8080/auth/realms/master
- spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
- spring.security.oauth2.client.provider.oidc.token-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/token
- spring.security.oauth2.client.provider.oidc.user-info-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/userinfo
- spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/certs
- spring.security.oauth2.client.registration.oidc.authorization-grant-type=authorization_code
In addition, I changed the port of hawkbit in my compose by
ports:
- 8081:8080
KEYCLOAK:
My Client uses the direct access grant and the standard flow. My user has the Client Role READ_TARGET and SYSTEM_ADMIN
LOGS:
I enabled more fine grained logs and there is communication between Keycloak and Hawkbit. But when I execute the login with the Management UI, it fails.
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 13 of 16 in additional filter chain; firing Filter: 'OAuth2AuthorizationCodeGrantFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 14 of 16 in additional filter chain; firing Filter: 'SessionManagementFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 15 of 16 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 16 of 16 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/UI/UIDL/'; against '/UI/login/**'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/UI/UIDL/'; against '/UI/UIDL/**'
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /UI/UIDL/?v-uiId=0; Attributes: [permitAll]
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6de64288, returned: 1
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 reached end of additional filter chain; proceeding with original chain
2021-01-15 09:18:09.719 DEBUG 1 --- [tp1234905692-18] o.s.s.authentication.ProviderManager : Authentication attempt using org.eclipse.hawkbit.autoconfigure.security.InMemoryUserManagementAutoConfiguration$TenantDaoAuthenticationProvider
2021-01-15 09:18:10.076 DEBUG 1 --- [tp1234905692-18] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@694b6660
2021-01-15 09:18:10.078 DEBUG 1 --- [tp1234905692-18] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2021-01-15 09:18:10.081 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2021-01-15 09:18:10.082 DEBUG 1 --- [tp1234905692-18] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@2233a89d
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@73f49ea6
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object
MY thoughts:
I am pretty confused about what is going on as there is no exception thrown, neither in hawkbit nor in keycloak. Keycloak does, also with fine grained logs enabled, not even logs an auth request.
It is also confusing that, even with oauth enabled, I still can log in with the standard user admin admin. I don't think it is a problem with keycloak as per logs the connection is created and the config via the wellknown endpoint is used.
QUESTIONS:
- Is there something else I have to configure in Keycloak?
- Is there another environment variable to use?
- I have seen that the hawkbit project uses
Spring boot 2.1.4.RELEASEas parent. ( Althought there was a pull request today with an update to 2.4. Is there a known issue in the version?
Sounds like login into hawkBit UI is technically working but you don't see any menu item in the navigation bar. If so try to add "READ_REPOSITORY" to your user's client roles.
No, as you explained everything should be in place: A client (with access type = "confidential", so you get secret), roles to the client and last but not least assign client roles to your user - done
EDIT: Make sure you set a proper redirect URL for you client as well (e.g. http://localhost:8081/*)
No, my working setup looks similar to yours. I set the following props to hawkBit:
Both Spring Boot versions are working fine with OAuth2. The mentioned Boot upgrade is required due to the fact that Boot 2.1.x will be out of life soon