Keycloak integration

[ondrej-m]

I am trying to integrate keycloak into the Apache Karaf environment. I follow https://hawt.io/docs/keycloak-integration/ with importing https://github.com/hawtio/hawtio/tree/3.x/examples/keycloak-integration
But I ran into a problem with keycloak-direct-access.

Apache karaf logs:
2023-07-27T15:55:54,561 | WARN | qtp2034224808-237 | DirectAccessGrantsLoginModule | 161 - org.ops4j.pax.keycloak.pax-keycloak-core - 0.2.0 | Login failed. Invalid status: 401, OAuth2 error. Error: invalid_grant, Error description: Invalid user credentials
Keycloak logs:
2023-07-27 13:44:33,558 WARN [org.keycloak.events] (executor-thread-23) type=LOGIN_ERROR, realmId=hawtio-demo, clientId=ssh-jmx-admin-client, userId=d9f6415f-f7c7-4ab0-8b15-b5cff2be9d7c, ipAddress=172.21.51.171, error=invalid_user_credentials, auth_method=openid-connect, grant_type=password, client_auth_method=client-secret, username=token, authSessionParentId=b33689a7-d56d-48b4-a77a-2fc2d803bada, authSessionTabId=QSjdXgwtQIw

Why username=token?

Hawtio version: 2.17.5
Karaf version: 4.4.3
Keycloak version: 21.1.2

I will be grateful for any advice.

[ondrej-m]

This is incredibly unhelpful community! RedHat/Keycloack - Never more!

[oscerd]

Did you try with 2.17.6?

[ondrej-m]

Did you try with 2.17.6?

Yes, i tried it with this version too. No difference.

[oscerd]

Because hawtio 2.17.5 was using Karaf 4.3.x while 2.17.6 is using 4.4.x like your configuration

[ondrej-m]

Thank you for your response.
I'll try it with version 2.17.6 and provide you with feedback. I initially assumed that 4.4.x was okay, based on the pom.xml where [4.0,5) is mentioned.

With configuration bellow, the authentiaction throught keycloak is working with direct-access, but i had to set hawtio.keycloakEnabled to false.

feature:repo-add mvn:org.ops4j.pax.keycloak/pax-keycloak-features/0.2.0/xml/features
feature:install pax-keycloak

echo "hawtio.keycloakEnabled = false" >> /opt/karaf/etc/system.properties

cat > /opt/karaf/etc/keycloak-direct-access.json <<EOF
{
"realm": "emans-iam",
"auth-server-url": "https://keycloak.service.local:8181/",
"ssl-required": "external",
"resource": "ssh",
"credentials": {
"secret": "..."
},
"use-resource-role-mappings": true,
"confidential-port": 0
}
EOF
it is working with realm example from:
https://github.com/jboss-fuse/karaf-quickstarts/blob/7.x.redhat-7-x/security/keycloak/fuse-keycloak.adoc

[oscerd]

I'm not actively working on hawtio, so it was just an idea.

[tadayosi]

@ondrejmrekaj

If you set hawtio.keycloakEnabled to false, the Keycloak integration is just disabled. So if you have still hawtio authentication enabled, it should require username/password based authentication. If you are using examples provided by Red Hat, it's better to ask Red Hat support for help.

We are focusing on Spring Boot and Quarkus support, so it's getting harder and harder to covert Karaf support.

[ondrej-m]

I tried it with older version of hawtio, with flag hawtio=enable.
Here is the result: