Comments (2)
It appears as if there is a caching issue in Keycloak. I'm not sure if that's expected behaviour from Keycloak's part
It's not caching, it's an incomplete 200 being returned instead of a 403 by Keycloak from v22 upwards: keycloak/keycloak#26301
Keycloak version: v22.0.5. Local setup, single pod.
The script below can be used to reproduce the scenario. As it turns out, the behaviour is bound to the access token used: GET-ing the realm with the same access token that was used to create it returns a minimal response.
After fetching a new access token, the full realm JSON is returned.
Test script and output
Shell script creating, then repeatedly fetching the realm:
#!/bin/sh
set -e

# Connection details come from the environment; the realm name is the only argument.
kc_host=$KC_HOST
kc_client_id=$KC_CLIENT_ID
kc_client_secret=$KC_CLIENT_SECRET
realm=$1

# Client-credentials grant against the master realm; prints the access token.
get_token() {
  token=$(curl -X POST "$kc_host/realms/master/protocol/openid-connect/token" --http1.1 \
    -d "client_id=$kc_client_id" \
    -d "client_secret=$kc_client_secret" \
    -d 'grant_type=client_credentials' \
    -k -s | jq -r '.access_token')
  echo "$token"
}

# POST /admin/realms with a minimal RealmRepresentation.
create_realm() {
  token=$1
  response=$(curl -X POST "$kc_host/admin/realms" --http1.1 \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    -d "{\"realm\":\"$realm\",\"enabled\":true}" \
    -k -s)
  echo "$response"
}

# GET /admin/realms/<realm>; an optional query string is appended for cache busting.
get_realm() {
  token=$1
  qs=$2
  response=$(curl -X GET "$kc_host/admin/realms/${realm}${qs}" --http1.1 \
    -H "Authorization: Bearer $token" \
    -k -s)
  echo "$response"
}

# DELETE /admin/realms/<realm> to clean up after the test.
delete_realm() {
  token=$1
  response=$(curl -X DELETE "$kc_host/admin/realms/${realm}" --http1.1 \
    -H "Authorization: Bearer $token" \
    -k -s)
  echo "$response"
}

# Reduce the realm JSON to the two fields that show whether the response is complete.
parse() {
  jq -M '{"realm": .realm, "defaultRole.id": .defaultRole.id }'
}

echo
echo "Creating realm $realm"
token=$(get_token)
create_realm "$token"

# The unquoted $(...) in the echo calls below intentionally collapses jq's output onto one line.
echo
echo "Getting realm $realm"
echo $(get_realm "$token" | parse)

echo
echo "Sleep & getting realm"
sleep 2
echo $(get_realm "$token" | parse)

echo
echo "Cache busting query string & getting realm"
random_string=$(xxd -l4 -ps /dev/urandom)
echo $(get_realm "$token" "?random=${random_string}" | parse)

echo
echo "New access token & getting realm"
token=$(get_token)
echo $(get_realm "$token" | parse)

echo
echo "Cache busting query string & getting realm"
random_string=$(xxd -l4 -ps /dev/urandom)
echo $(get_realm "$token" "?random=${random_string}" | parse)

echo
echo "Deleting realm"
delete_realm "$token"
Sample output:
Creating realm foobar
Getting realm foobar
{ "realm": "foobar", "defaultRole.id": null }
Sleep & getting realm
{ "realm": "foobar", "defaultRole.id": null }
Cache busting query string & getting realm
{ "realm": "foobar", "defaultRole.id": null }
New access token & getting realm
{ "realm": "foobar", "defaultRole.id": "8c1d35b3-6f1b-426d-85a2-e93dd06719d4" }
Cache busting query string & getting realm
{ "realm": "foobar", "defaultRole.id": "8c1d35b3-6f1b-426d-85a2-e93dd06719d4" }
Deleting realm
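As an added example (not code from the issue, from Keycloak or from terraform-provider-keycloak), a Python client-side check that treats the partial 200 as a failure rather than as a cached result: it probes the same defaultRole field the script above uses, renews the token once and retries, and raises on a genuine 403. The HTTP layer is injected as a callable; make_fake_keycloak and every id it returns are constructed to replay the sample output offline, and get_realm_checked is a hypothetical helper, not a Keycloak API.

```python
# Fields present in a full RealmRepresentation of a freshly created realm;
# 'defaultRole' is the completeness probe the issue's jq filter relies on.
REQUIRED_REALM_FIELDS = ("id", "realm", "defaultRole")

class IncompleteRealmError(RuntimeError):
    """HTTP 200 whose body lacks fields a full realm JSON always carries."""

def is_complete_realm(body):
    return all(body.get(f) not in (None, "", {}) for f in REQUIRED_REALM_FIELDS)

def get_realm_checked(fetch, get_token, realm, token=None):
    """fetch(token, realm) -> (status, json). A 403 is an honest denial and is
    raised as such; a partial 200 triggers exactly one token refresh and retry."""
    token = token or get_token()
    for attempt in (1, 2):
        status, body = fetch(token, realm)
        if status == 403:
            raise PermissionError(f"admin API denied access to realm {realm!r}")
        if status == 200 and is_complete_realm(body):
            return body, token
        if attempt == 1:
            token = get_token()  # token issued before the realm existed: renew it
    raise IncompleteRealmError(f"realm {realm!r} still partial after token refresh")

def make_fake_keycloak():
    """Constructed stand-in for the admin API (all ids made up): the token that
    created the realm only ever sees a minimal body; any later token sees the full one."""
    state = {"issued": 0, "creator": None}
    def get_token():
        state["issued"] += 1
        return f"token-{state['issued']}"
    def create_realm(token, realm):
        state["creator"] = token
    def fetch_realm(token, realm):
        if token == state["creator"]:
            return 200, {"realm": realm, "enabled": True}  # partial 200, as in the issue
        return 200, {"id": "realm-id-constructed", "realm": realm, "enabled": True,
                     "defaultRole": {"id": "role-id-constructed"}}
    return state, get_token, create_realm, fetch_realm

def reproduce(realm="foobar"):
    """Create the realm with the first token, then fetch it via the checked getter;
    returns the full body and the number of tokens that were needed (2)."""
    state, get_token, create_realm, fetch_realm = make_fake_keycloak()
    token = get_token()
    create_realm(token, realm)
    body, _ = get_realm_checked(fetch_realm, get_token, realm, token)
    return body, state["issued"]
```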