0

Components:

  • Keycloak:11
  • Hawkbit-mysql

Runtime:

  • Docker ( Docker compose )

Hi, I use Keycloak 11 to integrate OpenId to Hawkbit. This works with Management API but not with the Management UI.

I followed the instuctions in the docs and added the application.properties. The flow that is used is the authorization_code, which is expected by Hawkbit.

DOCKER-COMPOSE

Here are my env. vars of my compose file:

 - spring.security.oauth2.client.registration.oidc.client-id=hawkbit-client
      - spring.security.oauth2.client.registration.oidc.client-secret= XXX
      - spring.security.oauth2.client.registration.oidc.scope=openid,profile
      - spring.security.oauth2.client.provider.oidc.issuer-uri=http://keycloak:8080/auth/realms/master
      - spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
      - spring.security.oauth2.client.provider.oidc.token-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/token
      - spring.security.oauth2.client.provider.oidc.user-info-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/userinfo
      - spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/certs
      - spring.security.oauth2.client.registration.oidc.authorization-grant-type=authorization_code

In addition, I changed the port of hawkbit in my compose by

ports:

  • 8081:8080

KEYCLOAK:

My Client uses the direct access grant and the standard flow. My user has the Client Role READ_TARGET and SYSTEM_ADMIN

LOGS:

I enabled more fine grained logs and there is communication between Keycloak and Hawkbit. But when I execute the login with the Management UI, it fails.

2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 at position 13 of 16 in additional filter chain; firing Filter: 'OAuth2AuthorizationCodeGrantFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 at position 14 of 16 in additional filter chain; firing Filter: 'SessionManagementFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 at position 15 of 16 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 at position 16 of 16 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/UI/UIDL/'; against '/UI/login/**'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/UI/UIDL/'; against '/UI/UIDL/**'
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /UI/UIDL/?v-uiId=0; Attributes: [permitAll]
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6de64288, returned: 1
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor    : RunAsManager did not change Authentication object
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 reached end of additional filter chain; proceeding with original chain
2021-01-15 09:18:09.719 DEBUG 1 --- [tp1234905692-18] o.s.s.authentication.ProviderManager     : Authentication attempt using org.eclipse.hawkbit.autoconfigure.security.InMemoryUserManagementAutoConfiguration$TenantDaoAuthenticationProvider
2021-01-15 09:18:10.076 DEBUG 1 --- [tp1234905692-18] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@694b6660
2021-01-15 09:18:10.078 DEBUG 1 --- [tp1234905692-18] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2021-01-15 09:18:10.081 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
2021-01-15 09:18:10.082 DEBUG 1 --- [tp1234905692-18] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@2233a89d
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@73f49ea6
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object

MY thoughts:

I am pretty confused about what is going on as there is no exception thrown, neither in hawkbit nor in keycloak. Keycloak does, also with fine grained logs enabled, not even logs an auth request. It is also confusing that, even with oauth enabled, I still can log in with the standard user admin admin. I don't think it is a problem with keycloak as per logs the connection is created and the config via the wellknown endpoint is used.

QUESTIONS:

  1. Is there something else I have to configure in Keycloak?
  2. Is there another environment variable to use?
  3. I have seen that the hawkbit project uses Spring boot 2.1.4.RELEASE as parent. ( Althought there was a pull request today with an update to 2.4. Is there a known issue in the version?
FishingIsLife
  • 1,972
  • 3
  • 28
  • 51

1 Answers1

0

This works with Management API but not with the Management UI

Sounds like login into hawkBit UI is technically working but you don't see any menu item in the navigation bar. If so try to add "READ_REPOSITORY" to your user's client roles.

Is there something else I have to configure in Keycloak?

No, as you explained everything should be in place: A client (with access type = "confidential", so you get secret), roles to the client and last but not least assign client roles to your user - done

EDIT: Make sure you set a proper redirect URL for you client as well (e.g. http://localhost:8081/*)

Is there another environment variable to use?

No, my working setup looks similar to yours. I set the following props to hawkBit:

spring.security.oauth2.client.registration.oidc.client-id=hawkbit
spring.security.oauth2.client.registration.oidc.client-secret=cd161bd1-1e4f-448a-a257-2394615f4e98
spring.security.oauth2.client.provider.oidc.issuer-uri=http://localhost:8080/auth/realms/master
spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
spring.security.oauth2.client.provider.oidc.token-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/token
spring.security.oauth2.client.provider.oidc.user-info-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/certs

I have seen that the hawkbit project uses Spring boot 2.1.4.RELEASE as parent

Both Spring Boot versions are working fine with OAuth2. The mentioned Boot upgrade is required due to the fact that Boot 2.1.x will be out of life soon

schabdo
  • 1
  • 2
  • Thanks for your reply. I cannot login via the management ui when I use my oauth user. It only works with the admin admin default account. In general, I would expect a redirect to my keycloak login uri when I hit the /UI/login endpoint. Is that correct? Or is there a nested client within hawkbit that manages the login process under the hood? It is also pretty strange to me. – FishingIsLife Jan 29 '21 at 19:29
  • Now I got your point. Indeed, that's the way it is designed: The root "/" will always forward to Keycloak and "/UI/login" will still show basic user login without OAuth2. So nothing wrong with your config or setup – schabdo Feb 01 '21 at 07:44
  • Ok, I'll give this a try. Is that mentioned anywhere in the pull request or the docs? – FishingIsLife Feb 01 '21 at 08:03
  • I think change was introduced within https://github.com/eclipse/hawkbit/pull/945. Unfortunately docs are not the best when it comes to OICD – schabdo Feb 02 '21 at 09:45