Skip to content

Testing keycloak URL fails with PERMISSION_TOKEN_ERROR and HTTP 500

Error Details

WARN  [org.keycloak.events] (default task-45) type=PERMISSION_TOKEN_ERROR, realmId=RBAC, clientId=app-client, 
      userId=null, ipAddress=172.17.0.1, error=invalid_token, 
	  reason='HTTP 500 Internal Server Error', auth_method=oauth_credentials, audience=app-client, 
	  grant_type=urn:ietf:params:oauth:grant-type:uma-ticket, permission=6df4c1d4-f740-4331-a8b6-b4839e36c2e3#scopes:view, 

Problem Description

If you start a Keycloak server as described in the quarkus authorization samples – both HTTP 8180 and HTTPS 8543 ports are available. If you now configure your auth-server-url in application.properties using http like:

quarkus.oidc.auth-server-url=http://localhost:8280/auth/realms/RBAC

but you use https in your curl script to retrieve the Token – you finally end up with above PERMISSION_TOKEN_ERROR error when running any valid HTTP request . The request itself fails with HTTP 401.

Curl request to get the token

curl --insecure -X POST https://localhost:8543/auth/realms/RBAC/protocol/openid-connect/token --user app-client:0a32b2ad-7b58-4c5b-bffe-7d3673fe70a3 -H 'content-type: application/x-www-form-urlencoded' -d 'username=testadmin&password=xxx&grant_type=password'

Fix

  • Keep quarkus.oidc.auth-server-url and your REST URL in sync by using the sampe protocol
  • Use for both either http or https

Reference

Published inKeycloakQuarkus

Be First to Comment

Leave a Reply