Perform token-exchange with Keycloak, and use it in a RestClient

[costvin15]

Hi

I'm trying to perform a token exchange using Keycloak in my Quarkus application. I have a realm, and inside it I have a Client and an Identity Provider (Google). What I'm trying to do is, given the access_token coming from Keycloak, perform token exchange to obtain a valid token for Google APIs. I was able to do this normally using curl.

As described in the documentation, I created a RestClient:

@RegisterRestClient(configKey="google-calendar-api")
@Dependent
@RegisterProvider(AccessTokenRequestReactiveFilter.class)
@Path("/calendars/primary")
public interface GoogleCalendarClient {
    @POST
    @Path("events")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    Uni<String> addEvent(Event event);
    public static class Event {
        public String summary;
        public String kind = "calendar#event";
        public Time start;
        public Time end;
    }

    @NoArgsConstructor
    public static class Time {
        public String dateTime;
        public String timeZone = "Europe/CET";

        public Time(String value) {
            dateTime = value;
	}
    }
}

And configured it as follows:

quarkus.oidc.auth-server-url=http://localhost:8545/realms/quarkus-realm

quarkus.keycloak.devservices.realm-path=keycloak.json

quarkus.oidc-client.auth-server-url=http://localhost:8545/realms/quarkus-realm
quarkus.oidc-client.client-id=origin-client
quarkus.oidc-client.credentials.secret=secret
quarkus.oidc-client.scopes=profile,openid,email
quarkus.oidc-client.grant.type=exchange
quarkus.oidc-client.google-calendar-api.grant.type=exchange

google-calendar-api/mp-rest/url=https://www.googleapis.com/calendar/v3
google-calendar-api/mp-rest/scope=javax.inject.Singleton

quarkus.oidc-client.early-tokens-acquisition=true
quarkus.oidc-client.grant-options.exchange.audience=origin-client
quarkus.oidc-token-propagation-reactive.client-name=google-calendar-api
quarkus.oidc-token-propagation-reactive.exchange-token=true

The problem I'm getting is, when I use AccessTokenRequestReactiveFilter to register the provider in my rest client, this client can't be initialized:

jakarta.ws.rs.ProcessingException: 'google-calendar-api' client configuration is not initialized

How should I register the Rest Client? Since all the configuration in application.properties is being done. Or is this error caused by a wrong configuration for the token-exchange?

[quarkus-bot[bot]]

/cc @pedroigor (keycloak), @sberyozkin (keycloak)

[costvin15]

After several tests, I found out where my mistakes were and fixed them.

[maxandersen]

Excellent. Want to share what causing issues and how you solved it? Someone else might bump into similar issue and find this post.

[sberyozkin]

Indeed, also, @costvin15, I doubt a Keycloak token can be exchanged against a non-Keycloak provider such as Google. I'm curious how it worked

[costvin15]

Hi @sberyozkin

I was able to exchange to a Google token using Keycloak. To do this, I created a Realm, and inside it I created a client and an identity provider (Google). Inside the Identity Provider, I enabled the Token Exchange permission and added a Policy to allow the Client that was created to perform the Token Exchange.

With this configuration done, I set up my Quarkus application as follows:

# Configure OIDC
quarkus.oidc.auth-server-url=${KEYCLOAK_URL}
quarkus.oidc.client-id=${KEYCLOAK_CLIENT_ID}
quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET}

# Configure OIDC Client
quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc-client.grant.type=exchange
quarkus.oidc-client.grant-options.exchange.requested_issuer=google
quarkus.oidc-token-propagation-reactive.exchange-token=true

Finally, I created a RestClient to communicate with the Google API:

@AccessToken
@RegisterRestClient
@Path("/")
public interface GoogleSlidesClient {
    @GET
    @Path("/{presentationId}")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    Uni<Slide> getSlide(@PathParam("presentationId") String presentationId);

    @GET
    @Path("/{presentationId}/pages/{pageObjectId}/thumbnail")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    Uni<SlideThumbnail> getThumbnail(@PathParam("presentationId") String presentationId, @PathParam("pageObjectId") String pageObjectId);
}

com.viniciuscastro.slides.clients.GoogleSlidesClient/mp-rest/url=https://slides.googleapis.com/v1/presentations

When I perform a request on an endpoint that uses this RestClient by passing a Bearer Token from Keycloak in the Authorization header, RestClient automatically exchanges it with Keycloak for a Google Token Id. Enabling the RestClient logs makes this clearer:

Notice that in the second image, the token is completely different from the one I provided in the first image.

This is all explained in the documentation, except for the configuration: quarkus.oidc-client.grant-options.exchange.requested_issuer=google. It is requested_issuer that tells Keycloak which external service to use in the token-exchange. And I haven't found this configuration in any Quarkus documentation or in any issue here.

This code I developed is in the repository: https://github.com/costvin15/quarkus-oidc-client-with-token-exchange-using-keycloak

[sberyozkin]

@costvin15 Great, that is quite cool, but what exactly does it mean, exchanging a Keycloak token for the Google token ?

Do you mean that you have configured Keycloak to federate to Google to authenticate initially, and after the authentication has completed, you get the Keycloak ID and access tokens, but the downstream service does not understand Keycloak access tokens but only Google access tokens which is why you effectively get the original Google tokens ?

[costvin15]

@sberyozkin I'm using Keycloak to centralize everything that involves authentication and authorization, whether for my application or for Google.

The Google token that Keycloak obtains when performing the exchange is passed to Quarkus and used only when it uses RestClient to communicate with Google. All this is done automatically, thanks to quarkus-oidc and Keycloak.

My goal was to always use a single token in the API request from the frontend (the oauth2 token obtained when authenticating with Keycloak). Now I can log in, get information about the user, and communicate with Google using a single token.

So I need to pass a single JWT to my frontend.