[2.6.x] Update keycloakjs and use access_token instead of id_token fo…

…r oidc code path (#5371) * Update keycloakjs version to avoid cyclic redirect Nonce support in urls was removed in Keycloak 25 to be fully oidc compatible. But this change is not compatible with old keycloakjs version. Apicurio used a very old version and was broken after this keycloak release. * Use access_token not id_token for Bearer auth If the oidc client auth library is used (instead of the default keycloakjs on) the id_token is used as Bearer Token. This is not standard compatible. ID Tokens only contain user information and should never be used for authentications.
Apicurio · Nov 22, 2024 · 61f69db · 61f69db
1 parent 2dff775
commit 61f69db
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 30 deletions.
diff --git a/ui/package-lock.json b/ui/package-lock.json
diff --git a/ui/package.json b/ui/package.json
@@ -69,7 +69,7 @@
     "@rhoas/app-services-ui-components": "2.30.0",
     "ace-builds": "1.18.0",
     "axios": "0.27.2",
-    "keycloak-js": "21.1.1",
+    "keycloak-js": "26.0.0",
     "mobx": "6.9.0",
     "moment": "2.29.4",
     "oidc-client-ts": "2.2.3",

diff --git a/ui/src/services/auth/auth.service.ts b/ui/src/services/auth/auth.service.ts
@@ -76,7 +76,7 @@ export class AuthService implements Service {
         const configOptions: any = only(KC_CONFIG_OPTIONS, this.config.authOptions());
         const initOptions: any = only(KC_INIT_OPTIONS, this.config.authOptions());
 
-        this.keycloak = Keycloak(configOptions);
+        this.keycloak = new Keycloak(configOptions);
 
         const addRoles: ((user: AuthenticatedUser) => void) = (user) => {
             if (this.keycloak.resourceAccess) {
@@ -182,7 +182,7 @@ export class AuthService implements Service {
     public getToken = () => this.keycloak.token;
 
     public getOidcToken = () => {
-        return this.oidcUser.id_token;
+        return this.oidcUser.access_token;
     };
 
     public isAuthenticationEnabled(): boolean {