keycloak-admin-client-reactive maps wrong id to AuthorizationResources

[joggeli34]

Describe the bug

When executing:

var authorizationResource = realmResource.clients().get(clientResourceId).authorization()
var defaultPermission = authorizationResource.permissions().resource().findByName("Default Permission");
var permissionId = defaultPermission.getId();
authorizationResource.permissions().resource() .findById(permissionId).remove()

The api called is

http://localhost:8082/admin/realms/testrealm/clients/{clientResourceId}/authz/resource-server/permission/resource/{clientResourceId}

Instead of:

http://localhost:8082/admin/realms/testrealm/clients/{clientResourceId}/authz/resource-server/permission/resource/{permissionId}

Which leads to a 404 as the id of the permission is wrong.
This only happens with the reactive version, not with the classic

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.14.2.Final

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[quarkus-bot]

/cc @pedroigor, @sberyozkin

[sberyozkin]

@joggeli34 It might be a resteasy reactive client issue - can you create a reproducer please ? For example, you can clone integration-tests/keycloak-authorization and update it

[joggeli34]

I created a small reproducer in a small demo project (as I didn't get the integration-tests/keycloak-authorization running on my machine)

https://github.com/joggeli34/keycloak-client-demo/blob/master/src/test/java/com/example/KeycloakClientTest.java

The log when running the tests:

2022-12-07 10:58:02,366 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) Response: POST http://localhost:8181/realms/master/protocol/openid-connect/token, Status[200 OK], Headers[Referrer-Policy=no-referrer X-Frame-Options=SAMEORIGIN Strict-Transport-Security=max-age=31536000; includeSubDomains Cache-Control=no-store X-Content-Type-Options=nosniff Set-Cookie=KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/master/; HttpOnly Set-Cookie=KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/realms/master/; HttpOnly Pragma=no-cache X-XSS-Protection=1; mode=block Content-Type=application/json content-length=1818], Body:
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSdGtaSE1yamdZQ2swMC16Z1BDMnBFczV
2022-12-07 10:58:02,408 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) Request: DELETE http://localhost:8181/admin/realms/quarkus/clients/0ac5df91-e044-4051-bd03-106a3a5fb9cc/authz/resource-server/permission/resource/0ac5df91-e044-4051-bd03-106a3a5fb9cc Headers[Authorization=Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSdGtaSE1yamdZQ2swMC16Z1BDMnBFczVBbjcwSTVnbGVzemlTbmxTRUM0In0.eyJleHAiOjE2NzA0MDcxNDIsImlhdCI6MTY3MDQwNzA4MiwianRpIjoiZTBmYTg5MDItMzg4Zi00YTA5LWE3ZDAtYjhlNGFkNjRhZjM3IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MTgxL3JlYWxtcy9tYXN0ZXIiLCJzdWIiOiJlZDhiNDZiMC05NjY4LTQ0N2QtYjBlYi1hYzkxYTMwMmIzM2MiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiZDUwMjEyMzAtN2NhMy00ODYzLWIwNzAtYmQ3NGM2YTA1MTZlIiwiYWNyIjoiMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsInNpZCI6ImQ1MDIxMjMwLTdjYTMtNDg2My1iMDcwLWJkNzRjNmEwNTE2ZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.reg_T5Xf9M8Q8XNIgBgND_S9uFp03atl78gBIu3_6nayTQpMR8zUMYED_2U5NSRMz5med33stdkPFst8mCHPoEey5OfbjktKimRcFrfclhFu6ScGZab_kqS-3PpNwXILNPqWTcVqIz-kGorbnkJU_NzjTiQ1Aw0U0k3__JRSzWa6Zg3aeIqZtaSl6TMvrDdNZtcSbYHhPs_fJBTGxd_s7CayqOVotKLHUBoYUk7lzdHU8W7ShlZOxeQgQhffgb5y83OUilOIzzjvrl3NTK3QyOdQXZ0_OjCmeCCKZHM4gySBVLs7fYpylKqkxwyQOQJ-jpJ2Ql-5OC_85q-GD1SwfA User-Agent=Resteasy Reactive Client], Empty body
2022-12-07 10:58:02,479 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) Response: DELETE http://localhost:8181/admin/realms/quarkus/clients/0ac5df91-e044-4051-bd03-106a3a5fb9cc/authz/resource-server/permission/resource/0ac5df91-e044-4051-bd03-106a3a5fb9cc, Status[404 Not Found], Headers[Referrer-Policy=no-referrer Strict-Transport-Security=max-age=31536000; includeSubDomains X-XSS-Protection=1; mode=block X-Content-Type-Options=nosniff content-length=0], Body:

Which shows the url with two times the same id:
http://localhost:8181/admin/realms/quarkus/clients/0ac5df91-e044-4051-bd03-106a3a5fb9cc/authz/resource-server/permission/resource/0ac5df91-e044-4051-bd03-106a3a5fb9cc`

[sberyozkin]

@joggeli34 Does it require a custom realm file ? Can you update the test to set Realm ?

[sberyozkin]

@geoand Hi Georgios, can you have a look please at the template vars in the API sequence in the description, it looks like that when we have something like /{a}/{b} and {a} is supplied first then the follow up template vars are overridden with this {a} value even if the value for {b} is provided.

Example, here, https://github.com/joggeli34/keycloak-client-demo/blob/master/src/test/java/com/example/KeycloakClientTest.java#L34, client id is provided and it becomes the value for {clientResourceId}, clientResource there is probably a subresource.
Next this subresource proxy is called, https://github.com/joggeli34/keycloak-client-demo/blob/master/src/test/java/com/example/KeycloakClientTest.java#L36, providing the value for {permissionId} but it is ignored and the earlier provided {clientResourceValue} is picked up.
It can be tested even without Keycloak I guess.
@joggeli34 Can you check please what happens if you collapse these 2 separate calls into a single call sequence ? Probably will be the same result, but please check

[geoand]

I'll have a look

[geoand]

@Sgitario mind taking a look at this one?
This problem seems similar to #24991 but it seems like the fix for that one was not complete.

[geoand]

@Sgitario can you please take a look at this one? It seems rather serious.

Thanks

[Sgitario]

@Sgitario can you please take a look at this one? It seems rather serious.

Thanks

Taking a look

[Sgitario]

With the linked pull request, I did verify that the reproducer works fine now.