robsontenorio/laravel-keycloak-guard

Service account cannot authenticate

alanmatiasdev opened this issue · 2 comments

We recently migrated to using Keycloak as our central user authentication provider. I have been using the library without any problems to validate users in the APIs. In fact, congratulations to you @robsontenorio.

In one of my applications, a monolith that still stores various information, I set the variable "KEYCLOAK_LOAD_USER_FROM_DATABASE" to true, due to the excessive effort of refactoring the entire application to the new format.

The application worked perfectly and, this way, we won't need to rush to kill this legacy application, since the library authenticates users against the application's local database and everything works as before.

But, in a particular scenario, another application needs to fetch information from this monolith through a service account and, with the above variable set to true, an error occurs because the service account user is not found.

This behavior is correct and expected. It is defined right here.

```php
if ($this->config['load_user_from_database']) {
    $methodOnProvider = $this->config['user_provider_custom_retrieve_method'] ?? null;
    if ($methodOnProvider) {
        $user = $this->provider->{$methodOnProvider}($this->decodedToken, $credentials);
    } else {
        $user = $this->provider->retrieveByCredentials($credentials);
    }
    if (!$user) {
        throw new UserNotFoundException("User not found. Credentials: ".json_encode($credentials));
    }
}
```

So, how can I allow the service account to access my API when the database user search is active? Is there any way to do this? I thought about opening a pull request to include this case, but I understand that validating it through this issue first is a good way.

```json
"error": {
    "message": "[Keycloak Guard] User not found. Credentials: {\"email\":\"service-account-api\"}",
    "trace": [
        {
            "file": "\/home\/company\/vendor\/robsontenorio\/laravel-keycloak-guard\/src\/KeycloakGuard.php",
            "line": 47,
            "function": "validate",
            "class": "KeycloakGuard\\KeycloakGuard",
            "type": "->"
        }
    ]
```

Thanks.

@bralandealmeida

A ServiceAccount is not a “real” user, and for sure it will fail to fetch from the database.

See line 156. You can implement your own “user fetch” method, so you can “fake” it when it is a ServiceAccount.

It is mentioned in the README.
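The custom retrieve method described above, written out as an added example (not the library's own code and not code from this thread). It relies only on what the KeycloakGuard snippet above shows: the guard calls `$provider->{$method}($decodedToken, $credentials)` when `user_provider_custom_retrieve_method` is set. The class name `KeycloakUserProvider`, the method name `retrieveByKeycloakToken`, the `is_service_account` attribute and the `ALLOWED_CLIENTS` list are assumptions for illustration; that Keycloak names service-account principals `service-account-<clientId>` and puts the client id in the `azp` claim is an assumption about Keycloak's token shape that you should check against a real token from your realm. The point a practitioner should not miss: with `load_user_from_database` enabled, the failed lookup was also the only thing keeping arbitrary realm clients out, so whatever replaces it must carry an explicit allowlist of the clients permitted to call this API.

```php
<?php
// app/Auth/KeycloakUserProvider.php (hypothetical file; added example)

namespace App\Auth;

use App\Models\User;
use Illuminate\Auth\EloquentUserProvider;
use Illuminate\Contracts\Auth\Authenticatable;

class KeycloakUserProvider extends EloquentUserProvider
{
    // Keycloak clients whose service accounts may call this API.
    // "api" is taken from the error in the issue (service-account-api);
    // in practice read this from config, not a constant.
    private const ALLOWED_CLIENTS = ['api'];

    /**
     * Called by the guard as $provider->retrieveByKeycloakToken($decodedToken, $credentials)
     * once 'user_provider_custom_retrieve_method' => 'retrieveByKeycloakToken' is set
     * in config/keycloak.php (assumption: the guard has already verified the token
     * signature before reaching this point, so the claims can be trusted).
     */
    public function retrieveByKeycloakToken(object $decodedToken, array $credentials): ?Authenticatable
    {
        if ($this->isServiceAccount($decodedToken)) {
            return $this->serviceAccountUser($decodedToken);
        }

        // Interactive users keep coming from the local users table, exactly as before.
        return $this->retrieveByCredentials($credentials);
    }

    private function isServiceAccount(object $token): bool
    {
        // Assumption about Keycloak: client-credentials tokens carry
        // preferred_username = "service-account-<clientId>".
        $username = $token->preferred_username ?? '';
        return str_starts_with($username, 'service-account-');
    }

    private function serviceAccountUser(object $token): ?User
    {
        // azp is the client the token was issued to (assumption: present on
        // client-credentials tokens). Fall back to the username suffix.
        $clientId = $token->azp ?? substr($token->preferred_username, strlen('service-account-'));

        // Explicit allowlist replaces the accidental "not in our DB" rejection.
        if (!in_array($clientId, self::ALLOWED_CLIENTS, true)) {
            return null; // guard turns this into UserNotFoundException, as before
        }

        // In-memory user only: nothing is written to the users table.
        $user = new User();
        $user->forceFill([
            'email' => $token->preferred_username,
            'name'  => 'Service account: ' . $clientId,
        ]);
        $user->exists = false;
        // Hypothetical attribute so policies can tell machine callers apart
        // and grant them the narrowest possible permissions.
        $user->is_service_account = true;

        return $user;
    }
}
```

To wire it in, register the provider in `AuthServiceProvider::boot()` with `Auth::provider('keycloak-users', fn ($app, array $config) => new KeycloakUserProvider($app['hash'], $config['model']))`, point the `users` provider in `config/auth.php` at the `keycloak-users` driver, and set `user_provider_custom_retrieve_method` to `retrieveByKeycloakToken` in `config/keycloak.php` (the README documents the corresponding environment variable; check it for the exact name). Returning `null` for a client that is not on the allowlist keeps the guard's existing failure path, so an unexpected client is rejected with the same `User not found` error the issue reports rather than silently getting a synthetic user.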

Thanks @robsontenorio. This worked perfectly!