Can't use REST API

[chih-chen]

Hi!

I configured the OIDC authentication using Keycloak IDP and works like a charm!
But when trying to access the REST API, I get an html response saying: You need to enable JavaScript to run this app.

I think that the problem is maybe related to the OIDC authentication, since it needs the browser to perform the authorization code flow. But shouldn't it accept a Bearer Token generated by the Keycloak directly?

Any help would be appreciated! Thanks!

Here is the full configuration:

micronaut:
  security:
    enabled: true
    oauth2:
      enabled: true
      clients:
        keycloak:
          client-id: "akhq"
          openid:
            issuer: "http://keycloak/realms/internal"
    redirect:
      login-success: "/ui"
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: ${JWT_SECRET}
  server:
    port: 8080
    context-path: "/akhq"
akhq:
  security:
    default-group: no-roles
    oidc:
      enabled: true
      providers:
        keycloak:
          label: "Login with keycloak"
          username-field: preferred_username
          use-oidc-claim: true
          default-group: reader
  connections:
    local:
      properties:
        bootstrap.servers: "kafka:9092"

[tchiotludo]

What is the url you are trying to reach on the api ?
The You need to enable JavaScript to run this app. seems to explain that you are not reaching api endpoint start start with /api

[chih-chen]

This is the curl request:

curl -i --location 'http://localhost:8080/akhq/api/local/topic/my_topic/data' \
--header 'Content-Type: application/json;charset=UTF-8' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJzUnY5OFFlVjlnX3EzM1BneTVreTBZWHdtRVFaZzEtV0s3WnNvcmJRT1FZIn0.eyJleHAiOjE2ODc3MzkyNzAsImlhdCI6MTY4NzczODk3MCwiYXV0aF90aW1lIjoxNjg3NzM2MjE3LCJqdGkiOiI4ZTM1MjE5My1jMjBmLTRkNTQtYWUyYy03NjE5ZTY4YTFiMzkiLCJpc3MiOiJodHRwOi8va2V5Y2xvYWsvcmVhbG1zL2NhanUtaW50ZXJuYWwiLCJzdWIiOiIyMGFmNzNmMy1jNTYxLTQ3NmItYmY2Ny1mMjI2YjljOGNkMGYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJha2hxIiwic2Vzc2lvbl9zdGF0ZSI6IjZmYWIyNDlhLTM3ZGItNGY4OC05MDA5LWQ4MWMxYTQ5MmU3NCIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwiLCJzaWQiOiI2ZmFiMjQ5YS0zN2RiLTRmODgtOTAwOS1kODFjMWE0OTJlNzQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInJvbGVzIjpbInRvcGljL2NvbmZpZy91cGRhdGUiLCJ0b3BpYy9kYXRhL2RlbGV0ZSIsInRvcGljL2RlbGV0ZSIsInRvcGljL2RhdGEvaW5zZXJ0IiwiZ3JvdXAvZGVsZXRlIiwidG9waWMvcmVhZCIsIm5vZGUvY29uZmlnL3VwZGF0ZSIsInRvcGljL2luc2VydCIsIm5vZGUvcmVhZCIsImdyb3VwL3JlYWQiLCJncm91cC9vZmZzZXRzL3VwZGF0ZSIsInRvcGljL2RhdGEvcmVhZCJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJjaGloIiwiZ2l2ZW5fbmFtZSI6IiIsImZhbWlseV9uYW1lIjoiIn0.ZlFOwikRVkFBqgzoAd4ufEzxMB7fJQUIJWBqZmBCiFkPLmVCI-VqigxK_UO0_cY99ixVCJXLUwTP0EKlu-8QkuMNLKS1H7JqKyjEWfy_apdOHBEzJk7-r-5hqSqih4lFgh3kj4DHMkLELShBB8bpm-wm3ams8kXMEHKN6b5ed7fWmhtVMQGZWpGMKk5NXfF1T1J9DGkSCczPXS3RqkGmE2jb74sK0UrzgtPrGvK6eWiM7-lGNiByHQwRsBkZK82cWjqUeQshc15PQZNw821hfjMZ2eTXqkxeBkXyw_LgnUk51dHyLgJKu57kahuRVV3Ko5AGePKYzMSPt55n5busJQ' \
--data '{
    "partition": null,
    "key": "",
    "value": "{}",
    "keySchema": "",
    "valueSchema": "",
    "multiMessage": false,
    "keyValueSeparator": ":",
    "headers": []
}'

Please note that the Bearer token is the JWT token from the Keycloak idp. I've checked that the AKHQ application generates a new token based on the IDP token to retrieve the roles information and set the AKHQ token as header named Cookie=JWT xyz....
If I use the JWT token from Keycloak, I get the response: You need to enable JavaScript to run this app., but when using the JWT generated by the AKHQ application, it works fine.

The question is: I'm authenticating via Keycloak, how do I get the AKHQ token to access the REST API?

Thanks for the help!

[matikepa]

After logging into the AKHQ web interface, your browser stores the JWT token generated by AKHQ as a cookie.
You can extract this from your browser's developer tools. The token is the value of the JWT cookie.

Once you have the AKHQ JWT token, use it in the Authorization header of your curl command:

export YOUR_AKHQ_JWT_TOKEN=’superLongTokenExtractedFromCookieUnderJWTvalue’

curl -sH "Authorization: Bearer ${YOUR_AKHQ_JWT_TOKEN}” \
 -H "Accept: application/json” \
 http://localhost:8080/api/cluster-name/node