Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Keycloak/Quarkus Issues: Dev and Prod #35599

Closed
tmulle opened this issue Aug 28, 2023 · 13 comments · Fixed by #35888
Closed

Keycloak/Quarkus Issues: Dev and Prod #35599

tmulle opened this issue Aug 28, 2023 · 13 comments · Fixed by #35888
Labels
area/keycloak kind/bug Something isn't working
Milestone

Comments

@tmulle
Copy link
Contributor

tmulle commented Aug 28, 2023

Describe the bug

So I notice a few things with the Keycloak application itself, both in dev mode and prod.

Dev Mode:

  1. The Swagger UI won't let me log in with "client_credentials" I get a "Failed to load" error after entering my client-id and secrect.
Screenshot 2023-08-28 at 8 45 05 AM
TypeError: Load failed
  1. Random times I'd get the Keycloak page saying "Invalid redirect_uri" when trying to log using the Swagger UI clicking on the Authorize button.

Import existing Realm:

The client secret is not imported when importing an existing realm. This causes me to have to regenerate the secret and update all running applications in production. This is not good when we deploy a new server using our realm configuration.

The realms are created from the same version of Quarkus Keycloak. I've tried both 21.x and 22.x and the same thing.
The Dev Services in Quarkus 3.3.0 shows the same behavior.

I saw this post on Keycloak Github and wondering if this is by design or a bug? It effects the Dev Service as well as it doesn't import my client secrets It just makes the secret '******'

keycloak/keycloak#9201

Expected behavior

I should be able to log into Keycloak and also have all my information imported from an existing realm.

Actual behavior

No response

How to Reproduce?

Import issue:

  1. Create a realm on Quarkus Keycloak (21.x, 22.x)
  2. Create a client with a secret
  3. Export the realm
  4. Either use Dev Services or Standalone Keycloak to import the exported
  5. Look in the Clients -> <Your client> -> Credentials tab and notice the secret field contains "*******" and not your secret.

Dev UI/ Swagger:

  1. Try to log into your keycloak instance using client_credentials by clicking the Authorize button.
  2. I get an error and can't log in

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

3.3.0

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@tmulle tmulle added the kind/bug Something isn't working label Aug 28, 2023
@quarkus-bot
Copy link

quarkus-bot bot commented Aug 28, 2023

/cc @pedroigor (keycloak), @sberyozkin (keycloak)

@tmulle tmulle changed the title Keycloak Issues: Dev and Prod Keycloak/Quarkus Issues: Dev and Prod Aug 28, 2023
@sberyozkin
Copy link
Member

@tmulle
Thanks, let me clarify:

  1. Devmode, when you have Quarkus launching its own Keycloak container

SwaggerUI has its own script logic and can't be used independently to login to Keycloak DevService, you have to use Swagger UI from inside OpenId Connect card, you select the provider link, login to Keycloak, and there will be a Swagger UI link there:

https://quarkus.io/guides/security-openid-connect-dev-services#test-with-swagger-graphql

The token acquired as part of the SPA login (or if you configure Keycloak devservices, the client credentials grant, https://quarkus.io/guides/security-openid-connect-dev-services#client-credentials-grant) will be wired in via a local storage hack, to Swagger UI. Click on Swagger UI link and start testing, just avoid Swagger UI Authorize option as it will ignore and reset the token acquired by DevUI

  1. Prod - any issues related to Swagger UI and prod instance of Keycloak are not related to Quarkus, indeed, please follow up with them in the Keycloak repository.

I think, as far as this issue is concerned, once you confirm you can use Swagger UI from the OIDC card as described above, we can close the issue, can you please confirm it ?

@sberyozkin
Copy link
Member

sberyozkin commented Aug 28, 2023

@tmulle

SwaggerUI has its own script logic and can't be used independently to login to Keycloak DevService,

Well it might work, but only the DevService for Keycloak with the Swagger UI used from inside the OIDC card as described above guarantees it will work with the default dev services container.

Direct use of Swagger UI is a Swagger UI specific and/or Keycloak issue if a given grant authentication does not work

@tmulle
Copy link
Contributor Author

tmulle commented Aug 28, 2023

@sberyozkin

Ok thanks.. I see the new UI you mentioned.

However, when I set it up for client_credentials and enter my valid client_id and client_secret and click the Test button, it always fails with an error "Unauthorized Client or Credentials"

I know they are good because I can log in using Postman with the same URL and credentials the DEV service UI is trying to use.

I can use Postman to get the access token and use it in my backend services just fine. So I know the creds are good.

Debugging the code below, the call is returning a 401 Unauthorized.

I tried different paths of '/' , '/*' and even an exact path I hit in Postman and nothing works.
The instructions aren't clear what kind of service endpoint I need to use.

It fails with the error:

2023-08-28 18:16:27,048 ERROR [io.qua.dev.run.jso.JsonRpcCodec] (vert.x-eventloop-thread-2) Error in JsonRPC Call: java.lang.RuntimeException: {"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}
        at io.quarkus.oidc.runtime.devui.OidcDevServicesUtils.getAccessTokenFromJson(OidcDevServicesUtils.java:219)
        at io.quarkus.oidc.runtime.devui.OidcDevServicesUtils.lambda$getClientCredAccessToken$1(OidcDevServicesUtils.java:87)
        at io.smallrye.context.impl.wrappers.SlowContextualFunction.apply(SlowContextualFunction.java:21)
        at io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor.onItem(UniOnItemTransform.java:36)
        at io.smallrye.mutiny.vertx.AsyncResultUni.lambda$subscribe$1(AsyncResultUni.java:35)
        at io.smallrye.mutiny.vertx.DelegatingHandler.handle(DelegatingHandler.java:25)
        at io.vertx.ext.web.client.impl.HttpContext.handleDispatchResponse(HttpContext.java:397)
        at io.vertx.ext.web.client.impl.HttpContext.execute(HttpContext.java:384)
        at io.vertx.ext.web.client.impl.HttpContext.next(HttpContext.java:362)
        at io.vertx.ext.web.client.impl.HttpContext.fire(HttpContext.java:329)
        at io.vertx.ext.web.client.impl.HttpContext.dispatchResponse(HttpContext.java:291)
        at io.vertx.ext.web.client.impl.HttpContext.lambda$null$7(HttpContext.java:507)
        at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:264)
        at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:246)
        at io.vertx.core.impl.EventLoopContext.lambda$runOnContext$0(EventLoopContext.java:43)
        at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174)

Any ideas?

@pedroigor
Copy link
Contributor

@tmulle That is how partial export should work to avoid leaking sensitive data at runtime. You can use the export command to run a full export and achieve what you want. When running a full export it is safer to assume the user intention. As you noticed, the behavior has been there (correctly, IMO) for a long time.

@sberyozkin
Copy link
Member

sberyozkin commented Aug 29, 2023

@tmulle I've tried both client (client_credentials) and password grants in Dev UI in quarkus-quickstarts/security-openid-connect-quickstart and in both cases the token can be acquired, though for some reasons can't be verified, I'll have a look

@sberyozkin
Copy link
Member

@tmulle I've fixed the typo related to the client credential or password token verification when Dev UI is used to acquire the tokens.
However, you are saying that you can't even get the token from OIDC Dev UI with the client credentials grant.

However, when I set it up for client_credentials and enter my valid client_id and client_secret and click the Test button, it always fails with an error "Unauthorized Client or Credentials"

This client id and secret should already be setup by Dev UI - these are values which are configured in application.properties or Dev UI will generate them itself if none are setup. Using some other clientid/secret pairs which may be available in the Keycloak realm is not currently supported but I'll have a look

@sberyozkin
Copy link
Member

@tmulle

Using some other clientid/secret pairs which may be available in the Keycloak realm is not currently supported but I'll have a look

It actually works as expected, if one enters custom client/secret they are passed to Keycloak correctly.

However, when I set it up for client_credentials and enter my valid client_id and client_secret and click the Test button, it always fails with an error "Unauthorized Client or Credentials"

Can you share your application.properties, and custom realm, and what clientd/secret you type ? (I'm assuming it is a test realm, if not, please create the one)

@sberyozkin
Copy link
Member

@tmulle Is either the client id or secret which you enter has capital case letters ? If yes then #35687 will fix it

@tmulle
Copy link
Contributor Author

tmulle commented Sep 1, 2023

So, I've tried everything and I still can't get it to work.
I even tried resetting the client secret to lower case since my original one has mixture of upper and lower.

I tried adding the client-id and secret in my application properties and leaving them out.

The weird thing is that when I try to hit a service endpoint in my application that isn't authenticated I still get a 401.

Here is the debug log from the dev services when I try to log in using the OIDC provider link:

2023-09-01 13:12:19,937 INFO  [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-3) Using a client_credentials grant to get a token token from 'http://localhost:32848/realms/license-server/protocol/openid-connect/token' with client id 'cli-app'
2023-09-01 13:12:19,986 INFO  [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-3) Test token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3cWh1eml6WklyT25qNnVTR2R3ODlDLXdJMm1pak84VzR1eHpmM0stRVNBIn0.eyJleHAiOjE2OTM1ODg2MzksImlhdCI6MTY5MzU4ODMzOSwianRpIjoiNTZjMmY3ODQtMDk2OS00YzI2LTk0MjUtNGI5NDQxZDFhMmViIiwiaXNzIjoiaHR0cDovL3RtdWxsZS13cy5lbmcucmFqYW50LmNvbS9yZWFsbXMvbGljZW5zZS1zZXJ2ZXIiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzMyZGY4YWItNjdmYS00NzhkLTkxMmQtZmFhNzc2M2UyZTNlIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY2xpLWFwcCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtbGljZW5zZS1zZXJ2ZXIiLCJsaWNlbnNlLWhpc3RvcnktcmVhZCIsImxpY2Vuc2UtYXNzaWduIiwibGljZW5zZS1jcmVhdGUiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwibGljZW5zZS10cmFuc2ZlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjE3Mi4xNy4wLjEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtY2xpLWFwcCIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTcuMC4xIiwiY2xpZW50X2lkIjoiY2xpLWFwcCJ9.Mhr4y75S2wc_IazMM5yc_k4hqJIv2tdW1LIVUsQ1aJS5SDeRfgj3MZCLsM63d9pOpxi2rcYDubCwaG-voBLuL0J6IRWPkUmgctnalDOzzygpWW5nVvhyjCpHlckEoEHea5TFs7EmUGzv9yxx7-EYvUOMvhdGEEPboLM_GpNc3EpYCG5IgxbCry77zax-YHqFHT6Szmzn7MmElKT4x99QUIFOEqokHFP0u3CkpxG8nqCdAj44BhE-O_ocYCktZZ637wDsasUN7W6b5XYQmC-VteEMQ4P3A6lNkMVR7JLKtlBemmdkOiesGh8lX7lOL1G3fU4NHYkfQYQpvB_l5TBDAQ

2023-09-01 13:12:19,987 INFO  [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-3) Sending token to 'http://localhost:8080/api/v1/license/906169af-116b-4342-a982-df76c551fa11'
2023-09-01 13:12:19,998 INFO  [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-3) Result: 401

I'll attach my realm I'm testing.. it's a service user with client-id cli-app.

license-server-realm.txt

This is the OIDC portion of my application.properties:

I don't have a client-id or client-secret defined because my quarkus application just receives Bearer tokens.

# The OpenID Connect (OIDC) flow, which Keycloak uses,
# relies on redirects, and those redirects need to match the URLs
# that are registered with the OIDC provider, in this case, Keycloak.
# If you registered "localhost" as the URL when you set up your client
# in Keycloak and then try to use an IP address in the Quarkus OIDC configuration,
# the URLs will not match, causing the token validation to fail.
#
# Keycloak (note this needs to be an ip address because
#The issuer in the token: Keycloak puts the URL of the server, the issuer, in the issued tokens.
# The Quarkus OIDC extension validates the issuer.
# If the issuer in the token does not match the OIDC server URL configured
# in your Quarkus application, validation will fail.
#quarkus.oidc.auth-server-url=http://172.20.21.1:8888/realms/rajant
%prod.quarkus.oidc.auth-server-url=http://${KEYCLOAK_SERVER_PORT:localhost:40002}/realms/${KEYCLOAK_REALM:license-server}
#quarkus.oidc.client-id=${OIDC_CLIENT:cli-app}
#quarkus.oidc.credentials.secret=${OIDC_SECRET:secret}
#quarkus.oidc.roles.role-claim-path=${OIDC_ROLES_CLAIM_PATH:resource_access/license-server-backend/roles}
quarkus.keycloak.devservices.realm-path=license-server-realm.json
quarkus.oidc.devui.grant.type=client```

@sberyozkin
Copy link
Member

@tmulle OK, thanks, so the logs show that you can actually acquire the token, but you must be hitting the unfortunate typo which was fixed, #35685, Quarkus 3.3.2 will be released soon, so once it is, please retry and it should work. Lets keep the issue open until you confirm it works, cheers

@tmulle
Copy link
Contributor Author

tmulle commented Sep 6, 2023

@sberyozkin ok it looks like 3.3.2 partially fixes my issue. There is still the password issue with Upper/Lowercase.

  1. If I use the password "secret" for my client things work (partially). But if I try something like "PassWord!" it doesn't work. It tells me invalid client or credentials but I see them clearly in Keycloak UI.
2023-09-06 10:11:50,828 INFO  [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-3) Using a client_credentials grant to get a token token from 'http://localhost:63533/realms/license-server/protocol/openid-connect/token' with client id 'cli-app'
2023-09-06 10:11:50,887 ERROR [io.qua.oid.run.dev.OidcDevServicesUtils] (vert.x-eventloop-thread-3) Token can not be acquired from OpenId Connect provider: java.lang.RuntimeException: {"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}
2023-09-06 10:11:50,893 ERROR [io.qua.dev.run.jso.JsonRpcCodec] (vert.x-eventloop-thread-3) Error in JsonRPC Call: java.lang.RuntimeException: {"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}
        at io.quarkus.oidc.runtime.devui.OidcDevServicesUtils.getAccessTokenFromJson(OidcDevServicesUtils.java:219)
        at io.quarkus.oidc.runtime.devui.OidcDevServicesUtils.lambda$getClientCredAccessToken$1(OidcDevServicesUtils.java:87)
        at io.smallrye.context.impl.wrappers.SlowContextualFunction.apply(SlowContextualFunction.java:21)
        at io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor.onItem(UniOnItemTransform.java:36)
        at io.smallrye.mutiny.vertx.AsyncResultUni.lambda$subscribe$1(AsyncResultUni.java:35)
        at io.smallrye.mutiny.vertx.DelegatingHandler.handle(DelegatingHandler.java:25)
        at io.vertx.ext.web.client.impl.HttpContext.handleDispatchResponse(HttpContext.java:397)
  1. The Swagger UI link in the OIDC Provider screen doesn't work. Once I get the token and click it it tells me Unknown Error. So, if I go into the Dev UI - Swagger UI and try an authorized endpoint it appears the token is working.

@sberyozkin
Copy link
Member

sberyozkin commented Sep 12, 2023

Hi @tmulle #35888 fixes the SwaggerUI problem for client creds, this one in particular is not used often from DevUI, so a few typos introduced during the migration were not caught, so thanks for catching them.

The capital case password problem can not be reproduced. I've tried both code flow and client creds, you can confirm it with empty application properties and

quarkus.oidc.credentials.secret=PassWord!
quarkus.keycloak.devservices.grant.type=client

in DevUI, follow Keycloak Admin link, login as admin:admin, confirm a quarkus-app client's password is PassWord!, now go to SPA, and try the client credential form.

Note #35888 will resolve this issue once merged. If something still does not work after it is merged then please open more specific issues, it will be easier to handle them.

Thanks

@quarkus-bot quarkus-bot bot added this to the 3.5 - main milestone Sep 12, 2023
@gsmet gsmet modified the milestones: 3.5 - main, 3.4.0 Sep 13, 2023
benkard pushed a commit to benkard/quarkus-googlecloud-jsonlogging that referenced this issue Sep 24, 2023
…oud-jsonlogging!18)

This MR contains the following updates:

| Package | Type | Update | Change |
|---------|------|--------|--------|
| [io.quarkus:quarkus-extension-processor](https://github.com/quarkusio/quarkus) |  | minor | `3.3.2` -\> `3.4.1` |
| [io.quarkus:quarkus-extension-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.3.2` -\> `3.4.1` |
| [io.quarkus:quarkus-bom](https://github.com/quarkusio/quarkus) | import | minor | `3.3.2` -\> `3.4.1` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.3.2` -\> `3.4.1` |
| [org.eclipse.parsson:parsson](https://github.com/eclipse-ee4j/parsson) | compile | patch | `1.1.2` -\> `1.1.4` |
| [io.smallrye.common:smallrye-common-constraint](http://smallrye.io) ([source](https://github.com/smallrye/smallrye-common)) | compile | patch | `2.1.0` -\> `2.1.2` |

---

### Release Notes

<details>
<summary>quarkusio/quarkus</summary>

### [`v3.4.1`](https://github.com/quarkusio/quarkus/releases/tag/3.4.1)

[Compare Source](quarkusio/quarkus@3.4.0...3.4.1)

##### Major changes

- [\#​35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway

##### Complete changelog

- [\#​36000](quarkusio/quarkus#36000) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /docs
- [\#​35999](quarkusio/quarkus#35999) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /bom/application
- [\#​35990](quarkusio/quarkus#35990) - Don't ignore empty SSE events in client
- [\#​35987](quarkusio/quarkus#35987) - Improve the way HTTP authorizer logs exceptions
- [\#​35981](quarkusio/quarkus#35981) - Fix link to AWS Lambda SnapStart in documentation
- [\#​35979](quarkusio/quarkus#35979) - Add `@ConfigDocEnumValue` & `@ConfigDocDefault` to writing-extensions guide
- [\#​35977](quarkusio/quarkus#35977) - Recompute cached value when the Redis connection fails
- [\#​35975](quarkusio/quarkus#35975) - OIDC: AuthenticationRedirectionException after successful login
- [\#​35968](quarkusio/quarkus#35968) - Warn when wrong token proxy is accessed
- [\#​35966](quarkusio/quarkus#35966) - SSE: Reactive SseEventSource client doesn't consume empty events
- [\#​35964](quarkusio/quarkus#35964) - OIDC: NPE when accessing IdToken when Bearer access token is sent
- [\#​35959](quarkusio/quarkus#35959) - Log invalid CORS origin and method
- [\#​35958](quarkusio/quarkus#35958) - \[GraalVM 24.0\] Hibernate ORM elasticsearch native integration tests fail with return type mismatch
- [\#​35956](quarkusio/quarkus#35956) - Fix return type of hibernate-search substitution
- [\#​35949](quarkusio/quarkus#35949) - Properly initialize reactive Pool beans
- [\#​35938](quarkusio/quarkus#35938) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /bom/application
- [\#​35937](quarkusio/quarkus#35937) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /independent-projects/tools
- [\#​35926](quarkusio/quarkus#35926) - Fix use of multiple `@ClientXXX` annotations in REST Client Reactive
- [\#​35925](quarkusio/quarkus#35925) - Add a property to bypass cache mechanism in case of Redis failure
- [\#​35919](quarkusio/quarkus#35919) - Honor OIDC logout requests when ID token has expired
- [\#​35914](quarkusio/quarkus#35914) - Prevent recording configuration coming from Gradle
- [\#​35900](quarkusio/quarkus#35900) - Fix RESTEasy CDI dependency issue
- [\#​35899](quarkusio/quarkus#35899) - Add note about unsupported `@Lock` in Spring Data JPA
- [\#​35895](quarkusio/quarkus#35895) - Update liquibase to 4.23.2, liquibase-mongodb to 4.23.1
- [\#​35889](quarkusio/quarkus#35889) - UriInfo can not be injected in presence of quarkus-rest-client dependency
- [\#​35886](quarkusio/quarkus#35886) - OTel Scope.close() warning improvement
- [\#​35885](quarkusio/quarkus#35885) - Applying the QE feedback for the Logging guide
- [\#​35884](quarkusio/quarkus#35884) - Application fails to start when eactive restclient uses both ClientExceptionMapper and ClientObjectMapper
- [\#​35883](quarkusio/quarkus#35883) - Bring back the HTTP console commands
- [\#​35879](quarkusio/quarkus#35879) - Quarkus 3.4.0.CR1 does not have HTTP commands in dev mode
- [\#​35858](quarkusio/quarkus#35858) - NullPointerException when entity primary key has the type `byte[]`
- [\#​35777](quarkusio/quarkus#35777) - Add a note about HR not being a replacement for ORM
- [\#​35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway
- [\#​35728](quarkusio/quarkus#35728) - OIDC logout not working for virtual callback paths, if id_token is expired but session cookie is present
- [\#​35690](quarkusio/quarkus#35690) - Upgrade to Hibernate ORM 6.2.9.Final and HR 2.0.5.Final
- [\#​35655](quarkusio/quarkus#35655) - Flyway does not work without default datasource 3.3
- [\#​35528](quarkusio/quarkus#35528) - flyway with one supported and one unsupported Db throws exception at startup

### [`v3.4.0`](https://github.com/quarkusio/quarkus/releases/tag/3.4.0)

[Compare Source](quarkusio/quarkus@3.3.3...3.4.0)

##### Complete changelog

- [\#​35888](quarkusio/quarkus#35888) - Restore missing parameters in OIDC Dev UI client cred and password SwaggerUI/GraphQL handlers
- [\#​35870](quarkusio/quarkus#35870) - Use default Vert.x client settings in OTel exporters
- [\#​35866](quarkusio/quarkus#35866) - Automatic TLS support in new Vert.x based open telemetry implementation
- [\#​35862](quarkusio/quarkus#35862) - Only remove OTLP trace services when otlp is not configured
- [\#​35846](quarkusio/quarkus#35846) - Fixes aggregation of configurations with two different executions ids
- [\#​35844](quarkusio/quarkus#35844) - Improve description of the duration format in configuration documentation
- [\#​35840](quarkusio/quarkus#35840) - Updates Infinispan to 14.0.17.Final
- [\#​35831](quarkusio/quarkus#35831) - Quarkus aggregate configurations from different executions that share the same goal
- [\#​35822](quarkusio/quarkus#35822) - Check that embedded property types are marked as `@Embeddable`
- [\#​35817](quarkusio/quarkus#35817) - Improve Qute + Cache integration
- [\#​35804](quarkusio/quarkus#35804) - HTTP fix response compression support
- [\#​35792](quarkusio/quarkus#35792) - Do not include in the list of property names Kubernetes config fallbacks
- [\#​35789](quarkusio/quarkus#35789) - Improve OTel Sampler docs
- [\#​35786](quarkusio/quarkus#35786) - OpenTelemetry exporter (otlp) startup dependency error when running as a Docker container image
- [\#​35784](quarkusio/quarkus#35784) - Document the ability to automatically compress rotated log files
- [\#​35778](quarkusio/quarkus#35778) - Fix generic handling of ParamConverter
- [\#​35774](quarkusio/quarkus#35774) - RESTEasy Reactive fails to handle collections of parameterized types as parameter
- [\#​35764](quarkusio/quarkus#35764) - Do not include revision and host-specific info in MANIFEST.MF
- [\#​35762](quarkusio/quarkus#35762) - Delete temporary openshift files
- [\#​35759](quarkusio/quarkus#35759) - Upgrade Smallrye OpenAPI to 3.5.2
- [\#​35757](quarkusio/quarkus#35757) - Update liquibase from 4.20.0 to 4.23.1, liquibase-mongodb to 4.23.0
- [\#​35747](quarkusio/quarkus#35747) - Large files remain in /tmp after OpenShift deployments
- [\#​35726](quarkusio/quarkus#35726) - Improve matching of config properties to a root
- [\#​35722](quarkusio/quarkus#35722) - Since quarkus 3.3.0 a WARN message unrecognized configuration key "quarkus.kubernetes.route.expose" is logged
- [\#​35718](quarkusio/quarkus#35718) - Packs libraries alongside executable in function.zip
- [\#​35713](quarkusio/quarkus#35713) - AWS Lambda extension does not pack necessary .so files when AWT is used
- [\#​35710](quarkusio/quarkus#35710) - Fix potential NPE in HTTP proxying
- [\#​35706](quarkusio/quarkus#35706) - Azure-Functions crash when X-Forwarded headers are enabled java.lang.NullPointerException
- [\#​35599](quarkusio/quarkus#35599) - Keycloak/Quarkus Issues: Dev and Prod
- [\#​35598](quarkusio/quarkus#35598) - Improve Error-Message for missing Embedabbles
- [\#​35558](quarkusio/quarkus#35558) - Widen conditions under RESTEasy Reactive Server and RESTEasy Classic Client can work together
- [\#​12260](quarkusio/quarkus#12260) - Quarkus logging with compress option

### [`v3.3.3`](https://github.com/quarkusio/quarkus/releases/tag/3.3.3)

[Compare Source](quarkusio/quarkus@3.3.2...3.3.3)

##### Complete changelog

- Fixes CVE-2023-4853
- [\#​35490](quarkusio/quarkus#35490) - Build cache - Improve cachability of service binding tests

</details>

<details>
<summary>eclipse-ee4j/parsson</summary>

### [`v1.1.4`](eclipse-ee4j/parsson@1.1.3...1.1.4)

[Compare Source](eclipse-ee4j/parsson@1.1.3...1.1.4)

### [`v1.1.3`](https://github.com/eclipse-ee4j/parsson/releases/tag/1.1.3): Parsson 1.1.3

[Compare Source](eclipse-ee4j/parsson@1.1.2...1.1.3)

#### What's Changed

- 1\.1.2 release by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#89
- [\#​91](eclipse-ee4j/parsson#91): Stack overflow error caused by jakarta.json parsing of untrusted JSON String by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#92
- update build plugins by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#93
- improve compatibility with OSGi mediator by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#96
- [\#​77](eclipse-ee4j/parsson#77): JsonTokenizer.close() recycles its buffer for each call to close() by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#97
- [\#​90](eclipse-ee4j/parsson#90): MapUtil.handle does not support Array objects by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#98

**Full Changelog**: eclipse-ee4j/parsson@1.1.2...1.1.3

</details>

<details>
<summary>smallrye/smallrye-common</summary>

### [`v2.1.2`](https://github.com/smallrye/smallrye-common/releases/tag/2.1.2)

[Compare Source](smallrye/smallrye-common@2.1.1...2.1.2)

- [\#​243](smallrye/smallrye-common#243) Release 2.1.2
- [\#​242](smallrye/smallrye-common#242) Fix substitutions for Windows OS
- [\#​241](smallrye/smallrye-common#241) GraalVM substitution problem on Windows
- [\#​240](smallrye/smallrye-common#240) Bump version.vertx from 4.4.4 to 4.4.5

### [`v2.1.1`](https://github.com/smallrye/smallrye-common/releases/tag/2.1.1)

[Compare Source](smallrye/smallrye-common@2.1.0...2.1.1)

- [\#​239](smallrye/smallrye-common#239) Release 2.1.1
- [\#​238](smallrye/smallrye-common#238) Allow reaper threads to be started at run time
- [\#​237](smallrye/smallrye-common#237) Bump io.sundr:sundr-maven-plugin from 0.100.1 to 0.100.3
- [\#​236](smallrye/smallrye-common#236) Bump org.apache.maven:maven-artifact from 3.9.3 to 3.9.4
- [\#​234](smallrye/smallrye-common#234) Bump version.graalvm from 22.3.2 to 23.0.1
- [\#​233](smallrye/smallrye-common#233) Bump module-info from 2.0 to 2.1
- [\#​232](smallrye/smallrye-common#232) Bump sundr-maven-plugin from 0.95.0 to 0.100.1
- [\#​231](smallrye/smallrye-common#231) Bump maven-artifact from 3.9.2 to 3.9.3
- [\#​230](smallrye/smallrye-common#230) Bump version.vertx from 4.4.3 to 4.4.4
- [\#​227](smallrye/smallrye-common#227) Bump smallrye-parent from 39 to 40
- [\#​226](smallrye/smallrye-common#226) Bump version.vertx from 4.4.1 to 4.4.3
- [\#​225](smallrye/smallrye-common#225) Bump sundr-maven-plugin from 0.94.0 to 0.95.0
- [\#​222](smallrye/smallrye-common#222) Bump maven-artifact from 3.9.0 to 3.9.2
- [\#​221](smallrye/smallrye-common#221) Port quiet(...) and cast(...) methods from wildfly-common
- [\#​220](smallrye/smallrye-common#220) Bump version.graalvm from 22.3.1 to 22.3.2
- [\#​218](smallrye/smallrye-common#218) Bump version.vertx from 4.4.0 to 4.4.1
- [\#​217](smallrye/smallrye-common#217) Bump asm from 9.4 to 9.5
- [\#​216](smallrye/smallrye-common#216) Support unsigned parameter range checks
- [\#​214](smallrye/smallrye-common#214) Bump version.vertx from 4.3.8 to 4.4.0

</details>

---

### Configuration

:date: **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

:vertical_traffic_light: **Automerge**: Enabled.

:recycle: **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

:ghost: **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

* [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
@aloubyansky aloubyansky modified the milestones: 3.4.0, 3.2.8.Final Oct 31, 2023
benkard pushed a commit to benkard/mulkcms2 that referenced this issue Nov 12, 2023
This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [io.hypersistence:hypersistence-utils-hibernate-62](https://github.com/vladmihalcea/hypersistence-utils) | compile | patch | `3.5.2` -> `3.5.3` |
| [org.hibernate.orm:hibernate-envers](https://hibernate.org/orm) ([source](https://github.com/hibernate/hibernate-orm)) | build | patch | `6.3.0.Final` -> `6.3.1.Final` |
| [org.hibernate.orm:hibernate-core](https://hibernate.org/orm) ([source](https://github.com/hibernate/hibernate-orm)) | build | patch | `6.3.0.Final` -> `6.3.1.Final` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.3.3` -> `3.4.1` |
| [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | minor | `3.3.3` -> `3.4.1` |

---

### Release Notes

<details>
<summary>vladmihalcea/hypersistence-utils</summary>

### [`v3.5.3`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-353---September-19-2023)

\================================================================================

Add QueryStackTraceLogger that allows you to locate the source of an SQL query executed by Hibernate [#&#8203;653](vladmihalcea/hypersistence-utils#653)

</details>

<details>
<summary>hibernate/hibernate-orm</summary>

### [`v6.3.1.Final`](https://github.com/hibernate/hibernate-orm/blob/HEAD/changelog.txt#Changes-in-631Final-September-19-2023)

[Compare Source](hibernate/hibernate-orm@6.3.0...6.3.1)

https://hibernate.atlassian.net/projects/HHH/versions/32188

\*\* Bug
\* \[HHH-17221] - AssertionError initializing a collection with FetchMode.SUBSELECT and IdClass having only one field
\* \[HHH-17203] - ElementCollection doesn't consider [@&#8203;Where](https://github.com/Where) annotation on delete of elements
\* \[HHH-17202] - ArrayStoreException for single field id class entity collection batch loading
\* \[HHH-17201] - Unexpected value type exception for unordered multi id Load with ordered return disable
\* \[HHH-17189] - Audited annotations are ignored on embeddable super types
\* \[HHH-17177] - JDBC type code is ignored in XML mapping for an id attribute
\* \[HHH-17173] - Getting one-to-one association through a referenece to a bytecode enhanced entity fails
\* \[HHH-17168] - Investigate failures on db10\_5 and Cockrachdb of FunctionTests.testCastBinaryWithLength
\* \[HHH-17167] - Unable to locate parameter for RESTRICT - DELETE error when removing entity with RowId
\* \[HHH-17166] - query methods returning primitive types incorrectly inferred to be mutation query methods
\* \[HHH-17165] - short method names in metamodel generator cause SIOBE
\* \[HHH-17163] - persist() should throw JPA's EntityExistsException if passed detached instance
\* \[HHH-17159] - java.lang.StackOverflowError during Update on Entity with Embeddable and JSON
\* \[HHH-17156] - NPE when an Embeddable column is reused in another class related by inheritance
\* \[HHH-17154] - NullPointerException is thrown when constructing EntityManagerFactoryBuilderImpl
\* \[HHH-17135] - CriteriaQuery error passing nullLiteral with entity type class
\* \[HHH-17131] - Regression in entity streams with associated collections resulting in result duplication
\* \[HHH-17105] - SQL clause from [@&#8203;WhereJoinTable](https://github.com/WhereJoinTable) is no longer used for DELETE queries (6.2 regression)
\* \[HHH-17104] - Bug with max() request inside projection
\* \[HHH-17100] - CustomType wrongly calls UserType#disassemble
\* \[HHH-17080] - \[Envers] AuditReader.getRevisionNumberForDate(LocalDateTime) uses Epoch Seconds instead of Epoch Millis
\* \[HHH-17079] - NPE when using CompositeUserType with generic fields in Hibernate 6
\* \[HHH-17049] - Bytecode Enhancement, extra records created for associations created in constructor
\* \[HHH-16945] - CTE query cycle attribute evaluated incorrectly on MSSQL using collation "Latin1\_General_CI_AS"
\* \[HHH-15968] - Sporadic ClassCastException when querying for Set<Enum>.

\*\* Improvement
\* \[HHH-17220] - Avoid runtime lookups of JdbcService from TableGenerator and TableStructure
\* \[HHH-17171] - JPA and multiple query roots
\* \[HHH-16768] - HQL parsed predicates don't validate type comparability

\*\* Task
\* \[HHH-17204] - Relax visibility of some methods for reactive upsert() support
\* \[HHH-17187] - Avoid 0 byte trailing UUID's in tests
\* \[HHH-17160] - Gradle 8.3 upgrade
\* \[HHH-17087] - Update container images to the latest version

</details>

<details>
<summary>quarkusio/quarkus</summary>

### [`v3.4.1`](https://github.com/quarkusio/quarkus/releases/tag/3.4.1)

[Compare Source](quarkusio/quarkus@3.4.0...3.4.1)

##### Major changes

-   [#&#8203;35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway

##### Complete changelog

-   [#&#8203;36000](quarkusio/quarkus#36000) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /docs
-   [#&#8203;35999](quarkusio/quarkus#35999) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /bom/application
-   [#&#8203;35990](quarkusio/quarkus#35990) - Don't ignore empty SSE events in client
-   [#&#8203;35987](quarkusio/quarkus#35987) - Improve the way HTTP authorizer logs exceptions
-   [#&#8203;35981](quarkusio/quarkus#35981) - Fix link to AWS Lambda SnapStart in documentation
-   [#&#8203;35979](quarkusio/quarkus#35979) - Add `@ConfigDocEnumValue` & `@ConfigDocDefault` to writing-extensions guide
-   [#&#8203;35977](quarkusio/quarkus#35977) - Recompute cached value when the Redis connection fails
-   [#&#8203;35975](quarkusio/quarkus#35975) - OIDC: AuthenticationRedirectionException after successful login
-   [#&#8203;35968](quarkusio/quarkus#35968) - Warn when wrong token proxy is accessed
-   [#&#8203;35966](quarkusio/quarkus#35966) - SSE: Reactive SseEventSource client doesn't consume empty events
-   [#&#8203;35964](quarkusio/quarkus#35964) - OIDC: NPE when accessing IdToken when Bearer access token is sent
-   [#&#8203;35959](quarkusio/quarkus#35959) - Log invalid CORS origin and method
-   [#&#8203;35958](quarkusio/quarkus#35958) - \[GraalVM 24.0] Hibernate ORM elasticsearch native integration tests fail with return type mismatch
-   [#&#8203;35956](quarkusio/quarkus#35956) - Fix return type of hibernate-search substitution
-   [#&#8203;35949](quarkusio/quarkus#35949) - Properly initialize reactive Pool beans
-   [#&#8203;35938](quarkusio/quarkus#35938) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /bom/application
-   [#&#8203;35937](quarkusio/quarkus#35937) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /independent-projects/tools
-   [#&#8203;35926](quarkusio/quarkus#35926) - Fix use of multiple `@ClientXXX` annotations in REST Client Reactive
-   [#&#8203;35925](quarkusio/quarkus#35925) - Add a property to bypass cache mechanism in case of Redis failure
-   [#&#8203;35919](quarkusio/quarkus#35919) - Honor OIDC logout requests when ID token has expired
-   [#&#8203;35914](quarkusio/quarkus#35914) - Prevent recording configuration coming from Gradle
-   [#&#8203;35900](quarkusio/quarkus#35900) - Fix RESTEasy CDI dependency issue
-   [#&#8203;35899](quarkusio/quarkus#35899) - Add note about unsupported `@Lock` in Spring Data JPA
-   [#&#8203;35895](quarkusio/quarkus#35895) - Update liquibase to 4.23.2, liquibase-mongodb to 4.23.1
-   [#&#8203;35889](quarkusio/quarkus#35889) - UriInfo can not be injected in presence of quarkus-rest-client dependency
-   [#&#8203;35886](quarkusio/quarkus#35886) - OTel Scope.close() warning improvement
-   [#&#8203;35885](quarkusio/quarkus#35885) - Applying the QE feedback for the Logging guide
-   [#&#8203;35884](quarkusio/quarkus#35884) - Application fails to start when eactive restclient uses both ClientExceptionMapper and ClientObjectMapper
-   [#&#8203;35883](quarkusio/quarkus#35883) - Bring back the HTTP console commands
-   [#&#8203;35879](quarkusio/quarkus#35879) - Quarkus 3.4.0.CR1 does not have HTTP commands in dev mode
-   [#&#8203;35858](quarkusio/quarkus#35858) - NullPointerException when entity primary key has the type `byte[]`
-   [#&#8203;35777](quarkusio/quarkus#35777) - Add a note about HR not being a replacement for ORM
-   [#&#8203;35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway
-   [#&#8203;35728](quarkusio/quarkus#35728) - OIDC logout not working for virtual callback paths, if id_token is expired but session cookie is present
-   [#&#8203;35690](quarkusio/quarkus#35690) - Upgrade to Hibernate ORM 6.2.9.Final and HR 2.0.5.Final
-   [#&#8203;35655](quarkusio/quarkus#35655) - Flyway does not work without default datasource 3.3
-   [#&#8203;35528](quarkusio/quarkus#35528) - flyway with one supported and one unsupported Db throws exception at startup

### [`v3.4.0`](https://github.com/quarkusio/quarkus/releases/tag/3.4.0)

[Compare Source](quarkusio/quarkus@3.3.3...3.4.0)

##### Complete changelog

-   [#&#8203;35888](quarkusio/quarkus#35888) - Restore missing parameters in OIDC Dev UI client cred and password SwaggerUI/GraphQL handlers
-   [#&#8203;35870](quarkusio/quarkus#35870) - Use default Vert.x client settings in OTel exporters
-   [#&#8203;35866](quarkusio/quarkus#35866) - Automatic TLS support in new Vert.x based open telemetry implementation
-   [#&#8203;35862](quarkusio/quarkus#35862) - Only remove OTLP trace services when otlp is not configured
-   [#&#8203;35846](quarkusio/quarkus#35846) - Fixes aggregation of configurations with two different executions ids
-   [#&#8203;35844](quarkusio/quarkus#35844) - Improve description of the duration format in configuration documentation
-   [#&#8203;35840](quarkusio/quarkus#35840) - Updates Infinispan to 14.0.17.Final
-   [#&#8203;35831](quarkusio/quarkus#35831) - Quarkus aggregate configurations from different executions that share the same goal
-   [#&#8203;35822](quarkusio/quarkus#35822) - Check that embedded property types are marked as `@Embeddable`
-   [#&#8203;35817](quarkusio/quarkus#35817) - Improve Qute + Cache integration
-   [#&#8203;35804](quarkusio/quarkus#35804) - HTTP fix response compression support
-   [#&#8203;35792](quarkusio/quarkus#35792) - Do not include in the list of property names Kubernetes config fallbacks
-   [#&#8203;35789](quarkusio/quarkus#35789) - Improve OTel Sampler docs
-   [#&#8203;35786](quarkusio/quarkus#35786) - OpenTelemetry exporter (otlp) startup dependency error when running as a Docker container image
-   [#&#8203;35784](quarkusio/quarkus#35784) - Document the ability to automatically compress rotated log files
-   [#&#8203;35778](quarkusio/quarkus#35778) - Fix generic handling of ParamConverter
-   [#&#8203;35774](quarkusio/quarkus#35774) - RESTEasy Reactive fails to handle collections of parameterized types as parameter
-   [#&#8203;35764](quarkusio/quarkus#35764) - Do not include revision and host-specific info in MANIFEST.MF
-   [#&#8203;35762](quarkusio/quarkus#35762) - Delete temporary openshift files
-   [#&#8203;35759](quarkusio/quarkus#35759) - Upgrade Smallrye OpenAPI to 3.5.2
-   [#&#8203;35757](quarkusio/quarkus#35757) - Update liquibase from 4.20.0 to 4.23.1, liquibase-mongodb to 4.23.0
-   [#&#8203;35747](quarkusio/quarkus#35747) - Large files remain in /tmp after OpenShift deployments
-   [#&#8203;35726](quarkusio/quarkus#35726) - Improve matching of config properties to a root
-   [#&#8203;35722](quarkusio/quarkus#35722) - Since quarkus 3.3.0 a WARN message unrecognized configuration key "quarkus.kubernetes.route.expose" is logged
-   [#&#8203;35718](quarkusio/quarkus#35718) - Packs libraries alongside executable in function.zip
-   [#&#8203;35713](quarkusio/quarkus#35713) - AWS Lambda extension does not pack necessary .so files when AWT is used
-   [#&#8203;35710](quarkusio/quarkus#35710) - Fix potential NPE in HTTP proxying
-   [#&#8203;35706](quarkusio/quarkus#35706) - Azure-Functions crash when X-Forwarded headers are enabled java.lang.NullPointerException
-   [#&#8203;35599](quarkusio/quarkus#35599) - Keycloak/Quarkus Issues: Dev and Prod
-   [#&#8203;35598](quarkusio/quarkus#35598) - Improve Error-Message for missing Embedabbles
-   [#&#8203;35558](quarkusio/quarkus#35558) - Widen conditions under RESTEasy Reactive Server and RESTEasy Classic Client can work together
-   [#&#8203;12260](quarkusio/quarkus#12260) - Quarkus logging with compress option

</details>

<details>
<summary>quarkusio/quarkus-platform</summary>

### [`v3.4.1`](quarkusio/quarkus-platform@3.3.3...3.4.1)

[Compare Source](quarkusio/quarkus-platform@3.3.3...3.4.1)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/keycloak kind/bug Something isn't working
Projects
None yet
5 participants