laravel-keycloak-guard's People

Contributors

androbin, antonkomarev, chrisfritsche, elnurvl, frital, luizjr, marwins, matsver, officialbamm, peter279k, pkarczmarczyk94, ptrgast, roberto-proj, robsontenorio, solvesoul, tuytoosh, vlauciani

laravel-keycloak-guard's Issues

Lumen - Integration

Good morning Robson, how are you?
I need to integrate Lumen with Keycloak in an API. Would you have any documentation or a test project with this package implemented? I am having difficulty understanding how the package you created, or the one from Vizir, works.

[Keycloak Guard] Signature verification failed

Hi @robsontenorio ,

I am using your package and I reviewed all my Keycloak settings, and I am still getting the error "[Keycloak Guard] Signature verification failed".

Sometimes I see different implementations of how to build a private or public cert key. A lot of people use "----- BEGIN PUBLIC KEY --- " and other people use "----- BEGIN CERTIFICATE -----". I really don't know which is the correct way, but I tried both and the auth didn't work.

image

Can you teach me how to extract the public and private key from my Keycloak? Maybe I am using the wrong key pair.

Thanks
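
The PEM question raised in this issue, as an added example (not code from the package or from the poster): it signs a constructed RS256 token with a freshly generated key, then checks it against the same key material with no armor, with matching and mismatching PEM labels, and against an unrelated key. The helper names are hypothetical, and it assumes PHP 8 with the openssl extension and a configured value that is the bare base64 body of the key.

```php
<?php
// Added example. The key pairs, certificate and token are generated here;
// nothing comes from a real realm.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Strip the PEM armor and whitespace, leaving the bare base64 body
// (assumption: this is the form pasted into the configuration).
function pemBody(string $pem): string
{
    return preg_replace('/-----[^-]+-----|\s+/', '', $pem);
}

// Re-armor a bare body. The label has to match what the body really is.
function pemWrap(string $body, string $label): string
{
    return "-----BEGIN $label-----\n" . wordwrap($body, 64, "\n", true)
         . "\n-----END $label-----\n";
}

// Verify the RS256 signature of a compact JWT against the given key material.
function verifyRs256(string $jwt, string $keyMaterial): string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return 'malformed token';
    }
    $key = openssl_pkey_get_public($keyMaterial);
    if ($key === false) {
        return 'key not loadable';
    }
    $sig = base64_decode(strtr($parts[2], '-_', '+/'));
    $ok  = openssl_verify($parts[0] . '.' . $parts[1], $sig, $key, OPENSSL_ALGO_SHA256);
    return $ok === 1 ? 'signature valid' : 'signature verification failed';
}

function demo(): array
{
    $opts  = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];
    $realm = openssl_pkey_new($opts);   // stands in for the realm's active RSA key
    $other = openssl_pkey_new($opts);   // stands in for a key of a different realm

    $pubBody      = pemBody(openssl_pkey_get_details($realm)['key']);
    $otherPubBody = pemBody(openssl_pkey_get_details($other)['key']);

    // Self-signed certificate over the realm key, to compare with the plain public key.
    $csr  = openssl_csr_new(['commonName' => 'constructed-realm'], $realm, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $realm, 1, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $certPem);
    $certBody = pemBody($certPem);

    // Constructed token, signed with the "realm" private key.
    $signingInput = b64url('{"alg":"RS256","typ":"JWT"}') . '.' . b64url('{"sub":"constructed-user"}');
    openssl_sign($signingInput, $sig, $realm, OPENSSL_ALGO_SHA256);
    $jwt = $signingInput . '.' . b64url($sig);

    return [
        'bare body, no armor'         => verifyRs256($jwt, $pubBody),
        'public key as PUBLIC KEY'    => verifyRs256($jwt, pemWrap($pubBody, 'PUBLIC KEY')),
        'certificate as CERTIFICATE'  => verifyRs256($jwt, pemWrap($certBody, 'CERTIFICATE')),
        'certificate as PUBLIC KEY'   => verifyRs256($jwt, pemWrap($certBody, 'PUBLIC KEY')),
        'public key of another realm' => verifyRs256($jwt, pemWrap($otherPubBody, 'PUBLIC KEY')),
    ];
}

foreach (demo() as $case => $result) {
    printf("%-30s %s\n", $case, $result);
}
```

A key that loads but belongs to another realm, or to a key pair that has since been rotated, still ends in a failed verification, so a loadable key is not proof that it is the right one.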

Add the possibility of ignoring the **allowed_resources** control

If the allowed_resources is not present in the JWT, it produces this error:
KeycloakGuard\Exceptions\ResourceAccessNotAllowedException: [Keycloak Guard] The decoded JWT token has not a valid resource_access allowed by API. Allowed resources by API: in file /var/www/html/vendor/robsontenorio/laravel-keycloak-guard/src/KeycloakGuard.php on line 169

It can be really useful if you want to manage your roles in the app and be more flexible to change the auth Keycloak realm, for example.
Also, some Keycloak realms that you need to be authenticated against don't give this param, and it's a problem for the package.

Auth::user() problem

Hello I have a problem with laravel-keycloak-guard.
Everything seems to be going smoothly, but when I try to access user data via \Auth::user() it returns an empty user object.
I would like to know: if my KEYCLOAK_LOAD_USER_FROM_DATABASE variable is set to false, is the user object not loaded with the user data contained in the sent token?

Unable to extend the guard

All KeycloakGuard's properties and methods are private. When we want to override the class to add some additional logic, this makes it more complicated. The question is whether private is by design or whether we can change the props to be protected.

We will be happy to provide a PR with the changes if you accept it.

Thanks for the great package!

[Keycloak error] Wrong number of segments

I've successfully obtained an access token as follows:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSNnpnSXF6dHp4aVlVY25aR2JmOHBfLU5jams1VmhqNGprUzNndXdCb0pJIn0.eyJleHAiOjE2MjAyNTEyMTUsImlhdCI6MTYxNzY1OTIxNSwiYXV0aF90aW1lIjoxNjE3NjU3NDcwLCJqdGkiOiJiMDVjY2NjMi03N2RjLTQ3NmEtOGY2NS1jZDA1ZTc3OWFkOTUiLCJpc3MiOiJodHRwOi8vZGV2LnNoYW5iZS5pbzo4MDgwL2F1dGgvcmVhbG1zL3NoYW5iZSIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJkNTVkNzZhYS0wODY3LTQwZGUtYTVmNS00NTU4MWMyODhkNTIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzaGFuYmUtYXBwIiwic2Vzc2lvbl9zdGF0ZSI6ImVlOWU4YzM3LWRlYmEtNDU5YS05OThiLWNhOWQ1OGRlMTZkZSIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgb2ZmbGluZV9hY2Nlc3MgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6Ik1laHJkYWQgU2hva3JpIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiY29kZS5wb2V0OTVAZ21haWwuY29tIiwiZ2l2ZW5fbmFtZSI6Ik1laHJkYWQiLCJmYW1pbHlfbmFtZSI6IlNob2tyaSIsImVtYWlsIjoiY29kZS5wb2V0OTVAZ21
Apparently firebase/jwt checks for . to segment the token, and this token has 1 . so 2 segments are generated (it should be 3).
Does Keycloak have a special config to generate 3 segments? As far as I know this is an OpenID Connect access token, and I don't have any idea why it doesn't have 2 dots in it.

Help! Please. [Resolved]

Hello my friends.
laravel-keycloak does not connect to keycloak to verify token. OK? The firebase lib is used to check the veracity of the token, am I correct? How should my User table look, should I include the username field? I'm generating a token with insomnia and trying to consume a protected endpoint, so I get the following error:
[Keycloak Guard] Signature verification failed

Are there any usage examples?
Thanks.

"message": "[Keycloak Guard] Signature verification failed"

Hi, I am using Laravel 8.37.0 and Vuejs. I have installed and configured this package as per the instructions given in the README file, but I am getting the following error message while calling from Postman. Kindly check and help me to resolve this issue.

"message": "[Keycloak Guard] Signature verification failed",
"exception": "KeycloakGuard\Exceptions\TokenException",
"file": "/opt/lampp/htdocs/archive/officer-hwn-web-robsontenorio/vendor/robsontenorio/laravel-keycloak-guard/src/KeycloakGuard.php",
"line": 41,

In my auth.php I have

'defaults' => [
    'guard' => 'api',
    'passwords' => 'users',
],
'guards' => [
    'api' => [
        'driver' => 'keycloak',
        'provider' => 'users',
        // 'hash' => false,
    ],
],
'providers' => [
    'users' => [
        'driver' => 'eloquent',
        'model' => App\Models\User::class,
    ],
],

In my config/keycloak.php I have

return [
    'realm_public_key' => env('KEYCLOAK_REALM_PUBLIC_KEY', "MII####"),

    'load_user_from_database' => env('KEYCLOAK_LOAD_USER_FROM_DATABASE', true),

    'user_provider_credential' => env('KEYCLOAK_USER_PROVIDER_CREDENTIAL', 'email'),

    'token_principal_attribute' => env('KEYCLOAK_TOKEN_PRINCIPAL_ATTRIBUTE', 'username'),

    'append_decoded_token' => env('KEYCLOAK_APPEND_DECODED_TOKEN', false),

    'allowed_resources' => env('KEYCLOAK_ALLOWED_RESOURCES', null)
];

In Postman Request

Method : Get
URL : 127.0.0.1:8000/api/v1/protected-endpoint
Authorization :
Type :Bearer_token , Token {{access_token}}
Body :
username : "###user@###corp.com"
password : test1
grant_type:password

[Keycloak Guard] Signature verification failed

Hello, I am experiencing problems with the validation of the signature in Laravel ^8.54. It does not validate the signature. I debugged the library and it gives an error in the openssl_verify of the JWT.php class, line 264. The parameters of the token, signature, key and the algorithm are correct; you can see that they arrive, but when validating the signature it throws an error.

KeycloakGuard\Exceptions\TokenException: [Keycloak Guard] Signature verification failed in file vendor/robsontenorio/laravel-keycloak-guard/src/KeycloakGuard.php on line 44

ClientID & Secret rather than realm_public_key

Hello, I am using the latest version of keycloak (4.3.0.Final) which encourages ClientID & Secret with a URL redirect.

I do not see where I would configure this into your application?

The use of a Realm Public Key is not encouraged as our IT security policy calls for periodic rotation of Realm Key Pairs. It would be much better to configure my Laravel Application on a per-client, rather than per-realm basis. Are you looking to implement this into this code?

What am I missing?

Undefined property

Tech stack: Laravel 8, Keycloak 14

First request: please describe the KEYCLOAK_ALLOWED_RESOURCES example in the .env file
Second request: I have attached a picture, I get this error message
image

Thanks

Custom Request redirect

If I create a custom request in my API like CustomerRequest and put in a required|string|max:50, Auth redirects directly to the login page if it returns false. Especially in an API this is not very useful. Does anybody know how to get error handling?

Auth::hasRole(...) => true returns unexpected

Thanks for this great solution! It works really nicely. Just have one problem. I tried:
Auth::hasRole('SuperUser') => true
and also inserted use Illuminate\Contracts\Auth\Guard;
But it returned a syntax error (unexpected '=>' (T_DOUBLE_ARROW)).
I am also using realm roles. Is Auth::hasRole checking this, too?

users table not defined

Hi, I want to authenticate users between multiple microservices, and each microservice will have an authentication.
I found your package and it seems to work for me, but the problem is I don't know how to tell Keycloak to use the users of the Keycloak panel for authentication, not to look up in the Laravel users table, because there is no users table in my services.

Please help me with my issue, or if you have any suggestion to help me find my solution, that would be great.
Thank you

Exception handling

Hi,

is it possible to add an Exception Handler?

I would prefer a 4xx Http Status Code with a message instead of a 500 Server error in some cases.

For example the ResourceAccessNotAllowedException

=> 403 - You do not have the resource access

Best regards

thoss

Configuration problems

Hello,

I am testing your laravel module for keycloak.

I followed the instructions mentioned in the readme. But I have error messages that appear :

image

In your module, should we set the Keycloak database, i.e. should we tell your module that it must connect to the Keycloak database? If yes, how?

Can you help me ?

Regards,
Christophe

Avoid resource_access control

I'd like to avoid the resource_access control, because I would like to manage it directly from my backend. I cannot find any solution other than deleting the control directly in the Guard.
It would be great to have a configuration at Keycloak.init(), but I cannot find it.
Any solutions?

Default function not working

Hi Robson,

Thank you for this package, it's very helpful.

I found an issue: the user token is valid, but the default functions like Auth::user(), Auth::id() ... are not working, because the user attribute is null.

I resolved it by adding this line after authentication :

$this->user = $this->provider->retrieveByCredentials([$this->config['user_provider_credential'] => $this->decodedToken->{$this->config['user_provider_credential']}]);

(Lumen) Publishing issue

Configuration and user providers are not published.

php artisan vendor:publish --provider="KeycloakGuard\KeycloakGuardServiceProvider"
"Nothing to publish for tag []."

Call to undefined method KeycloakGuard\KeycloakGuard::attempt()

Hi and first of all a praise for the development, but unfortunately I have a problem with authentication.

My steps:

  1. Installed a fresh Laravel instance.
  2. php artisan make:auth
  3. composer require robsontenorio/laravel-keycloak-guard
  4. php artisan vendor:publish --provider="KeycloakGuard\KeycloakGuardServiceProvider"
  5. changed some parts in config/auth.php like the documentation
  6. added properties to the .env

KEYCLOAK_REALM_PUBLIC_KEY="************************************"
KEYCLOAK_LOAD_USER_FROM_DATABASE=
KEYCLOAK_USER_PROVIDER_CREDENTIAL="email"
KEYCLOAK_TOKEN_PRINCIPAL_ATTRIBUTE=
KEYCLOAK_APPEND_DECODED_TOKEN=
KEYCLOAK_ALLOWED_RESOURCES="https://***/auth"

  7. create a new route in api.php
Route::group(['middleware' => 'auth:api'], function () {
    Route::resource('blog', 'Api\BlogController');
});

Each time I call the URL /api/blog I am redirected to /login. Then, if I want to authenticate, I get this error:

Call to undefined method KeycloakGuard\KeycloakGuard::attempt()

Am I doing something wrong?

Error on production server, but not in development.

Hi,
On my production server, I have this error even on public endpoints :

Argument 2 passed to KeycloakGuard\Token::decode() must be of the type string, null given, called in robsontenorio/laravel-keycloak-guard/src/KeycloakGuard.php on line 39

#0 robsontenorio/laravel-keycloak-guard/src/KeycloakGuard.php(39): KeycloakGuard\Token::decode(NULL, NULL)
#1 robsontenorio/laravel-keycloak-guard/src/KeycloakGuard.php(27): KeycloakGuard\KeycloakGuard->authenticate()
#2 robsontenorio/laravel-keycloak-guard/src/KeycloakGuardServiceProvider.php(21): KeycloakGuard\KeycloakGuard->__construct(Object(Illuminate\Auth\EloquentUserProvider), Object(Illuminate\Http\Request))
#3 Illuminate/Auth/AuthManager.php(111): KeycloakGuard\KeycloakGuardServiceProvider->KeycloakGuard\{closure}(Object(Illuminate\Foundation\Application), 'api', Array)
#4 Illuminate/Auth/AuthManager.php(88): Illuminate\Auth\AuthManager->callCustomCreator('api', Array)
#5 Illuminate/Auth/AuthManager.php(68): Illuminate\Auth\AuthManager->resolve('api')
#6 Illuminate/Auth/AuthManager.php(54): Illuminate\Auth\AuthManager->guard('api')

I don't have this problem on dev (local).
Thanks for your help.

Charlie

Requests to secured api route fail very strangely

I'm trying to implement a similar setup to the example. My frontend authenticates with KeyCloak and I make a test request to the backend. My test request is GET /api/v1/bla and has a header Authorization: Bearer eyJhbG.... When I refresh my browser, my frontend identifies the KC session as active and working. My user is identified via email in Laravel and in the KC.

My test route:

  Route::group(['middleware' => 'auth:api'], function () {
      Route::get('bla', function () {
          Log::debug("boo");
          return JsonResponse::create(["T" => 23], 200);
      });
});

My network tab:
image

So, the 1st time I call bla, it timeouts after ~3.1 minutes. Then the 2nd time it works (wtf) and then the 3rd time it responds with {"code":500,"message":"[Keycloak Guard] Expired token"}.

Could it be that I have configured something somewhere incorrectly? I don't know where to look or where to start, I'm completely lost. I want to handle all authorization myself in the Laravel app, I just want to authenticate the user with KC and map them to a Laravel user.

Lumen 8 Always return "401 Unauthorized"

I send a request:

GET /www/seas-siscof-servicos/public/api/grupos HTTP/1.1 Accept: / Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5XzFQTUhXVW9qdlptQWIxNzhMVFkyU1N0U211RHM0eWkwbEJtNldMQTJBIn0.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.HXlPrfrQPXsdLfBmeERZ62v4LFeSsROGaE1-fvhMemiXV6lQZo-62ldGQekQZGzH2_lJzZH5KR95kbifSxkGhX1eHD-x0Yh_Da4S0HWISR4hAh69CbB5HXKTwPzcMRz8ngvqMOItOBEfKdRtIfPsbqypNYhrWM-m84h6IGJWki5amIIWcmWC_vii2jUaLWYO1qygHLcIq3SIeh9yBRRWQzT1XUyGyaoBNwQIY6zUj0JTTSPLMOP_52_5q-y-2WT_7v7Os9Tg1AzXHssEbef-D3IJJtzgbl3vGgWqJAPy4dhKeT4SOSIK4DsUiUBKaOO2kFQOWzE6iOUWRaFj3fBTBg Host: localhost User-Agent: insomnia/2021.4.1

But, always get an "Unauthorized" return

I'm using Lumen 8.0

Invalid Token Response Status Code

When I make a request to a route guarded by the keycloak middleware with an invalid bearer token, such as with an expired token or invalid resource_access, the response status code is set to 500. I'd expect this to be a 401 instead since the problem is related to being unauthorized, not an internal error. I think this behavior may lead to confusion, especially when Laravel's APP_DEBUG is disabled in production environments. In that case only the following is returned:

Status: 500 Internal Server Error

{
    "message": "Server Error"
}

I did some experimenting and if the KeycloakGuardException extends from Illuminate\Auth\AuthenticationException instead of \UnexpectedValueException, a 401 will be returned.

Is this normal behavior or is there some configuration I'm missing? I apologize if I'm missing something obvious, I'm new to Laravel. Any help would be greatly appreciated!

"[Keycloak Guard] Cannot handle token prior to" message

Hi

I got the error message of

KeycloakGuard\Exceptions\TokenException
[Keycloak Guard] Cannot handle token prior to 2020-12-02T01:54:16+0000

when try to verify the access_token.

My route is

Route::group(['middleware' => 'auth:api'], function () {
    Route::get('/protected', function () {
        return Auth::token();
    });
});

The route returns the full decoded JWT token from the authenticated user only several seconds after the token was generated.

I am not sure whether I need to clean cache or do something to make it work.

The error displayed on vendor/robsontenorio/laravel-keycloak-guard/src/KeycloakGuard.php: Line 41

    try {

      $this->decodedToken = Token::decode($this->request->bearerToken(), $this->config['realm_public_key']);

    } catch (\Exception $e) {

      throw new TokenException($e->getMessage());

    }
  • I am using Laravel 8
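
Both this error and the segment-count error in the "Wrong number of segments" issue above can be triaged from the token alone, before touching the key configuration. The following is an added example, not part of the package or of either post: it checks the segment count, decodes the payload, and applies nbf/iat/exp rules with a leeway in seconds. The function names, the fixed clock and the tokens are constructed.

```php
<?php
// Added example. Tokens below are constructed and carry a dummy signature;
// the checks look only at structure and time claims, never at the signature.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Decode one base64url JSON segment; null when it is not valid base64url JSON.
function decodeSegment(string $segment): ?array
{
    $padded = str_pad($segment, strlen($segment) + (4 - strlen($segment) % 4) % 4, '=');
    $raw    = base64_decode(strtr($padded, '-_', '+/'), true);
    $data   = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// $now is the verifier's clock, $leeway the tolerated clock skew in seconds.
function triage(string $jwt, int $now, int $leeway = 0): array
{
    $findings = [];
    $parts = explode('.', trim($jwt));
    if (count($parts) !== 3) {
        $findings[] = sprintf('%d segment(s), expected header.payload.signature', count($parts));
    }

    $claims = isset($parts[1]) ? decodeSegment($parts[1]) : null;
    if ($claims === null) {
        $findings[] = 'payload is not valid base64url JSON: token cut off or altered when copied';
        return $findings;
    }

    // A token whose nbf or iat lies ahead of the verifier's clock is "not yet valid".
    foreach (['nbf', 'iat'] as $claim) {
        if (isset($claims[$claim]) && $claims[$claim] > $now + $leeway) {
            $findings[] = sprintf('%s is %d s ahead of the verifier clock', $claim, $claims[$claim] - $now);
        }
    }
    if (isset($claims['exp']) && $now - $leeway >= $claims['exp']) {
        $findings[] = sprintf('expired %d s ago', $now - $claims['exp']);
    }
    return $findings ?: ['structure and time claims look fine'];
}

function makeToken(array $claims): string
{
    return b64url('{"alg":"RS256","typ":"JWT"}') . '.' . b64url(json_encode($claims))
         . '.' . b64url('dummy-signature');
}

function demo(): array
{
    $now   = 1700000000; // fixed verifier clock so every run gives the same result
    $fresh = makeToken(['iat' => $now + 5, 'exp' => $now + 305, 'sub' => 'constructed-user']);
    $old   = makeToken(['iat' => $now - 600, 'exp' => $now - 300, 'sub' => 'constructed-user']);
    $cut   = substr($fresh, 0, strpos($fresh, '.') + 25); // header plus part of the payload

    return [
        'issuer clock 5 s ahead, no leeway' => triage($fresh, $now),
        'same token, 10 s leeway'           => triage($fresh, $now, 10),
        'expired token'                     => triage($old, $now),
        'token cut off inside the payload'  => triage($cut, $now),
    ];
}

foreach (demo() as $case => $findings) {
    printf("%-36s %s\n", $case, implode('; ', $findings));
}
```

A finding about nbf or iat points at clock synchronisation between the Keycloak host and the API host; keep any leeway to a few seconds, since it also extends how long an expired token is accepted.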

KEYCLOAK_TOKEN_PRINCIPAL_ATTRIBUTE

Hi, I would like to know where can I set/find the KEYCLOAK_TOKEN_PRINCIPAL_ATTRIBUTE for keycloak configuration?

I am not clear about it, and need your advice.

Do I need to set the attribute by my own like picture below?
image

Appreciate your help . Thanks!

TokenException

Hello, how can I avoid my RESTful API returning KeycloakGuard\Exceptions\TokenException: [Keycloak Guard] Expired token in file and error 500 when the Keycloak access token is expired? I attached below the screenshot of the Postman answer. Sorry for my bad English and thanks for your help.
imagen

Keycloak server detail

Does the package support the latest Keycloak server?
Where do we put the server details for Keycloak authentication?

Support access token via query param

Hi, I could not find if this issue has been discussed before.

Currently this project only supports sending the access token via authorization header (bearer token). I have a use case where we also need to support sending the access token via query param / form input.

Possibly a method like what is used in the Laravel TokenGuard would be the answer.

[Keycloak Guard] Algorithm not allowed

Hi,
when I try to retrieve some resources from my api laravel application , I have the following error :

"message": "[Keycloak Guard] Algorithm not allowed",
"exception": "KeycloakGuard\Exceptions\TokenException",
"file": "C:\*******\keycloak-laravel\vendor\robsontenorio\laravel-keycloak-guard\src\KeycloakGuard.php",
"line": 41,

Do you have any idea about this ?
Thanks for your answer.

Charlie

Registration flow

If I store some information about users in Laravel App Database (Users table)
So I have same users in DB:

  1. Keycloak
  2. Laravel App (some additional user information)

KEYCLOAK_LOAD_USER_FROM_DATABASE = true

How can I organize registration flow with your package to store users in both databases?

Route [login] not defined.

I tried out your implementation and I am having some trouble.

Symfony\Component\Routing\Exception\RouteNotFoundException
Route [login] not defined.
http://localhost:8000/api/protected-endpoint
latest laravel

I have made default as requested (for API) and using firecamp for testing. I wonder what I am doing wrong.

What is the expected behaviour to reach a site which is protected and not authenticated? Do you have a sample implementation at hand which I can look at?

I would be using laravel as an API server only and use reactjs as UI, but after a few days research I might move away from laravel (not that openidconnect client friendly by default). You are my last hope:) PHP can natively run on hosting servers hence my choice instead of an expressjs or some other which requires at least a docker/kubernetes/etc

I hope you can answer fast though my project is private so non-commercial.

Requirements

Hello,

In your Requirements, it is mentioned the following thing:

image

I do not have a "users" table : except that of keycloak.

In addition, my database is under postgresql: is there a specific configuration to set up for this connection to the table users laravel with this (your) module ?

Regards,
Christophe

Call to undefined method KeycloakGuard\KeycloakGuard::attempt()

[2021-12-11 23:20:18] development.ERROR: 'Call to undefined method KeycloakGuard\KeycloakGuard::attempt()' - File: '/var/www/html/vendor/laravel/framework/src/Illuminate/Auth/AuthManager.php' - Method: 'login' at line: 336  

I followed the document. All the env vars are fine as well. Can someone help me out?

With laravel-keycloak-web-guard

Hello, currently I am using the package laravel-keycloak-web-guard with the front end, and it's working fine.

Now, can I use this API guard along with the web guard?

My auth.php:
'web' => [
    'driver' => 'keycloak-web',
    'provider' => 'users',
],
'api' => [
    'driver' => 'keycloak',
    'provider' => 'users',
    'hash' => false,
],

And using customised user provider:
'driver' => 'keycloak-users',
'model' => App\Models\User::class,

When I tried it with sending token: getting resource_access exception.

How should I configure this ??

how to integrate

I've installed the laravel-keycloak-guard like instructed, but I am getting the error.
Do I need to do something that is not documented to make this work?

API works well without keycloak-guard

Thanks in advance.

my configuration:
"php": "^7.1.3",
"fideloper/proxy": "^4.0",
"laravel/framework": "5.8.*",
"laravel/tinker": "^1.0",
"robsontenorio/laravel-keycloak-guard": "^1.3"

error stack trace.

InvalidArgumentException thrown with message "Route [login] not defined."

Stacktrace:
#35 InvalidArgumentException in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/UrlGenerator.php:388
#34 Illuminate\Routing\UrlGenerator:route in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Foundation/helpers.php:782
#33 route in /home/ostri/sites/l2/app/Http/Middleware/Authenticate.php:18
#32 App\Http\Middleware\Authenticate:redirectTo in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Auth/Middleware/Authenticate.php:68
#31 Illuminate\Auth\Middleware\Authenticate:authenticate in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Auth/Middleware/Authenticate.php:41
#30 Illuminate\Auth\Middleware\Authenticate:handle in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:163
#29 Illuminate\Pipeline\Pipeline:Illuminate\Pipeline{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:53
#28 Illuminate\Routing\Pipeline:Illuminate\Routing{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php:58
#27 Illuminate\Routing\Middleware\ThrottleRequests:handle in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:163
#26 Illuminate\Pipeline\Pipeline:Illuminate\Pipeline{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:53
#25 Illuminate\Routing\Pipeline:Illuminate\Routing{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:104
#24 Illuminate\Pipeline\Pipeline:then in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Router.php:682
#23 Illuminate\Routing\Router:runRouteWithinStack in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Router.php:657
#22 Illuminate\Routing\Router:runRoute in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Router.php:623
#21 Illuminate\Routing\Router:dispatchToRoute in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Router.php:612
#20 Illuminate\Routing\Router:dispatch in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:176
#19 Illuminate\Foundation\Http\Kernel:Illuminate\Foundation\Http{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:30
#18 Illuminate\Routing\Pipeline:Illuminate\Routing{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php:21
#17 Illuminate\Foundation\Http\Middleware\TransformsRequest:handle in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:163
#16 Illuminate\Pipeline\Pipeline:Illuminate\Pipeline{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:53
#15 Illuminate\Routing\Pipeline:Illuminate\Routing{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php:21
#14 Illuminate\Foundation\Http\Middleware\TransformsRequest:handle in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:163
#13 Illuminate\Pipeline\Pipeline:Illuminate\Pipeline{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:53
#12 Illuminate\Routing\Pipeline:Illuminate\Routing{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php:27
#11 Illuminate\Foundation\Http\Middleware\ValidatePostSize:handle in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:163
#10 Illuminate\Pipeline\Pipeline:Illuminate\Pipeline{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:53
#9 Illuminate\Routing\Pipeline:Illuminate\Routing{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php:62
#8 Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode:handle in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:163
#7 Illuminate\Pipeline\Pipeline:Illuminate\Pipeline{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:53
#6 Illuminate\Routing\Pipeline:Illuminate\Routing{closure} in /home/ostri/sites/l2/vendor/fideloper/proxy/src/TrustProxies.php:57
#5 Fideloper\Proxy\TrustProxies:handle in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:163
#4 Illuminate\Pipeline\Pipeline:Illuminate\Pipeline{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php:53
#3 Illuminate\Routing\Pipeline:Illuminate\Routing{closure} in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php:104
#2 Illuminate\Pipeline\Pipeline:then in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:151
#1 Illuminate\Foundation\Http\Kernel:sendRequestThroughRouter in /home/ostri/sites/l2/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php:116
#0 Illuminate\Foundation\Http\Kernel:handle in /home/ostri/sites/l2/public/index.php:55

TokenExpired Exception not catchable by middleware

Hi, I have trouble with the Token Expired Exception. vendor/robsontenorio/laravel-keycloak-guard/src/KeycloakGuard.php calls $this->authenticate() on class construction, and if a token has expired, the catch block on line 41 throws a new TokenException($e->getMessage());

The problem is in my authentication middleware. It does not catch any expired-token exception, so there cannot be a JSON response; a 500 status and Laravel's HTML message are returned instead of JSON.

Confused by resource_access and allowed_resources

Hello,
It looks like your package is going to work great for my needs, but I'm really confused by how the resource_access check is supposed to work. Please note that I'm very new to keycloak and this terminology, but I'll do my best to describe my issue.

In Keycloak I created a client test-app-js and have added the client roles "user", "manager", and "superuser".

I've set up a mapper to add the user's client roles to the token. The default Token Claim Name for the mapper is resource_access.${client_id}.roles. When I inspect the token, I can see the role is getting added in this format:

Screen Shot 2020-05-07 at 3 58 37 PM

Initially I was trying to set the allowed_resources to my roles, like "allowed_resources" => "user,manager,superuser", but I always get the error:

The decoded JWT token has not a valid resource_access allowed by API.

After some digging I found this is the part of the code that checks the resource access:

private function validateResources()
{
    $token_resource_access = array_keys((array)($this->decodedToken->resource_access ?? []));
    $allowed_resources = explode(',', $this->config['allowed_resources']);
    if (count(array_intersect($token_resource_access, $allowed_resources)) == 0) {
        throw new ResourceAccessNotAllowedException("The decoded JWT token has not a valid `resource_access` allowed by API. Allowed resources by API: " . $this->config['allowed_resources']);
    }
}

The line that confuses me is:

$token_resource_access = array_keys((array)($this->decodedToken->resource_access ?? []));

So my question is: is the intention with allowed_resources to restrict clients? Because the only way I've been able to get it to work is to set "allowed_resources" => "test-app-js" (my client name), which works because that is the key of the first array inside resource_access. I guess I was just confused if this was the intended functionality, or if I'm doing something wrong.

Thanks!
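
The check quoted in this issue, and the missing-resource_access case reported in the "allowed_resources" issue further up, run here against constructed tokens. This is an added example, not the package's code: matchedResources() applies the same key comparison as the quoted validateResources() but also trims entries and ignores empty ones, and hasClientRole() is a hypothetical helper for the per-client role lookup.

```php
<?php
// Added example. The decoded tokens are constructed to match the shape described
// in the post: client roles live under resource_access.<client_id>.roles.

// Compare the KEYS of resource_access (client ids) with the comma-separated
// allowed_resources value. An empty result is the case in which the quoted
// snippet throws ResourceAccessNotAllowedException.
function matchedResources(object $token, ?string $allowedResources): array
{
    $tokenClients = array_keys((array) ($token->resource_access ?? []));
    $allowed = array_filter(array_map('trim', explode(',', (string) $allowedResources)), 'strlen');
    return array_values(array_intersect($tokenClients, $allowed));
}

// Hypothetical helper (not the package's API): roles are looked up per client,
// one level below the keys that allowed_resources is compared with.
function hasClientRole(object $token, string $client, string $role): bool
{
    $roles = $token->resource_access->{$client}->roles ?? [];
    return in_array($role, (array) $roles, true);
}

function demo(): array
{
    // Constructed token issued for the client "test-app-js" with a client role.
    $token = json_decode('{
        "azp": "test-app-js",
        "realm_access": {"roles": ["offline_access"]},
        "resource_access": {
            "test-app-js": {"roles": ["manager"]},
            "account": {"roles": ["view-profile"]}
        }
    }');
    // Constructed token from a realm that sends no resource_access claim at all.
    $bare = json_decode('{"azp": "test-app-js", "realm_access": {"roles": ["offline_access"]}}');

    return [
        'role names as allowed_resources' => matchedResources($token, 'user,manager,superuser'),
        'client id as allowed_resources'  => matchedResources($token, 'test-app-js'),
        'token without resource_access'   => matchedResources($bare, 'test-app-js'),
        'allowed_resources left unset'    => matchedResources($token, null),
        'manager role on test-app-js'     => hasClientRole($token, 'test-app-js', 'manager'),
        'manager role on account'         => hasClientRole($token, 'account', 'manager'),
    ];
}

foreach (demo() as $case => $result) {
    printf("%-34s %s\n", $case, json_encode($result));
}
```

The comparison restricts which clients' tokens the API accepts; which roles a user holds inside an accepted client is a separate, later check.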
