Keycloak Claim Information Point - NPE when trying to read body

[tpenakov]

When you try to read body through Claim Information Point the result is Null Pointer Exception.

When you add the following to your application.properties file:

quarkus.keycloak.policy-enforcer.claim-information-point.claims.claim-from-body={request.body}

And execute the post request against the endpoint /api/auth-entry

The result is:

ERROR: HTTP Request to /api/auth-entry failed, error id: d73bb86a-aa3e-40bc-9497-7683a11b1a92-1
java.lang.NullPointerException
	at io.quarkus.keycloak.pep.VertxHttpFacade$1.getInputStream(VertxHttpFacade.java:124)
	at org.keycloak.adapters.authorization.util.RequestPlaceHolderResolver.resolve(RequestPlaceHolderResolver.java:107)
	at org.keycloak.adapters.authorization.util.PlaceHolders.parsePlaceHolders(PlaceHolders.java:93)
	at org.keycloak.adapters.authorization.util.PlaceHolders.resolve(PlaceHolders.java:45)

Here is the Sample Project

You can create the quarkus realm from src/test/resources/keycloack/quarkus-realm.json file.

Then you can retrieve the token for user (alice/alice) as described here: https://quarkus.io/guides/security-keycloak-authorization

Then you have to put the token in org.otaibe.enforcer.claim.can.not.read.body.web.controller.RestControllerTest#TOKEN

If you execute the test org.otaibe.enforcer.claim.can.not.read.body.web.controller.RestControllerTest#testPostEndpoint

Then you will receive the NPE

[gsmet]

@sberyozkin @pedroigor any chance you could have a look at that one before tomorrow evening?

[pedroigor]

@gsmet Looking ...

[pedroigor]

@gsmet @tpenakov I think I'll not be able to deliver this fix until tomorrow.

Although I managed to fix the original issue so that we can properly read the request body, it is not possible to read the body again by the application. For this one, I'm stuck and I don't have yet a clue how to allow the request inputstream to be read twice (by security handlers + later on by the application).

@sberyozkin @stuartwdouglas Any clue how we can achieve this? Is there some way to buffer the inputstream and/or use a markSupported one ? Or maybe prove a wrapper for vert.x request so that we can buffer the stream ....

[pedroigor]

Regarding the original problem (NPE when obtaining the body) the cause of the exception is that the body needs to be read first by a handler (blocking). The solution I found is to reuse the VertxInputStream from Resteasy extension.

[pedroigor]

I think I have a prototype that might work. But not sure whether or not it is the best way to achieve it. Here are the changes https://github.com/quarkusio/quarkus/compare/master...pedroigor:issue-5959?expand=1.

Basically, after reading the request from the security layer, we set a buffered stream in the routing context so that later it can be reused. There is a change to Resteasy that checks whether or not the buffered stream is set and if so, uses it instead of trying to read again from the connection.