KeycloakOpenIDConnection created successfully even if the credentials are wrong

[alexrohozneanu]

I have the following code

I am using python-keycloak=4.4.0

keycloak_connection = KeycloakOpenIDConnection(
            server_url="https://localhost:8443",
            username="admin",
            password="admin",
            verify=False,
        )
admin = LibKeycloakAdmin(connection=keycloak_connection)

print(admin.get_server_info())

This works perfectly and outputs the desired result

However, if I put in some wrong credentials, the keycloak_connection object is still created, and the keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}' error is raise only when I call a method from the admin object like admin.get_server_info(). Example bellow:

keycloak_connection = KeycloakOpenIDConnection(
            server_url="https://localhost:8443",
            username="dummy",
            password="dummy",
            verify=False,
        )
admin = LibKeycloakAdmin(connection=keycloak_connection)

print(admin.get_server_info())

This is the output:

/Users/alexr/PycharmProjects/AndreeaRulesPython/.venv/lib/python3.8/site-packages/urllib3/connectionpool.py:1099: InsecureRequestWarning: Unverified HTTPS request is being made to host 'localhost'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
  warnings.warn(
Traceback (most recent call last):
  File "/Users/alexr/PycharmProjects/AndreeaRulesPython/python-keycloak.py", line 16, in <module>
    print(admin.get_server_info())
  File "/Users/alexr/PycharmProjects/AndreeaRulesPython/.venv/lib/python3.8/site-packages/keycloak/keycloak_admin.py", line 963, in get_server_info
    data_raw = self.connection.raw_get(urls_patterns.URL_ADMIN_SERVER_INFO)
  File "/Users/alexr/PycharmProjects/AndreeaRulesPython/.venv/lib/python3.8/site-packages/keycloak/openid_connection.py", line 369, in raw_get
    self._refresh_if_required()
  File "/Users/alexr/PycharmProjects/AndreeaRulesPython/.venv/lib/python3.8/site-packages/keycloak/openid_connection.py", line 354, in _refresh_if_required
    self.refresh_token()
  File "/Users/alexr/PycharmProjects/AndreeaRulesPython/.venv/lib/python3.8/site-packages/keycloak/openid_connection.py", line 337, in refresh_token
    self.get_token()
  File "/Users/alexr/PycharmProjects/AndreeaRulesPython/.venv/lib/python3.8/site-packages/keycloak/openid_connection.py", line 324, in get_token
    self.token = self.keycloak_openid.token(
  File "/Users/alexr/PycharmProjects/AndreeaRulesPython/.venv/lib/python3.8/site-packages/keycloak/keycloak_openid.py", line 339, in token
    return raise_error_from_response(data_raw, KeycloakPostError)
  File "/Users/alexr/PycharmProjects/AndreeaRulesPython/.venv/lib/python3.8/site-packages/keycloak/exceptions.py", line 192, in raise_error_from_response
    raise error(
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'

I would expect that the error should be raised during the creation of the connection and not afterwards.
Same thing for client_id and client_secret_key

[ryshoooo]

Hi @alexrohozneanu

This is a deliberate design of the library, network calls are only made upon executed actions, not during instantiation.

[alexrohozneanu]

Hi @ryshoooo,

Thanks for your comment!

I would expect that, in case there is no network connection to the server, the code would raise the error as soon as possible, and that would be during the instantiation of the class.

Also the name of the class is suffixed by "Connection" which is making me believe the connection should already be established during instantiation.

Are there any specific reasons on why the library is designed like that?