davido / gerrit-oauth-provider

OAuth2 authentication provider for Gerrit Code Review. Please upload changes for review to: https://gerrit-review.googlesource.com/#/admin/projects/plugins/oauth
Apache License 2.0

Issues with gerrit + keycloak in compose or kubernetes deployments #167

Open mhuin opened 2 years ago

mhuin commented 2 years ago

Hello,

The keycloak oauth plugin doesn't work properly when deploying gerrit and keycloak via a docker or podman compose. This is due to the fact that in a compose, services use an internal networking that may differ from external networking as seen from a user's web browser.

Consider the example compose below:

```yaml
version: '2.3'
services:
  keycloak:
    image: docker.io/jboss/keycloak
    environment:
```

The keycloak service is available via localhost:8082 outside of the compose (for the end user to log in to). However, the gerrit service can only reach the keycloak service as keycloak:8082. When setting the rootUrl parameter in the plugin's configuration, it is impossible to specify an alternative for internal networking, so either the login redirection or gerrit's token fetching will fail.

A possible workaround is to modify the end user /etc/hosts file to add an entry for keycloak. This is unacceptable for production deployments though.

This issue occurs in kubernetes deployments for the same reason. We also observe an issue with the hardcoded keycloak urls for the auth and token endpoints, as they assume that the URL will start with "/auth" - however the documented way to deploy keycloak in kubernetes is as a "virtual host", see: https://www.keycloak.org/getting-started/getting-started-kube

I would recommend adding two optional parameters: authEndpoint and tokenEndpoint so that deployers can specify what URLs to use.
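Added illustration of the mismatch described above (example code, not the plugin's own): one root URL is used to derive both the browser-facing authorization endpoint and the server-side token endpoint with "/auth" assumed, so in a compose network one of the two cannot resolve; the `authEndpoint`/`tokenEndpoint` overrides, the `legacy_context` switch and the resolvability preflight are hypothetical.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlparse

# Keycloak OpenID Connect paths: legacy images serve under the "/auth" context
# path; Quarkus images and the Kubernetes "virtual host" setup serve under "/".
LEGACY_PREFIX = "/auth"
OIDC_PATH = "/realms/{realm}/protocol/openid-connect/{kind}"

@dataclass(frozen=True)
class Endpoints:
    auth: str   # visited by the user's browser (external network view)
    token: str  # called by the Gerrit server (compose/cluster internal view)

def derive_endpoints(root_url: str, realm: str, auth_endpoint: Optional[str] = None,
                     token_endpoint: Optional[str] = None, legacy_context: bool = True) -> Endpoints:
    """One root-url yields both URLs (with "/auth" assumed) unless the hypothetical
    authEndpoint/tokenEndpoint overrides proposed in the issue are supplied."""
    base = root_url.rstrip("/") + (LEGACY_PREFIX if legacy_context else "")
    return Endpoints(
        auth=auth_endpoint or base + OIDC_PATH.format(realm=realm, kind="auth"),
        token=token_endpoint or base + OIDC_PATH.format(realm=realm, kind="token"),
    )

def unreachable(eps: Endpoints, gerrit_resolves: Iterable[str],
                browser_resolves: Iterable[str]) -> list:
    """Preflight: the token endpoint must resolve from Gerrit's container, the auth
    endpoint from the user's browser. Returns the names of the failing endpoints."""
    problems = []
    if urlparse(eps.token).hostname not in set(gerrit_resolves):
        problems.append("token")
    if urlparse(eps.auth).hostname not in set(browser_resolves):
        problems.append("auth")
    return problems

# Constructed scenario from the issue: Keycloak is localhost:8082 for the browser
# but keycloak:8082 from inside the compose network; Gerrit resolves only the latter.
GERRIT_SEES, BROWSER_SEES = {"keycloak"}, {"localhost"}

def compose_without_overrides() -> list:
    eps = derive_endpoints("http://localhost:8082", "gerrit")
    return unreachable(eps, GERRIT_SEES, BROWSER_SEES)  # ["token"]

def compose_with_overrides() -> list:
    eps = derive_endpoints("http://localhost:8082", "gerrit",
        token_endpoint="http://keycloak:8082/auth/realms/gerrit/protocol/openid-connect/token")
    return unreachable(eps, GERRIT_SEES, BROWSER_SEES)  # []
```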

mhuin commented 2 years ago

For more context about the "/auth" issue, see these notes: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed

morucci commented 1 year ago

Hi, any update on that issue?

davido commented 1 year ago

Any contribution would be welcomed.

davido commented 1 year ago

@mhuin

> For more context about the "/auth" issue, see these notes: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed

I added the fix for this problem here: [1].

[1] https://gerrit-review.googlesource.com/c/plugins/oauth/+/372194