eclipse-vertx / vertx-auth

Apache License 2.0

Keycloak 11 removes token_introspection_endpoint from discovery endpoint #434

Closed jhkuperus closed 3 years ago

jhkuperus commented 3 years ago

Version

3.9.4

Context

Our operations team recently upgraded Keycloak to version 11. This caused all of our Vertx-services to suddenly fail with 403 responses with Invalid path as the underlying message. After some analysis, the Invalid path message was a response from Keycloak, which Vertx-auth was trying to connect to at introspectionPath == null.

It appears Keycloak 11 has removed the deprecated field token_introspection_endpoint in favor of the field introspection_endpoint (based on RFC-8414). This causes OpenIDConnectAuth to read a null value for the token introspection endpoint and later break.

Do you have a reproducer?

I'll curate a discovery-document for this issue.

Steps to reproduce

  1. Deploy a Keycloak 11 and use discovery for configuration
  2. ...
  3. ...

Extra

openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)

jhkuperus commented 3 years ago

Apologies, I pressed enter too soon. Still writing the bug-report properly.

pmlopes commented 3 years ago

@jhkuperus could you attach an example discovery file with the new keys. It would be great to write a regression test.

jhkuperus commented 3 years ago

Here's the response from our Keycloak on /auth/realms/test-realm/.well-known/openid-configuration:

keycloak-11-discovery.json.zip

(The actual realm name and hostname have been replaced)

jhkuperus commented 3 years ago

By the way, I'm trying to get the OAuth2KeycloakIT to run, but it just keeps failing on OAuth2KeycloakIT.lambda$setUp$0:54 Expected true, even with the Keycloak 6 docker image that you provide in the fixtures. Any hints?

pmlopes commented 3 years ago

It works for me.

docker build -t vertx-test-keycloak vertx-auth-oauth2/src/test/fixtures
docker run -d -p 8888:8080 -p 9443:8443 vertx-test-keycloak

from the root of the project. Upgrading to 11 would be interesting but it also requires a new dump of the fixtures which aren't compatible with newer versions.

pmlopes commented 3 years ago

I've added a test to confirm that introspection works with keycloak. Apparently keycloak 6 already supported both keys. Switching to the official one seems to be the better choice instead of relying on some legacy config.

jhkuperus commented 3 years ago

So, is this patched for a next 3.9.x-version? I prepared a version that reads the RFC-8414 field first and falls back to the legacy one if it reads null. Then again, if most mainstream versions of keycloak already had the RFC-field as well, switching would indeed be the best solution.

I also looked over the 4.0 code and couldn't find a reference to the legacy field there. So hopefully we won't run into this again when we migrate to 4.0 soonish.

Thank you for your swift action!
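The lookup order discussed in this thread (RFC 8414 `introspection_endpoint` first, legacy `token_introspection_endpoint` as fallback), as an added example that is not code from vertx-auth or from anyone in this thread. The discovery documents, issuer and hostnames below are constructed; the `legacy_lookup` function shows why a legacy-only read yields null on a Keycloak 11 document, and `resolve_introspection_endpoint` fails at configuration time rather than letting a missing value reach the HTTP client.

```python
import json
from urllib.parse import urlparse

# Key names: the RFC 8414 one and the legacy one that Keycloak 11 stopped publishing.
RFC8414_KEY = "introspection_endpoint"
LEGACY_KEY = "token_introspection_endpoint"

# Constructed discovery documents (not captured from a real Keycloak), modelled on the
# behaviour described in the issue: Keycloak 6 publishes both keys, Keycloak 11 only the RFC one.
ISSUER = "https://sso.example.test/auth/realms/test-realm"
INTROSPECT = ISSUER + "/protocol/openid-connect/token/introspect"
KEYCLOAK6_LIKE = json.dumps({"issuer": ISSUER, RFC8414_KEY: INTROSPECT, LEGACY_KEY: INTROSPECT})
KEYCLOAK11_LIKE = json.dumps({"issuer": ISSUER, RFC8414_KEY: INTROSPECT})
NO_INTROSPECTION = json.dumps({"issuer": ISSUER, "token_endpoint": ISSUER + "/protocol/openid-connect/token"})
# Endpoint on a host other than the issuer's: a misconfigured or tampered document.
OTHER_HOST = json.dumps({"issuer": ISSUER, RFC8414_KEY: "https://other.example.test/introspect"})


def legacy_lookup(discovery_json: str):
    """Pre-fix behaviour: read only the legacy key, so a Keycloak 11 document yields None."""
    return json.loads(discovery_json).get(LEGACY_KEY)


def resolve_introspection_endpoint(discovery_json: str) -> str:
    """Prefer the RFC 8414 key, fall back to the legacy key, and only accept an https URL
    on the issuer's host, so a missing value fails here instead of as a 403 per request."""
    doc = json.loads(discovery_json)
    endpoint = doc.get(RFC8414_KEY) or doc.get(LEGACY_KEY)
    if not endpoint:
        raise ValueError(f"discovery document has neither {RFC8414_KEY} nor {LEGACY_KEY}")
    ep, iss = urlparse(endpoint), urlparse(doc.get("issuer", ""))
    if ep.scheme != "https" or not ep.netloc or ep.netloc != iss.netloc:
        raise ValueError(f"introspection endpoint {endpoint!r} is not https on issuer host {iss.netloc!r}")
    return endpoint


def discovery_is_usable(discovery_json: str) -> bool:
    """True when an introspection endpoint resolves and passes the checks above."""
    try:
        resolve_introspection_endpoint(discovery_json)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, doc in [("keycloak6", KEYCLOAK6_LIKE), ("keycloak11", KEYCLOAK11_LIKE),
                      ("no-introspection", NO_INTROSPECTION), ("other-host", OTHER_HOST)]:
        print(f"{name}: legacy-only={legacy_lookup(doc)!r} usable={discovery_is_usable(doc)}")
```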

pmlopes commented 3 years ago

We're already on release candidates for 4.0.0. Unless this is really critical we may backport it to 3.9; currently it only targets 4.0.0. The next candidate release (CR2) should be done in the coming days.

jhkuperus commented 3 years ago

Understood. I haven't seen anyone else complain about this, so I guess it's not that critical? We can work with our fork now until we go with the 4.0.0 upgrade.