Closed jhkuperus closed 3 years ago
Apologies, I pressed enter too soon. Still writing the bug-report properly.
@jhkuperus could you attach an example discovery file with the new keys. It would be great to write a regression test.
Here's the response from our Keycloak on /auth/realms/test-realm/.well-known/openid-configuration: keycloak-11-discovery.json.zip
(The actual realm name and hostname have been replaced.)
By the way, I'm trying to get the OAuth2KeycloakIT to run, but it just keeps failing on OAuth2KeycloakIT.lambda$setUp$0:54 Expected true, even with the Keycloak 6 docker image that you provide in the fixtures. Any hints?
It works for me.
docker build -t vertx-test-keycloak vertx-auth-oauth2/src/test/fixtures
docker run -d -p 8888:8080 -p 9443:8443 vertx-test-keycloak
from the root of the project. Upgrading to 11 would be interesting, but it also requires a new dump of the fixtures, which aren't compatible with newer versions.
I've added a test to confirm that introspection works with Keycloak. Apparently Keycloak 6 already supported both keys. Switching to the official one seems to be the better choice instead of relying on some legacy config.
So, is this patched for a next 3.9.x version? I prepared a version that reads the RFC-8414 field first and tries to fall back on the legacy one if it read null. Then again, if most mainstream versions of Keycloak already had the RFC field as well, switching would indeed be the best solution.
I also looked over the 4.0 code and couldn't find a reference to the legacy field there. So hopefully we won't run into this again when we migrate to 4.0 soonish.
Thank you for your swift action!
We're already on release candidates for 4.0.0; unless this is really critical we may backport it to 3.9. Currently it only targets 4.0.0, and the next candidate release (CR2) should be done in the coming days.
Understood. I haven't seen anyone else complain about this, so I guess it's not that critical? We can work with our fork now until we go with the 4.0.0 upgrade.
Version
3.9.4

Context
Our operations team recently upgraded Keycloak to version 11. This caused all of our Vertx-services to suddenly fail with 403 responses, with "Invalid path" as the underlying message. After some analysis, the "Invalid path" message was a response from Keycloak, which Vertx-auth was trying to connect to with introspectionPath == null.

It appears Keycloak 11 has removed the deprecated field token_introspection_endpoint in favor of the field introspection_endpoint (based on RFC-8414). This causes OpenIDConnectAuth to read a null value for the token introspection endpoint and later break.

Do you have a reproducer?

I'll curate a discovery-document for this issue.

Steps to reproduce

Extra
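The fallback order proposed in the comments above (read the RFC 8414 introspection_endpoint first, fall back to the legacy Keycloak token_introspection_endpoint) and the null-path failure described in the issue, as an added example that is not part of this issue or of vertx-auth. It is written in Python rather than the project's Java, the discovery documents are constructed here (they are not the attached keycloak-11-discovery.json), and the function names are illustrative. The same-origin check against the issuer is an extra assumption of this example, not something the thread proposes; it is there so that a missing or tampered key fails closed instead of sending tokens to a null path or a foreign host.

```python
import json
from urllib.parse import urlparse

# Constructed sample documents for this example (not real Keycloak output);
# only the keys relevant to the issue are included.
ISSUER = "https://sso.example.test/auth/realms/test-realm"
INTROSPECT = ISSUER + "/protocol/openid-connect/token/introspect"

# Keycloak 6 style: legacy key and RFC 8414 key both present.
KEYCLOAK_6_STYLE = json.dumps({
    "issuer": ISSUER,
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "token_introspection_endpoint": INTROSPECT,
    "introspection_endpoint": INTROSPECT,
})

# Keycloak 11 style: only the RFC 8414 key remains.
KEYCLOAK_11_STYLE = json.dumps({
    "issuer": ISSUER,
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "introspection_endpoint": INTROSPECT,
})

# A server that does not advertise introspection at all.
NO_INTROSPECTION = json.dumps({
    "issuer": ISSUER,
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
})

# Document from a different issuer than the one we configured.
FOREIGN_ISSUER = json.dumps({
    "issuer": "https://evil.example.test/realm",
    "introspection_endpoint": "https://evil.example.test/introspect",
})


class DiscoveryError(ValueError):
    """Raised when the discovery document cannot safely be used."""


def legacy_introspection_path(doc: str):
    """The pre-fix behaviour described in the issue: read only the deprecated
    Keycloak key. For a Keycloak 11 document this returns None, which is the
    value that later surfaced as a 403 'Invalid path' from Keycloak."""
    return json.loads(doc).get("token_introspection_endpoint")


def introspection_endpoint(doc: str, issuer: str) -> str:
    """Resolve the introspection endpoint from an OIDC discovery document.

    Preference order: RFC 8414 'introspection_endpoint', then the legacy
    Keycloak 'token_introspection_endpoint'. Fails closed (raises) when the
    issuer does not match, when neither key is present, or when the endpoint
    is not on the issuer's origin (the origin check is this example's own
    hardening, not part of the thread)."""
    meta = json.loads(doc)
    if meta.get("issuer") != issuer:
        raise DiscoveryError("discovery document issuer does not match configured issuer")

    value = meta.get("introspection_endpoint") or meta.get("token_introspection_endpoint")
    if not isinstance(value, str) or not value:
        raise DiscoveryError("discovery document advertises no introspection endpoint")

    url, iss = urlparse(value), urlparse(issuer)
    if (url.scheme, url.netloc) != (iss.scheme, iss.netloc):
        raise DiscoveryError(f"introspection endpoint {value!r} is not on the issuer origin")
    return value


if __name__ == "__main__":
    print("legacy read, Keycloak 11 doc:", legacy_introspection_path(KEYCLOAK_11_STYLE))
    for name, doc in [("kc6", KEYCLOAK_6_STYLE), ("kc11", KEYCLOAK_11_STYLE),
                      ("none", NO_INTROSPECTION), ("foreign", FOREIGN_ISSUER)]:
        try:
            print(name, "->", introspection_endpoint(doc, ISSUER))
        except DiscoveryError as exc:
            print(name, "-> refused:", exc)
```

Reading the RFC key first and only then the legacy key covers both the Keycloak 6 fixture in the repository (which advertises both) and Keycloak 11 (which advertises only the RFC key); raising instead of returning None is what turns the "Invalid path" surprise into a clear configuration error at startup.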