search

micronaut-projects / micronaut-security

The official Micronaut security solution
Apache License 2.0
168 stars 124 forks source link

Support Keycloak 17+ #1024

Open morki opened 2 years ago

morki commented 2 years ago

Feature description

Keycloak 17

In Keycloak 17 the default distribution is powered by Quarkus and default endpoints has changed (removed the /auth prefix) so autoconfiguration of EndSessionEndpoint is failing.

See https://github.com/micronaut-projects/micronaut-security/pull/1009

Keycloak 18

In Keycloak 18 there are even bigger changes as shift to using standard OIDC logout and more. This means the KeycloakEndSessionEndpoint is not working anymore.

The behaviour is now following OIDC standard and is working exactly as OktaEndSessionEndpoint.

Proposed solution

Add new configuration property mode with following options:

Example:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            issuer: xxx
            end-session:
              enabled: true
              mode: standard # <-- this is the new property

Current workaround for Keycloak 18

We successfuly tricked Micronaut to think that Keycloak is Okta by using ?okta suffix for issuer URL e.g. https://sso.xxx.com/realms/master?okta.

graemerocher commented 2 years ago

would you consider sending a PR for this? I think it makes sense to add a separate keycloak18 config so that older versions continue to be supported

morki commented 2 years ago

@graemerocher I think the same, what do you think about the proposed solution above? Any naming or other recommendations?

graemerocher commented 2 years ago

seems fine, will need to be documented though

sdelamo commented 2 years ago

Thanks for the request @morki

I think we have to support OpenID Connect RP-Initiated Logout 1.0. And I think we have to be able to specify whether you want to use that logout request or a custom.

morki commented 2 years ago

New version for this proposal can use property vendor instead of mode:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            vendor: keycloak-17 # <-- this is the new property
            issuer: xxx
            end-session:
              enabled: true

This new version can be used for https://github.com/micronaut-projects/micronaut-test-resources/pull/44 and will enable multiple versions of Keycloak for example.

j1cs commented 1 year ago

i just want to say that keycloak is version 21.