Open megian opened 2 years ago
Potentially we could run the application itself on /, but do a rewrite on /auth in the ingress if required.

> Potentially we could run the application itself on /, but do a rewrite on /auth in the ingress if required.
I don't know if there's an ingress controller agnostic way to do rewrites in the ingress, but I suspect we'd have to implement this using custom annotations for each ingress controller we want to support (this is one of the things that Gateway API aims to address as far as I understand).
Another idea I had was to have a separate path entry for / with path type Exact in the Ingress object. This approach could work on clusters with ingress controllers which support path type Exact for ingress paths. However, for example the OpenShift 4 ingress-to-route controller explicitly doesn't support that path type, so this won't work reliably across different Kubernetes distributions.
Edit: I read the comment wrong at first.
In Keycloak v20 the admin URL can be different to the frontend URL and might fix this.

> In Keycloak v20 the admin URL can be different to the frontend URL and might fix this.
It isn't. Setting Keycloak itself to / and redirecting /auth to / at the ingress level could be another option.
Setting Keycloak itself to / and rewriting /auth to / at the ingress level does work in a first test.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: keycloakx-auth-rewrite
  namespace: syn-keycloak-test
spec:
  ingressClassName: nginx
  rules:
    - host: id.test.example.com
      http:
        paths:
          - backend:
              service:
                name: keycloakx-http
                port:
                  name: https
            path: /auth(/|$)(.*)
            pathType: Prefix
  tls:
    - hosts:
        - id.test.example.com
      secretName: ingress-tls
```
For OpenShift:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    route.openshift.io/termination: reencrypt
    haproxy.router.openshift.io/rewrite-target: /
  name: keycloakx-auth-rewrite
  namespace: syn-keycloak-test
spec:
  rules:
    - host: id.test.example.com
      http:
        paths:
          - backend:
              service:
                name: keycloakx-http
                port:
                  name: https
            path: /auth
            pathType: Prefix
  tls:
    - hosts:
        - id.test.example.com
      secretName: ingress-tls
```
Just rewriting the realm URL does work in the case OpenID Connect Discovery isn't used. Keycloak currently doesn't support keycloak/keycloak#17634 (multiple realm front-ends).

Original path: https://x.x.x.x/auth/realms/my_realm/.well-known/openid-configuration
Adjusted path: https://x.x.x.x/realms/my_realm/.well-known/openid-configuration

The issuer URL remains the same and the verification fails.

oauth2-proxy is able to ignore it using the --insecure-oidc-skip-issuer-verification parameter. But each OIDC implementation might be different.
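To make the failure mode above concrete, here is an added example that is not part of the thread and not code from Keycloak, oauth2-proxy or the ingress controllers. It applies the nginx path regex and rewrite target from the Ingress above to a few request paths, then runs the issuer check that OpenID Connect Discovery requires (the `issuer` value must equal the discovery URL minus `/.well-known/openid-configuration`). The Keycloak answer is a constructed stand-in that, like a Keycloak served at `/`, derives its issuer without an `/auth` prefix; the client URLs are constructed too.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Added example (not from the issue): the regex and rewrite target below are
# the ones from the nginx Ingress; the Keycloak stand-in and URLs are constructed.
AUTH_PREFIX_RE = re.compile(r"^/auth(/|$)(.*)")
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def rewrite_path(path: str) -> Optional[str]:
    """Mimic `path: /auth(/|$)(.*)` combined with `rewrite-target: /$2`.

    Returns the path the backend receives, or None when the rule does not
    match (e.g. /authx, which must not be treated as the /auth prefix).
    """
    m = AUTH_PREFIX_RE.match(path)
    if m is None:
        return None
    return "/" + m.group(2)


def expected_issuer(discovery_url: str) -> str:
    """OpenID Connect Discovery 1.0 ties the document to the URL it was
    fetched from: issuer == discovery URL without the well-known suffix."""
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("not an OpenID Connect Discovery URL")
    return discovery_url[: -len(DISCOVERY_SUFFIX)]


def keycloak_discovery(backend_path: str, public_base: str) -> dict:
    """Constructed stand-in for Keycloak running at `/`: the issuer it reports
    is built from its prefix-less public base URL and the realm in the path."""
    m = re.match(r"^/realms/([^/]+)" + re.escape(DISCOVERY_SUFFIX) + "$", backend_path)
    if m is None:
        raise LookupError("Resource not found")  # what an unknown path yields
    return {"issuer": f"{public_base}/realms/{m.group(1)}"}


def discover_through_ingress(client_url: str) -> Tuple[dict, bool]:
    """Send the client's discovery request through the simulated rewrite and
    apply the issuer check a conforming OIDC client performs.

    Assumption: paths without the /auth prefix reach Keycloak unchanged, as
    they would through a second Ingress rule for `/`.
    Returns (discovery document, issuer_matches).
    """
    parts = urlsplit(client_url)
    public_base = f"{parts.scheme}://{parts.netloc}"
    backend_path = rewrite_path(parts.path)
    if backend_path is None:
        backend_path = parts.path
    doc = keycloak_discovery(backend_path, public_base)
    return doc, doc["issuer"] == expected_issuer(client_url)


if __name__ == "__main__":
    for url in (
        "https://id.test.example.com/auth/realms/my_realm" + DISCOVERY_SUFFIX,
        "https://id.test.example.com/realms/my_realm" + DISCOVERY_SUFFIX,
    ):
        doc, ok = discover_through_ingress(url)
        print(f"{url}\n  issuer={doc['issuer']}\n  expected={expected_issuer(url)}\n  ok={ok}")
```

Run as a script, the legacy `/auth/realms/...` discovery URL yields an issuer of `https://id.test.example.com/realms/my_realm` while the client expects `https://id.test.example.com/auth/realms/my_realm`, so the check fails exactly as the comment describes; the prefix-less URL passes. The issuer check is what binds tokens and endpoints in the document to the origin the client asked, so disabling it (as `--insecure-oidc-skip-issuer-verification` does) trades that binding for compatibility; pointing clients at the new prefix-less discovery URL keeps the check intact.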
See potential optimization in later Keycloak versions keycloak/keycloak#27730.
Should become fixed with keycloak/keycloak#32863 in v26.
@megian Yes, the required functionality is part of Keycloak 26.
Context
The original behavior of WildFly was having a redirect from / to /auth. After the migration you just get a "Resource not found".
Alternatives
Keep without.