Comments (9)
/cc @geoand (kubernetes,openshift), @iocanel (kubernetes,openshift), @pedroigor (oidc), @sberyozkin (oidc)
from quarkus.
@fedinskiy I believe this issue is invalid, as you get 403 for the discovery request, which most likely means that Kubernetes expects some authorisation token. So you should update the test and add an OidcRequestFilter which will set that token. There was an issue closed recently related to this situation; I'll add the links a bit later.
from quarkus.
@fedinskiy FYI, #38246. Note 403 is mentioned when accessing the discovery endpoint, with a link to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/. I think this is the exact same case here with the RHSSO image.
See also a follow-up bug closed yesterday: #38776.
So, on main, you need to add OidcRequestFilter and, for now, since you may also have to do the same for the JWKS endpoint, add the required service account token if request.uri() ends with either .well-known/openid-configuration (the discovery endpoint) or /protocol/openid-connect/certs (Keycloak JWKS endpoint).
from quarkus.
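The filter described in the comment above, written out as an added example (it is not code from the issue thread or from the Quarkus project). It assumes the Quarkus 3.8-era OidcRequestFilter signature with request.uri(), the default Kubernetes projected token mount path, and that only the discovery and JWKS requests need the token; the class and package names are made up for the example.

```java
package org.acme.oidc;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import jakarta.enterprise.context.ApplicationScoped;

import io.quarkus.arc.Unremovable;
import io.quarkus.oidc.common.OidcRequestContextProperties;
import io.quarkus.oidc.common.OidcRequestFilter;
import io.vertx.mutiny.core.buffer.Buffer;
import io.vertx.mutiny.ext.web.client.HttpRequest;

/**
 * Adds the pod's service account token as a Bearer header to the two OIDC
 * metadata requests Quarkus sends to the provider: discovery and JWKS.
 * Token, userinfo and introspection requests are left untouched, so the
 * service account token never travels further than the metadata endpoints.
 */
@ApplicationScoped
@Unremovable
public class ServiceAccountTokenFilter implements OidcRequestFilter {

    // Assumption: default projected token mount inside a Kubernetes pod.
    static final Path TOKEN_PATH =
            Path.of("/var/run/secrets/kubernetes.io/serviceaccount/token");

    @Override
    public void filter(HttpRequest<Buffer> request, Buffer requestBody,
                       OidcRequestContextProperties contextProperties) {
        if (!needsToken(request.uri())) {
            return;
        }
        String token = readToken();
        if (token != null) {
            request.putHeader("Authorization", "Bearer " + token);
        }
    }

    /** Matches only the discovery and Keycloak JWKS paths, ignoring any query string. */
    static boolean needsToken(String uri) {
        String path = uri;
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q);
        }
        return path.endsWith("/.well-known/openid-configuration")
                || path.endsWith("/protocol/openid-connect/certs");
    }

    /**
     * Re-read on every call so a rotated projected token is picked up;
     * returns null outside a pod (or when the token is not mounted), in which
     * case the request goes out unauthenticated and the 403 remains visible.
     */
    static String readToken() {
        try {
            return Files.readString(TOKEN_PATH, StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            return null;
        }
    }
}
```

Because the metadata is fetched once at startup and then cached, a missing or unreadable token shows up as the same 403 on the discovery request the issue reports, which is a useful signal to keep rather than swallow.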
@sberyozkin is this described somewhere in our docs? Right now, I am a little bit confused.
As far as I understand, the discovery request is sent to the Keycloak endpoint, and the endpoint is accessible without authorisation.
The link you sent describes service accounts, which I do not use in the example. I expect that, from the K8s point of view, there are just two apps in the same project which communicate through HTTP.
from quarkus.
@fedinskiy In that case there is something else specific to the RHSSO deployment that blocks what is a typically public request.
Can you access the well known configuration endpoint from the browser?
from quarkus.
@sberyozkin I can open http://$(oc get route rhsso -o template --template='{{.spec.host}}')/realms/test-mutual-tls-realm in the browser. But if I go through the links which are posted there, then token-service (realms/test-mutual-tls-realm/protocol/openid-connect) says "Page not found" and account-service (realms/test-mutual-tls-realm/account) says "https required", despite the link being posted in http:// form.
UPD: curl with -L -v for both shows that token-service returns HTTP 404 and account-service 302 and then 200 (so it is a different behaviour from the browser).
from quarkus.
@fedinskiy The failure happens with the access forbidden error when Quarkus OIDC attempts to get ${quarkus.oidc.auth-server-url}/.well-known/openid-configuration, can you check this one please?
from quarkus.
It returns 403 with body {"error":"invalid_request","error_description":"HTTPS required"}, which makes sense, since we have "sslRequired": "all", in keycloak-realm.json, thank you!
However, if we had this error (and the probed path) in the Quarkus logs or error stacktrace, that would improve things tremendously and there would be no need to disturb you with this issue. Is it possible to make such changes?
from quarkus.
@fedinskiy Sure, I've opened #38819
from quarkus.