Comments (9)

quarkus-bot avatar quarkus-bot commented on June 20, 2024

/cc @geoand (kubernetes,openshift), @iocanel (kubernetes,openshift), @pedroigor (oidc), @sberyozkin (oidc)

from quarkus.

sberyozkin avatar sberyozkin commented on June 20, 2024

@fedinskiy I believe this issue is invalid, as you get 403 for the discovery request, which most likely means that Kubernetes expects some authorisation token. So you should update the test and add an OidcRequestFilter which will set that token. There was an issue closed recently related to this situation; I'll add the links a bit later.


sberyozkin avatar sberyozkin commented on June 20, 2024

@fedinskiy
FYI, #38246. Note 403 is mentioned when accessing the discovery endpoint, with a link to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/. I think this is the exact same case here with the RHSSO image.

See also a follow-up bug closed yesterday: #38776.

So, on main, you need to add OidcRequestFilter and for now, since you may also have to do the same for the JWKS endpoint, add the required service account token if request.uri() ends with either .well-known/openid-configuration (the discovery endpoint) or /protocol/openid-connect/certs (Keycloak JWKS endpoint).

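The filter sberyozkin describes above, written out as an added example (this is not code from the thread or from the Quarkus project). It assumes the Quarkus 3.x OidcRequestFilter API with the three-argument filter method, the default Kubernetes projected token location /var/run/secrets/kubernetes.io/serviceaccount/token, and the two endpoint suffixes named in the comment; the class and package names are made up for illustration. The token is attached only to the discovery and JWKS requests, so the service account credential is never sent on token, introspection or other calls where it is not needed.

```java
package org.acme.oidc; // hypothetical package name

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

import jakarta.enterprise.context.ApplicationScoped;

import io.quarkus.arc.Unremovable;
import io.quarkus.oidc.common.OidcRequestContextProperties;
import io.quarkus.oidc.common.OidcRequestFilter;
import io.vertx.mutiny.core.buffer.Buffer;
import io.vertx.mutiny.ext.web.client.HttpRequest;

/**
 * Adds the pod's Kubernetes service account token as a Bearer token, but only on the
 * two OIDC metadata requests named in the thread: the discovery document and the
 * Keycloak JWKS endpoint. Every other request is left untouched so the service
 * account token is not exposed to endpoints that never needed it.
 */
@ApplicationScoped
@Unremovable
public class ServiceAccountTokenRequestFilter implements OidcRequestFilter {

    // Default projected token location inside a pod (assumption: not overridden in the pod spec).
    static final Path TOKEN_PATH = Path.of("/var/run/secrets/kubernetes.io/serviceaccount/token");

    /** True only for the discovery endpoint and the Keycloak JWKS endpoint. */
    static boolean needsServiceAccountToken(String uri) {
        // Drop any query string before matching the path suffix.
        int q = uri.indexOf('?');
        String path = q >= 0 ? uri.substring(0, q) : uri;
        return path.endsWith("/.well-known/openid-configuration")
                || path.endsWith("/protocol/openid-connect/certs");
    }

    @Override
    public void filter(HttpRequest<Buffer> request, Buffer body, OidcRequestContextProperties contextProperties) {
        if (!needsServiceAccountToken(request.uri())) {
            return;
        }
        if (request.headers().contains("Authorization")) {
            return; // never overwrite credentials Quarkus has already set on the request
        }
        try {
            String token = Files.readString(TOKEN_PATH).trim();
            if (!token.isEmpty()) {
                request.putHeader("Authorization", "Bearer " + token);
            }
        } catch (IOException e) {
            // Not running in a pod, or the token is not projected: send the request as-is so the
            // failure surfaces as the server's own 401/403 instead of a filter exception.
        }
    }
}
```

A filter like this only helps when the 403 really is an authorization failure on the cluster side; as the rest of this thread shows, the same status can also come from the server itself (here Keycloak answering "HTTPS required"), so read the response body of the probed endpoint before adding credentials to the request.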

fedinskiy avatar fedinskiy commented on June 20, 2024

@sberyozkin is this described somewhere in our docs? Right now, I am a little bit confused.

As far as I understand, the discovery request is sent to the Keycloak endpoint, and the endpoint is accessible without authorisation.
The link you sent describes service accounts, which I do not use in the example. I expect that, from the K8s point of view, there are just two apps in the same project which communicate through HTTP.


sberyozkin avatar sberyozkin commented on June 20, 2024

@fedinskiy In that case there is something else specific to the RHSSO deployment that blocks what is typically a public request.
Can you access the well-known configuration endpoint from the browser?


fedinskiy avatar fedinskiy commented on June 20, 2024

@sberyozkin I can open http://$(oc get route rhsso -o template --template='{{.spec.host}}')/realms/test-mutual-tls-realm in the browser. But if I follow the links which are posted there, then token-service (realms/test-mutual-tls-realm/protocol/openid-connect) says "Page not found" and account-service (realms/test-mutual-tls-realm/account) says "https required", despite the link being posted in http:// form.

UPD: curl with -L -v for both shows that token-service returns HTTP 404 and account-service 302 and then 200 (so it is a different behaviour from the browser).


sberyozkin avatar sberyozkin commented on June 20, 2024

@fedinskiy The failure happens with the access forbidden error when Quarkus OIDC attempts to get ${quarkus.oidc.auth-server-url}/.well-known/openid-configuration, can you check this one please?


fedinskiy avatar fedinskiy commented on June 20, 2024

It returns 403 with body {"error":"invalid_request","error_description":"HTTPS required"}, which makes sense, since we have "sslRequired": "all" in keycloak-realm.json, thank you!

However, if we had this error (and the probed path) in the Quarkus logs or error stacktrace, that would improve things tremendously and there would be no need to disturb you with this issue. Is it possible to make such a change?


sberyozkin avatar sberyozkin commented on June 20, 2024

@fedinskiy Sure, I've opened #38819.
