vertx-auth

Infinite Redirects when "Authorization" header is not passed explicitly

Open LouizFC opened this issue 5 years ago • 1 comment

Version

3.8.5

Context

The OAuth2AuthHandler enters a redirect loop if the Bearer is not present and Sessions are enabled.

What happens:

  1. User requests a protected route.
  2. User is redirected to keycloak.
  3. User is now (or was) authenticated, redirect user to callback route.
  4. Redirect user to "state" route, usually step 1 route
  5. Bearer not found, redirect user back to keycloak
  6. Repeat 3 to 5 infinitely

The "redirect if Bearer not found" can be found here:

https://github.com/vert-x3/vertx-web/blob/8ed1511766697c9ee9e7e5acaad9041f2ca4c384/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/OAuth2AuthHandlerImpl.java#L81-L119

Edit: Also, "setupCallback" redirects user back to the route specified by the "state" parameter

Do you have a reproducer?

https://github.com/LouizFC/vertx-infinite-loop-reproducer

Steps to reproduce

  1. Import the realm-export.json into a new keycloak realm.
  2. Regenerate the "vertx" client secret at the Client > vertx > Credentials tab
  3. Create a test user
  4. Export the OIDC JSON into the app MainVerticle class, removing trailing slashes from the auth url
  5. Run the app and open localhost:8080/user at the browser
  6. Login with the test user
  7. Infinite loop

LouizFC avatar Feb 25 '20 22:02 LouizFC
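The cycle described in steps 1 to 6, modelled as an added example (constructed here, not vertx-web code and not the reporter's reproducer). It assumes placeholder names for the IdP endpoint (`IDP_AUTH_URL`), the protected route (`/user`) and the callback (`/callback`), stubs the Keycloak login and the code exchange, and models the loop as the authenticated user not being carried across requests in the session (`persist_user_in_session=False`); the protected route accepts an explicit `Authorization: Bearer` header, as in the issue, and otherwise redirects. `run()` drives a browser through the flow and reports a loop when the same URL is reached again with an unchanged session, which is a deterministic cycle rather than a hop count that happens to be large.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed names: the IdP endpoint and both routes are placeholders.
IDP_AUTH_URL = "https://keycloak.example/auth"
CALLBACK_PATH = "/callback"
PROTECTED_PATH = "/user"


@dataclass
class Response:
    status: int
    location: Optional[str] = None


@dataclass
class Browser:
    """One client: its cookie-backed session and the URLs it visited."""
    session: Dict[str, str] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)


class App:
    """Protected route plus OAuth2 callback. persist_user_in_session controls
    whether the callback stores the authenticated user in the session;
    False reproduces the loop from the issue."""

    def __init__(self, persist_user_in_session: bool) -> None:
        self.persist = persist_user_in_session

    def handle(self, path: str, query: Dict[str, str],
               headers: Dict[str, str], session: Dict[str, str]) -> Response:
        if path == CALLBACK_PATH:
            return self._callback(query, session)
        if path == PROTECTED_PATH:
            return self._protected(path, headers, session)
        return Response(404)

    def _protected(self, path: str, headers: Dict[str, str],
                   session: Dict[str, str]) -> Response:
        # Explicit bearer token: accepted as-is (token validation is out of scope).
        if headers.get("Authorization", "").startswith("Bearer "):
            return Response(200)
        # A user restored from the session also counts as authenticated.
        if session.get("user"):
            return Response(200)
        # Otherwise start the authorization-code flow; "state" carries the
        # original route so the callback can send the user back (step 4).
        params = urlencode({"response_type": "code",
                            "redirect_uri": CALLBACK_PATH, "state": path})
        return Response(302, f"{IDP_AUTH_URL}?{params}")

    def _callback(self, query: Dict[str, str], session: Dict[str, str]) -> Response:
        if "code" not in query:
            return Response(400)
        # Code exchange is stubbed: any code yields the constructed user "alice".
        if self.persist:
            session["user"] = "alice"
        return Response(302, query.get("state", "/"))


def idp_login(url: str) -> str:
    """Constructed stand-in for Keycloak: the user logs in and is sent back
    to redirect_uri with an authorization code and the original state."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return q["redirect_uri"] + "?" + urlencode(
        {"code": "constructed-code", "state": q["state"]})


def run(app: App, start: str, max_hops: int = 20) -> Tuple[str, List[str]]:
    """Follow the flow with no Authorization header. Returns ("ok", trace) on
    a 200, ("error", trace) on any other final response, and ("loop", trace)
    when a URL is reached again with an unchanged session."""
    browser = Browser()
    seen: Set[Tuple[str, Tuple[Tuple[str, str], ...]]] = set()
    url = start
    for _ in range(max_hops):
        key = (url, tuple(sorted(browser.session.items())))
        browser.trace.append(url)
        if key in seen:
            return "loop", browser.trace
        seen.add(key)
        if url.startswith(IDP_AUTH_URL):
            url = idp_login(url)
            continue
        parsed = urlparse(url)
        query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        resp = app.handle(parsed.path, query, {}, browser.session)
        if resp.status == 302 and resp.location is not None:
            url = resp.location
            continue
        return ("ok" if resp.status == 200 else "error"), browser.trace
    return "loop", browser.trace


if __name__ == "__main__":
    for persist in (False, True):
        outcome, trace = run(App(persist_user_in_session=persist), PROTECTED_PATH)
        print(f"persist_user_in_session={persist}: {outcome} after {len(trace)} hops")
        for hop in trace:
            print("   ", hop)
```

With `persist_user_in_session=False` the trace is `/user`, the IdP URL, `/callback?code=...&state=%2Fuser`, `/user` and then the detector fires, because the second visit to `/user` carries exactly the same (empty) session as the first; with `True` the same four hops end in a 200. The `(url, session)` key is the useful check when debugging a loop like this one: if it repeats, no amount of further redirects will change the outcome.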

Thanks for the report, I'll investigate it.

pmlopes avatar Feb 26 '20 06:02 pmlopes

I believe this issue is solved. Please re-open if not.

pmlopes avatar Mar 07 '23 14:03 pmlopes