
OIDC provider - backward incompatible outbound config

Open danielkec opened this issue 1 year ago • 1 comment

Environment Details

  • Helidon Version: 4 snapshot
  • Helidon MP
  • JDK version: 21
  • OS: Ubuntu 23.10 6.5.0-14-generic

Problem Description

While in Helidon 3 the OIDC outbound configuration worked like this:

security:
  providers:
    - abac:
    - oidc:
        audience: "kingdom-audience"
        client-id: "beginning-helidon-client"
        redirect: true
        client-secret: Bcx0RVWPLwXj3vP8xByv9Dwr7lCL1jjl
        identity-uri: "http://${keycloak.host}:${keycloak.port}/realms/beginning-helidon"
        frontend-uri: "${app.castle-url}"
        post-logout-uri: /
        logout-enabled: true
        propagate: true
        outbound:
          - name: "propagate-token"
            hosts: ["watchtower.local"]

In Helidon 4 the outbound prefix needs to be used twice:

security:
  providers:
    - abac:
    - oidc:
        ...
        propagate: true
        outbound:
          outbound:
            - name: "propagate-token"
              hosts: [ "watchtower.local" ]

The problem is the prefix being queried twice, first here: https://github.com/helidon-io/helidon/blob/224f99d56c7212e9d6426d7310ad1f714f6247b5/security/providers/oidc/src/main/java/io/helidon/security/providers/oidc/OidcProvider.java#L338-L341

And then again here: https://github.com/helidon-io/helidon/blob/224f99d56c7212e9d6426d7310ad1f714f6247b5/security/providers/common/src/main/java/io/helidon/security/providers/common/OutboundConfig.java#L81-L86

danielkec, Jan 16 '24 15:01

It is not a backwards incompatibility. It is a bug. It should be there only once.

Verdent, Jan 29 '24 20:01
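The double read that danielkec traces through OidcProvider and OutboundConfig.create(), and the single read Verdent says it should be, modelled as an added example. This is not Helidon code: ConfigNode is a constructed stand-in for the config tree, outbound_config_create mirrors only the "read the outbound key from the node you were handed" step, and the single-prefix variant assumes the fix is to stop descending in the provider; the page does not say which of the two reads was removed. The two layouts are the YAML from the issue rebuilt as dicts.

```python
# Added example: models the double "outbound" prefix read from the issue.
# Constructed stand-in for Helidon's Config tree and the
# OidcProvider -> OutboundConfig.create() call chain; not Helidon code.
from typing import Any, Optional


class ConfigNode:
    """Tiny tree config: get(key) descends, missing keys yield an empty node."""

    def __init__(self, value: Any = None) -> None:
        self._value = value

    def get(self, key: str) -> "ConfigNode":
        if isinstance(self._value, dict):
            return ConfigNode(self._value.get(key))
        return ConfigNode(None)

    def exists(self) -> bool:
        return self._value is not None

    def as_list(self) -> list:
        return list(self._value) if isinstance(self._value, list) else []


def outbound_config_create(cfg: ConfigNode) -> list[tuple[str, list[str]]]:
    """Stand-in for OutboundConfig.create(config): reads the "outbound" key
    from whatever node it is handed and returns (name, hosts) targets."""
    targets = []
    for entry in cfg.get("outbound").as_list():
        targets.append((entry["name"], list(entry.get("hosts", []))))
    return targets


def outbound_targets_double_prefix(provider_cfg: ConfigNode):
    """Helidon 4 behaviour reported in the issue: the provider descends into
    "outbound" first, then OutboundConfig.create() descends again, so only the
    nested outbound.outbound layout yields any targets."""
    node = provider_cfg.get("outbound")          # first read (OidcProvider)
    return outbound_config_create(node)          # second read (OutboundConfig)


def outbound_targets_single_prefix(provider_cfg: ConfigNode):
    """Assumed shape of the fix: hand the provider's own node to
    OutboundConfig.create() so the prefix is consumed exactly once."""
    return outbound_config_create(provider_cfg)


def propagates_to(targets, host: str) -> bool:
    """True if the OIDC token would be propagated on an outbound call to host."""
    return any(host in hosts for _, hosts in targets)


def check_outbound_loaded(targets, expected_host: str) -> Optional[str]:
    """Post-upgrade sanity check: an empty target list is not a parse error,
    it just means the token is silently never sent to expected_host."""
    if not propagates_to(targets, expected_host):
        return f"no outbound target covers {expected_host}; token propagation is off"
    return None


# Constructed configs mirroring the two YAML layouts in the issue.
HELIDON3_LAYOUT = {
    "propagate": True,
    "outbound": [{"name": "propagate-token", "hosts": ["watchtower.local"]}],
}
HELIDON4_WORKAROUND = {
    "propagate": True,
    "outbound": {
        "outbound": [{"name": "propagate-token", "hosts": ["watchtower.local"]}]
    },
}


if __name__ == "__main__":
    layouts = (("helidon3", HELIDON3_LAYOUT), ("helidon4-workaround", HELIDON4_WORKAROUND))
    variants = (("double", outbound_targets_double_prefix),
                ("single", outbound_targets_single_prefix))
    for label, layout in layouts:
        for variant, fn in variants:
            targets = fn(ConfigNode(layout))
            print(label, variant, targets, check_outbound_loaded(targets, "watchtower.local"))
```

The point of check_outbound_loaded is the failure mode: neither layout produces an error under the wrong reader, the mismatched one just yields an empty target list, so after an upgrade the only symptom is that calls to watchtower.local arrive without a token. A startup assertion that the expected hosts resolved is cheap insurance. Separately, the config pasted in the issue carries a literal client-secret; anything posted that way is disclosed and should be rotated.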