micronaut-security icon indicating copy to clipboard operation
micronaut-security copied to clipboard
verified publisher icon micronaut-projects

Support Keycloak 17+

Open morki opened this issue 3 years ago • 6 comments

Feature description

Keycloak 17

In Keycloak 17 the default distribution is powered by Quarkus and default endpoints has changed (removed the /auth prefix) so autoconfiguration of EndSessionEndpoint is failing.

See https://github.com/micronaut-projects/micronaut-security/pull/1009

Keycloak 18

In Keycloak 18 there are even bigger changes as shift to using standard OIDC logout and more. This means the KeycloakEndSessionEndpoint is not working anymore.

The behaviour is now following OIDC standard and is working exactly as OktaEndSessionEndpoint.

Proposed solution

Add new configuration property mode with following options:

  • auto (actual behavior using EndSessionEndpointResolver, backward compatible, default value)
  • standard (new behaviour, following the standard, using renamed OktaEndSessionEndpoint)

Example:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            issuer: xxx
            end-session:
              enabled: true
              mode: standard # <-- this is the new property

Current workaround for Keycloak 18

We successfuly tricked Micronaut to think that Keycloak is Okta by using ?okta suffix for issuer URL e.g. https://sso.xxx.com/realms/master?okta.

morki avatar May 25 '22 08:05 morki

would you consider sending a PR for this? I think it makes sense to add a separate keycloak18 config so that older versions continue to be supported

graemerocher avatar May 26 '22 13:05 graemerocher

@graemerocher I think the same, what do you think about the proposed solution above? Any naming or other recommendations?

morki avatar May 26 '22 19:05 morki

seems fine, will need to be documented though

graemerocher avatar May 27 '22 08:05 graemerocher

Thanks for the request @morki

I think we have to support OpenID Connect RP-Initiated Logout 1.0. And I think we have to be able to specify whether you want to use that logout request or a custom.

sdelamo avatar Jun 22 '22 14:06 sdelamo

New version for this proposal can use property vendor instead of mode:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            vendor: keycloak-17 # <-- this is the new property
            issuer: xxx
            end-session:
              enabled: true

This new version can be used for https://github.com/micronaut-projects/micronaut-test-resources/pull/44 and will enable multiple versions of Keycloak for example.

morki avatar Jul 05 '22 08:07 morki

i just want to say that keycloak is version 21.

glats avatar Feb 28 '23 17:02 glats