Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Keycloak 17+ #1024

Open
morki opened this issue May 25, 2022 · 6 comments
Open

Support Keycloak 17+ #1024

morki opened this issue May 25, 2022 · 6 comments

Comments

@morki
Copy link
Contributor

morki commented May 25, 2022

Feature description

Keycloak 17

In Keycloak 17 the default distribution is powered by Quarkus and default endpoints has changed (removed the /auth prefix) so autoconfiguration of EndSessionEndpoint is failing.

See #1009

Keycloak 18

In Keycloak 18 there are even bigger changes as shift to using standard OIDC logout and more. This means the KeycloakEndSessionEndpoint is not working anymore.

The behaviour is now following OIDC standard and is working exactly as OktaEndSessionEndpoint.

Proposed solution

Add new configuration property mode with following options:

  • auto (actual behavior using EndSessionEndpointResolver, backward compatible, default value)
  • standard (new behaviour, following the standard, using renamed OktaEndSessionEndpoint)

Example:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            issuer: xxx
            end-session:
              enabled: true
              mode: standard # <-- this is the new property

Current workaround for Keycloak 18

We successfuly tricked Micronaut to think that Keycloak is Okta by using ?okta suffix for issuer URL e.g. https://sso.xxx.com/realms/master?okta.
@graemerocher
Copy link
Contributor

would you consider sending a PR for this? I think it makes sense to add a separate keycloak18 config so that older versions continue to be supported

@morki
Copy link
Contributor Author

morki commented May 26, 2022

@graemerocher I think the same, what do you think about the proposed solution above? Any naming or other recommendations?

@graemerocher
Copy link
Contributor

seems fine, will need to be documented though

@sdelamo
Copy link
Contributor

sdelamo commented Jun 22, 2022

Thanks for the request @morki

I think we have to support OpenID Connect RP-Initiated Logout 1.0. And I think we have to be able to specify whether you want to use that logout request or a custom.

This was referenced Jun 22, 2022
Open
Merged
@morki morki mentioned this issue Jul 5, 2022
Draft
@morki
Copy link
Contributor Author

morki commented Jul 5, 2022

New version for this proposal can use property vendor instead of mode:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            vendor: keycloak-17 # <-- this is the new property
            issuer: xxx
            end-session:
              enabled: true

This new version can be used for micronaut-projects/micronaut-test-resources#44 and will enable multiple versions of Keycloak for example.

@j1cs
Copy link

j1cs commented Feb 28, 2023

i just want to say that keycloak is version 21.

@timyates timyates mentioned this issue Mar 15, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@graemerocher @sdelamo @morki @j1cs @wetted