WildFly Elytron: ELY-2452

Wildfly OIDC with relative URL generates lots of keycloak requests


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 1.19.1.Final, 2.0.0.Final
    • Component/s: None

      Follow the instructions in "Securing WildFly Apps with OpenID Connect".

      Configure oidc.json to use relative URLs

      {
          "client-id" : "myclient",
          "realm": "myrealm",
          "auth-server-url": "/keycloak",
          "public-client" : "true",
          "principal-attribute" : "preferred_username",
          "ssl-required" : "EXTERNAL"
      } 

      Configure a relative redirect URL in Keycloak: /simple-webapp-oidc/*

      Configure a reverse proxy in front of the application and Keycloak. Optionally, the WildFly instance running the application can be used as the reverse proxy for Keycloak, so no extra component is needed.

      Access the app: http://<proxy_address>/simple-webapp-oidc/

       

      The logs will show multiple lines like:

      09:55:25,790 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:25,790 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:55:25,801 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:25,802 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:55:27,469 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:27,470 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:55:27,479 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:27,479 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:55:28,390 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:28,390 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:55:28,398 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:28,398 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration 

      Environment:

      Wildfly 26.1.2.Final

      Keycloak 19.0.2

      Description:

      We are in the process of migrating from WildFly 24.0.1 & Keycloak 12.0.4 to WildFly 26.1.2 and Keycloak 19.0.2. We use Keycloak to provide authentication to our application, and both are behind the same reverse proxy (modcluster). We have been using relative URLs to allow customers to access the application by IP or DNS name from multiple different networks.

      After migrating to the new versions we have observed the following behaviour.

      Issue 1

      Relative URLs do not work when provider-url is configured in oidc.json:

      {
          "client-id" : "myclient",
          "provider-url": "/keycloak/realms/myrealm",
          "public-client" : "true",
          "principal-attribute" : "preferred_username",
          "ssl-required" : "EXTERNAL"
      }

      The following error can be seen in the logs:

      09:53:34,385 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:53:34,385 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:53:34,386 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:53:35,908 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:53:35,908 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:53:35,909 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration 

       

      Issue 2

      If provider-url is not configured but the auth-server-url and realm parameters are configured instead, relative URLs do work, but lots of Keycloak connections are made and every other connection fails:

      {
          "client-id" : "myclient",
          "realm": "myrealm",
          "auth-server-url": "/keycloak",
          "public-client" : "true",
          "principal-attribute" : "preferred_username",
          "ssl-required" : "EXTERNAL"
      } 
      09:55:25,790 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:25,790 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:55:25,801 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:25,802 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
      09:55:27,469 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:27,470 WARN  [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration 

       

      Issue 3

      If the provider-url, auth-server-url and realm parameters are all configured, then lots of connections are made to Keycloak, but they are all successful:

      {
          "client-id" : "myclient",
          "provider-url": "/keycloak/realms/myrealm",
          "realm": "myrealm",
          "auth-server-url": "/keycloak",
          "public-client" : "true",
          "principal-attribute" : "preferred_username",
          "ssl-required" : "EXTERNAL"
      } 
      09:55:25,790 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:25,801 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:27,469 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:27,479 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:28,390 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
      09:55:28,398 INFO  [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration' 

       

      Issue 4

      Issues 1-3 can be reproduced using the test program. Additionally, we have observed a related issue with our own application, which uses the Vaadin 14 framework. When an absolute URL is configured in provider-url, the push notifications used by the application work; the client sends requests such as

      https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0&v-pushId=ce42309b-c1cf-4aa1-8379-9f8b73ac8431&X-Atmosphere-tracking-id=db517b20-df5a-4765-bb41-ab3c5f08dfe8&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application%2Fjson%3B%20charset%3DUTF-8&X-atmo-protocol=true&_=1664346684416
       

      When relative URLs are used (auth-server-url + realm, and optionally a relative provider-url), corrupted notifications are sent instead:

      https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0&v-pushId=c5a33102-8bb6-47bd-8497-88b37858357a&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json;%20charset=UTF-8&X-atmo-protocol=true&_=1664287652604
       

      The following error is shown in the WildFly logs:

      17:09:45,358 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /MyApplication/ui/: java.lang.IllegalArgumentException: Illegal character in query at index 272: https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0&v-pushId=e36b7b55-6e77-4ddc-bd5f-8f2bc55c4bdf&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json; charset=UTF-8&X-atmo-protocol=true&_=1664287785348
      	at java.base/java.net.URI.create(URI.java:883)
      	at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcClientContext.getAuthServerBaseUrl(OidcClientContext.java:533)
      	at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcClientContext.resolveUrls(OidcClientContext.java:97)
      	at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcClientContext.resolveDeployment(OidcClientContext.java:83)
      	at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcHttpFacade.getOidcClientConfiguration(OidcHttpFacade.java:183)
      	at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcHttpFacade.createTokenStore(OidcHttpFacade.java:187)
      	at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcHttpFacade.<init>(OidcHttpFacade.java:86)
      	at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcAuthenticationMechanism.evaluateRequest(OidcAuthenticationMechanism.java:68)
      	at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
      	at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:325)
      	at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:300)
      	at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)
      	at org.wildfly.security.elytron-web.undertow-server@1.10.1.Final//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
      	at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
      	at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
      	at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.core@2.2.19.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
      	at io.undertow.core@2.2.19.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
      	at io.undertow.core@2.2.19.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      	at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
      	at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      	at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
      	at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
      	at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
      	at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
      	at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
      	at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
      	at io.undertow.core@2.2.19.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
      	at io.undertow.core@2.2.19.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      	at org.jboss.xnio@3.8.7.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
      	at java.base/java.lang.Thread.run(Thread.java:829)
      Caused by: java.net.URISyntaxException: Illegal character in query at index 272: https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0&v-pushId=e36b7b55-6e77-4ddc-bd5f-8f2bc55c4bdf&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json; charset=UTF-8&X-atmo-protocol=true&_=1664287785348
      	at java.base/java.net.URI$Parser.fail(URI.java:2913)
      	at java.base/java.net.URI$Parser.checkChars(URI.java:3084)
      	at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3172)
      	at java.base/java.net.URI$Parser.parse(URI.java:3114)
      	at java.base/java.net.URI.<init>(URI.java:600)
      	at java.base/java.net.URI.create(URI.java:881)
      	... 49 more
      

      The difference seems to be at the end of the request.

      Relative URL:
      
      Content-Type=application/json;%20charset=UTF-8&X-atmo-protocol=true&_=1664287652604
      
      Absolute URL:
      
      Content-Type=application%2Fjson%3B%20charset%3DUTF-8&X-atmo-protocol=true&_=1664346684416
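As an added illustration (not Elytron's code and not part of the report), the following Java snippet reproduces the failure in the stack trace above, where the whole request URL, query string included, is handed to java.net.URI.create() in order to derive the base for a relative auth-server-url, and contrasts it with a variant that takes only the request's scheme and authority. The sample request URL is constructed from the report with the Content-Type parameter already percent-decoded (so it contains "; "); the method names and the allowedHosts set are assumptions for the example. Because a relative auth-server-url means the identity provider's location is derived from whatever scheme and host the request arrived with, the hardened variant also refuses hosts the deployment does not expect, which is the check a practitioner would want behind a reverse proxy that rewrites Host or forwarded headers.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/**
 * Added example (not Elytron code): deriving the OpenID provider base URL
 * for a relative auth-server-url such as "/keycloak" from an incoming request.
 */
public final class RelativeAuthServerUrl {

    // Constructed sample: the Vaadin push request from the report, with the
    // Content-Type parameter percent-decoded. The space after ';' is what
    // java.net.URI rejects ("Illegal character in query").
    static final String PUSH_REQUEST_URL =
        "https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0"
        + "&X-Atmosphere-Transport=long-polling"
        + "&Content-Type=application/json; charset=UTF-8&X-atmo-protocol=true";

    /** Fragile: parses the entire request URL, query included, as a URI. */
    static String baseUrlFragile(String requestUrl, String relativeAuthServerUrl) {
        URI uri = URI.create(requestUrl); // throws IllegalArgumentException on "; "
        return uri.getScheme() + "://" + uri.getAuthority() + relativeAuthServerUrl;
    }

    /**
     * Hardened: the query and fragment can never contribute to the scheme or
     * authority, so they are cut off before parsing. The scheme and host still
     * come from the request, i.e. from the proxy's forwarded headers, so the
     * result is only accepted for hosts in allowedHosts (an assumption for this
     * example, not a setting from the report).
     */
    static String baseUrlHardened(String requestUrl, String relativeAuthServerUrl,
                                  Set<String> allowedHosts) throws URISyntaxException {
        if (!relativeAuthServerUrl.startsWith("/")) {
            throw new IllegalArgumentException("relative auth-server-url must start with '/'");
        }
        int cut = requestUrl.indexOf('?');
        int hash = requestUrl.indexOf('#');
        if (hash >= 0 && (cut < 0 || hash < cut)) {
            cut = hash;
        }
        String withoutQuery = cut < 0 ? requestUrl : requestUrl.substring(0, cut);
        URI uri = new URI(withoutQuery);
        if (uri.getScheme() == null || uri.getHost() == null) {
            throw new URISyntaxException(requestUrl, "request URL must be absolute");
        }
        if (!allowedHosts.contains(uri.getHost().toLowerCase())) {
            throw new IllegalArgumentException("unexpected request host: " + uri.getHost());
        }
        // resolve() replaces the request path with the absolute-path reference
        // and keeps scheme, host and port, e.g. https://modcluster/keycloak
        return uri.resolve(relativeAuthServerUrl).toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        try {
            baseUrlFragile(PUSH_REQUEST_URL, "/keycloak");
        } catch (IllegalArgumentException e) {
            System.out.println("fragile:  " + e.getMessage());
        }
        String base = baseUrlHardened(PUSH_REQUEST_URL, "/keycloak", Set.of("modcluster"));
        System.out.println("hardened: " + base);
        System.out.println("metadata: " + base + "/realms/myrealm/.well-known/openid-configuration");
    }
}
```

The fragile variant fails for every request whose query string carries a character java.net.URI does not accept, which matches the ERROR in the stack trace; the hardened variant yields https://modcluster/keycloak for the same request and builds the discovery URL shown in the ELY23004 lines from it. It does not address the repeated metadata downloads reported as issues 2 and 3; that is a separate matter of caching the resolved configuration per base URL.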

       

              Assignee: Unassigned
              Reporter: Jukka-Pekka Järvinen (jukka-pekka.jarvinen@tietoevry.com)
              Votes: 4
              Watchers: 4