- Bug
- Resolution: Unresolved
- Major
- None
- 1.19.1.Final, 2.0.0.Final
- None
Environment:
Wildfly 26.1.2.Final
Keycloak 19.0.2
Description:
We are in the process of migrating from Wildfly 24.0.1 & Keycloak 12.0.4 to Wildfly 26.1.2 and Keycloak 19.0.2. We use Keycloak to provide authentication to our application, and both are behind the same reverse proxy (modcluster). We have been using relative URLs to allow customers to access the application by IP or DNS name from multiple different networks.
After migration to the new version we have observed the following behaviour.
Issue 1
Relative URLs do not work when provider-url is configured in oidc.json:
{ "client-id" : "myclient", "provider-url": "/keycloak/realms/myrealm", "public-client" : "true", "principal-attribute" : "preferred_username", "ssl-required" : "EXTERNAL" }
The following error can be seen in the logs:
09:53:34,385 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
09:53:34,385 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
09:53:34,386 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
09:53:35,908 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
09:53:35,908 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
09:53:35,909 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
Issue 2
If provider-url is not configured but the auth-server-url and realm parameters are configured instead, relative URLs do work, but many connections are made to Keycloak and every other connection fails:
{ "client-id" : "myclient", "realm": "myrealm", "auth-server-url": "/keycloak", "public-client" : "true", "principal-attribute" : "preferred_username", "ssl-required" : "EXTERNAL" }
09:55:25,790 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
09:55:25,790 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
09:55:25,801 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
09:55:25,802 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
09:55:27,469 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
09:55:27,470 WARN [org.wildfly.security.http.oidc] (default task-6) ELY23005: Unable to load OpenID provider metadata from /keycloak/realms/myrealm/.well-known/openid-configuration
Issue 3
If the provider-url, auth-server-url and realm parameters are all configured, then many connections are made to Keycloak, but they are all successful:
{ "client-id" : "myclient", "provider-url": "/keycloak/realms/myrealm", "realm": "myrealm", "auth-server-url": "/keycloak", "public-client" : "true", "principal-attribute" : "preferred_username", "ssl-required" : "EXTERNAL" }
09:55:25,790 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
09:55:25,801 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
09:55:27,469 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
09:55:27,479 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
09:55:28,390 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
09:55:28,398 INFO [org.wildfly.security.http.oidc] (default task-6) ELY23004: Loaded OpenID provider metadata from 'https://modcluster/keycloak/realms/myrealm/.well-known/openid-configuration'
Issue 4
Issues 1 - 3 can be reproduced using the test program. Additionally we have observed a related issue with our own application, which uses the Vaadin 14 framework. When an absolute URL is configured in provider-url, the push notifications used by the application work, and the client sends requests such as
https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0&v-pushId=ce42309b-c1cf-4aa1-8379-9f8b73ac8431&X-Atmosphere-tracking-id=db517b20-df5a-4765-bb41-ab3c5f08dfe8&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application%2Fjson%3B%20charset%3DUTF-8&X-atmo-protocol=true&_=1664346684416
When relative URLs are used (auth-server-url + realm, and optionally a relative provider-url), corrupted notifications are sent instead:
https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0&v-pushId=c5a33102-8bb6-47bd-8497-88b37858357a&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json;%20charset=UTF-8&X-atmo-protocol=true&_=1664287652604
The following error is shown in the Wildfly logs:
17:09:45,358 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /MyApplication/ui/: java.lang.IllegalArgumentException: Illegal character in query at index 272: https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0&v-pushId=e36b7b55-6e77-4ddc-bd5f-8f2bc55c4bdf&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json; charset=UTF-8&X-atmo-protocol=true&_=1664287785348
    at java.base/java.net.URI.create(URI.java:883)
    at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcClientContext.getAuthServerBaseUrl(OidcClientContext.java:533)
    at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcClientContext.resolveUrls(OidcClientContext.java:97)
    at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcClientContext.resolveDeployment(OidcClientContext.java:83)
    at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcHttpFacade.getOidcClientConfiguration(OidcHttpFacade.java:183)
    at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcHttpFacade.createTokenStore(OidcHttpFacade.java:187)
    at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcHttpFacade.<init>(OidcHttpFacade.java:86)
    at org.wildfly.security.elytron-http-oidc@1.19.1.Final//org.wildfly.security.http.oidc.OidcAuthenticationMechanism.evaluateRequest(OidcAuthenticationMechanism.java:68)
    at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
    at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:325)
    at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:300)
    at org.wildfly.security.elytron-base@1.19.1.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)
    at org.wildfly.security.elytron-web.undertow-server@1.10.1.Final//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
    at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.core@2.2.19.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
    at io.undertow.core@2.2.19.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
    at io.undertow.core@2.2.19.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
    at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
    at io.undertow.core@2.2.19.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at org.wildfly.extension.undertow@26.1.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
    at io.undertow.servlet@2.2.19.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
    at io.undertow.core@2.2.19.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
    at io.undertow.core@2.2.19.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at org.jboss.xnio@3.8.7.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.net.URISyntaxException: Illegal character in query at index 272: https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0&v-pushId=e36b7b55-6e77-4ddc-bd5f-8f2bc55c4bdf&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.3.2.vaadin1-javascript&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application/json; charset=UTF-8&X-atmo-protocol=true&_=1664287785348
    at java.base/java.net.URI$Parser.fail(URI.java:2913)
    at java.base/java.net.URI$Parser.checkChars(URI.java:3084)
    at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3172)
    at java.base/java.net.URI$Parser.parse(URI.java:3114)
    at java.base/java.net.URI.<init>(URI.java:600)
    at java.base/java.net.URI.create(URI.java:881)
    ... 49 more
The difference seems to be at the end of the request:
Relative URL: Content-Type=application/json;%20charset=UTF-8&X-atmo-protocol=true&_=1664287652604
Absolute URL: Content-Type=application%2Fjson%3B%20charset%3DUTF-8&X-atmo-protocol=true&_=1664346684416
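The stack trace above shows OidcClientContext.getAuthServerBaseUrl calling java.net.URI.create on the full request URL, which throws as soon as the query carries a raw space (as in "application/json; charset=UTF-8"); a relative auth-server-url can only be made absolute from the current request, so this is where a relative configuration breaks. The block below is an added illustration of that failure mode and of a component-based resolution that never parses the query; it is not Elytron's code, and the componentBase approach is an assumption about how to avoid the problem, not the project's fix.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration of the failure seen in the trace (not Elytron's code).
public class RelativeAuthServerUrlDemo {

    // Naive resolution (mirrors the symptom): parse the whole request URL, query included.
    // java.net.URI rejects a raw space in the query and throws IllegalArgumentException.
    static String naiveBase(String requestUrl, String relativeAuthServerUrl) {
        URI request = URI.create(requestUrl);
        return request.getScheme() + "://" + request.getRawAuthority() + relativeAuthServerUrl;
    }

    // Assumed hardened resolution: build the base from the scheme, host and port the
    // container already knows, so the request's query string is never parsed at all.
    static String componentBase(String scheme, String host, int port, String relativeAuthServerUrl)
            throws URISyntaxException {
        return new URI(scheme, null, host, port, relativeAuthServerUrl, null, null).toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed request URL in the shape of the Vaadin push request from the report,
        // with the query as it appears in the exception message (unescaped "; " in Content-Type).
        String pushRequest = "https://modcluster/MyApplication/ui/?v-r=push&v-uiId=0"
                + "&Content-Type=application/json; charset=UTF-8&X-atmo-protocol=true";

        try {
            System.out.println(naiveBase(pushRequest, "/keycloak"));
        } catch (IllegalArgumentException e) {
            // Same message family as the trace: "Illegal character in query at index ..."
            System.out.println("naive resolution failed: " + e.getMessage());
        }

        // Resolved from components instead: https://modcluster/keycloak
        System.out.println(componentBase("https", "modcluster", -1, "/keycloak"));
    }
}
```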
Is related to:
- ELY-2284 Wildfly OIDC secured App generates a lot of keycloak requests (Resolved)