-
Notifications
You must be signed in to change notification settings - Fork 6.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update to Quarkus 3.2.8 #24639
Update to Quarkus 3.2.8 #24639
Conversation
Based on my testing, this should also fix #24160 Not sure of the etiquette if we should add another closes for that one to also link the PR or if the mention is enough. |
@abstractj / @vmuzikar - I've updated some version in Keycloak's POM that should match Quarkus' parent POM in a second commit. Please squash the commits before merging. |
76fe81e
to
bbab5e2
Compare
@abstractj Thanks for the PR. Seems there's some issue with the Operator OLM tests. I'll look into it. |
@abstractj @shawkins Created abstractj#2 |
59db293
to
2ae2006
Compare
2ae2006
to
bd0e11d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@abstractj - there have been some expired certificates, which have just been updated in main. You might need another CI run before all your tests are green. See #24657. |
ec4d204
to
6ace403
Compare
@abstractj @vmuzikar @vietj the issue with the javascript adapter tests appear to be due to changes in the vertx forwarding logic. The problematic request is explicitly setting an empty host:
The forwarding logic then creates an empty authority and will calculate absolute uris that lack a host https:/auth/admin... I'm not sure if this this intended to be a protection mechanism when the host isn't populated, or if it should still infer the host - someone else will need to weigh in on a fix. I see the same condition being hit during the failing cors tests, so it's possible this could be the root cause for all the failures. |
@shawkins Thanks for investigating. I think we need someone from @keycloak/ui to chime in. I don't think a request without |
@shawkins Actually, which request exactly do you mean is missing the header? A JS Adapter created request? |
I would presume it is coming from there yes. |
I did some testing with @vmuzikar, and to me it doesn't look like this is an error caused by Keycloak JS or any other client-side code for that matter. I was able to run the test and get it to fail using the following command: mvn test -Dtest=JavascriptAdapterTest#testLocationHeaderInResponse -Pauth-server-quarkus The test only seems to fail when the Quarkus server is enabled using
Specifically, the value of the -https://localhost:8543/auth/admin/realms/test/users/044f3ca4-af90-4ecb-b6b6-63d36a9cc2fd
+https:/auth/admin/realms/test/users/044f3ca4-af90-4ecb-b6b6-63d36a9cc2fd For some reason the domain name is being stripped from the URL returned from the server. This seems to be a regression in Quarkus. Looking at the changelog it looks like quarkusio/quarkus#36234 might have something to do with this, which leads to eclipse-vertx/vert.x#4879, which unfortunately does not have a commit or PR associated with it. Either way, I think this is a Quarkus bug, or we're not passing something into it correctly on our side. It cannot be a client-side bug, as we're not allowed to set the |
@jonkoops that is correct, it is not coming directly from the client side.
Working backwards more from https://github.com/vert-x3/vertx-web/blob/a76e681af8313035ab7a772481d840a81051ecc9/vertx-web/src/main/java/io/vertx/ext/web/impl/ForwardedParser.java#L200 the header is being set by https://github.com/quarkusio/quarkus/blob/b9766f547d2c5c02715b5e35fda1c5f2f15904d8/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/ForwardedParser.java#L202 The headers at this level show the host is missing, not empty:
Which then gets set as an explicit empty value on the delegate, which then gets turned into the uri with the missing host. For reference the offending request is coming into the RealmsResource.getProtocol method - test/protocol/openid-connect/ |
Yes, vert.x or the vert.x extension logic in quarkus. This change looks suspect: quarkusio/quarkus@d41c78b#diff-26b0d509bb91cfaf3c4160496ea25fc584e85d4e2cc1b708eb72ea3b25b74c4dR124 - the old logic just called host(), which would return localhost:8543 in this case. |
So I guess this will have to be reported as a bug for Quarkus, perhaps we can even submit a fix? Anyone willing to jump on that? Either way, it looks like we will not be able to upgrade until this is fixed upstream. |
Did a quick search, but I could not find any issues closed or open that report this problem. |
Captured as quarkusio/quarkus#37045 |
jFTR – it was confirmed to be a Vert.x bug: vert-x3/vertx-web#2511 Found also another reproducer. Just access KC via |
Possible workaround would be to temporarily disable HTTP/2 in KC. But there'd be perf implications at the very least. |
@vmuzikar my 2 cents. I'd wait for the next release with the fix. |
eclipse-vertx/vert.x#4947 was resolved but it turned out to be another regression in 3.2.8. The original issue is still unresolved. |
It was confirmed the Quarkus issue will be resolved in 3.2.9. Since we'll skip 3.2.8, I think we can close this PR. |
Closes keycloak#24638 Closes keycloak#24160 Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Václav Muzikář <vmuzikar@redhat.com>
6ace403
to
c3a30db
Compare
Superseded by #24842. @abstractj Let me know if you have any concerns with closing this. |
Closes #24638
Closes #24160