Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strip the scheme value from the OIDC proxy host #26608

Merged
merged 1 commit into from Jul 12, 2022
Merged

Strip the scheme value from the OIDC proxy host #26608

merged 1 commit into from Jul 12, 2022

Conversation

sberyozkin
Copy link
Member

@sberyozkin sberyozkin commented Jul 7, 2022
edited

Fixes #26577.

As described in #26577, Vertx (Mutiny) Web Client will fail if the proxy host is configured as http://localhost - I have confirmed it, UnknownHostException is reported - with quarkus.oidc using Mutiny WebClient. While quarkus-keycloak-authorization extending quarkus-oidc and sharing the same proxy configuration will fail unless the host is set as http://localhost.

So I've done a minor update which 1) strips the scheme from a proxy host value if the scheme is set as in http://localhost in OidcCommonUtils which is used for creating quarkus-oidc and also quarkus-oidc-client and 2) adds http:// to the host value if it is not already there when configuring keycloak-authorization.
At this moment of time it likely does not really make sense to introduce a scheme proxy option as it is not directly taken into account with WebClient.

@sberyozkin sberyozkin force-pushed the keycloak_authorization_proxy_scheme branch from 17961ee to 266c17a Compare July 8, 2022 13:14
gsmet
gsmet reviewed Jul 11, 2022
View reviewed changes
...on/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java Outdated
adapterConfig.setProxyUrl(oidcConfig.proxy.host.get() + ":"
+ oidcConfig.proxy.port);
String host = oidcConfig.proxy.host.get();
if (!host.startsWith("http")) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know I'm being a bit pedantic here but I would rather have the test do:

if (!host.startsWith("http://") && !host.startsWith("https://")) {

Because we could imagine someone having a host that is httpfoobar.com.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @gsmet No problems at all, it is worth avoiding any issues like this one, thanks for spotting it

@sberyozkin sberyozkin force-pushed the keycloak_authorization_proxy_scheme branch from 266c17a to 78d60b4 Compare July 11, 2022 13:10
@gsmet gsmet merged commit 19cba3c into quarkusio:main Jul 12, 2022
@quarkus-bot quarkus-bot bot added this to the 2.11 - main milestone Jul 12, 2022
@sberyozkin sberyozkin deleted the keycloak_authorization_proxy_scheme branch July 12, 2022 10:20
@gsmet gsmet modified the milestones: 2.11.0.CR1, 2.10.3.Final Jul 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gsmet gsmet gsmet approved these changes

@cescoffier cescoffier cescoffier left review comments

Assignees
No one assigned
Labels
area/keycloak kind/bugfix
Projects
None yet
Milestone
2.10.3.Final
Development

Successfully merging this pull request may close these issues.

Quarkus oidc proxy host expects protocol
3 participants
@sberyozkin @cescoffier @gsmet