Support Keycloak 17+

Feature description

Keycloak 17

In Keycloak 17 the default distribution is powered by Quarkus and the default endpoints have changed (the /auth prefix was removed), so autoconfiguration of EndSessionEndpoint is failing.

See https://github.com/micronaut-projects/micronaut-security/pull/1009

Keycloak 18

In Keycloak 18 there are even bigger changes, such as the shift to using standard OIDC logout and more. This means the KeycloakEndSessionEndpoint is not working anymore.

The behaviour now follows the OIDC standard and works exactly as OktaEndSessionEndpoint.

Proposed solution

Add a new configuration property mode with the following options:

  • auto (actual behavior using EndSessionEndpointResolver, backward compatible, default value)
  • standard (new behaviour, following the standard, using renamed OktaEndSessionEndpoint)

Example:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            issuer: xxx
            end-session:
              enabled: true
              mode: standard # <-- this is the new property

Current workaround for Keycloak 18

We successfully tricked Micronaut into thinking that Keycloak is Okta by using the ?okta suffix for the issuer URL, e.g. https://sso.xxx.com/realms/master?okta.

Issue Analytics

  • State: open
  • Created a year ago
  • Reactions: 2
  • Comments: 5 (5 by maintainers)

1 reaction
sdelamo commented, Jun 22, 2022

Thanks for the request @morki

I think we have to support OpenID Connect RP-Initiated Logout 1.0. And I think we have to be able to specify whether you want to use that logout request or a custom one.

0 reactions
morki commented, Jul 5, 2022

A new version of this proposal can use a property vendor instead of mode:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            vendor: keycloak-17 # <-- this is the new property
            issuer: xxx
            end-session:
              enabled: true

This new version can be used for https://github.com/micronaut-projects/micronaut-test-resources/pull/44 and will enable multiple versions of Keycloak for example.
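
The standard logout request discussed in this thread (OpenID Connect RP-Initiated Logout 1.0), as an added example that is not part of the issue or of Micronaut Security's code: it builds the redirect to the provider's end_session_endpoint and checks the state echoed back afterwards. The class and method names, the URLs and the token value are constructed placeholders.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class RpInitiatedLogout { // hypothetical class, not a Micronaut type
    /** Unguessable state that ties the logout request to the post-logout callback. */
    static String newState() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Builds the redirect to the end_session_endpoint taken from discovery metadata. */
    static URI logoutUri(URI endSession, String idToken, URI postLogout, String state) {
        if (!"https".equalsIgnoreCase(endSession.getScheme()))
            throw new IllegalArgumentException("end_session_endpoint must use https");
        if (!postLogout.isAbsolute())
            throw new IllegalArgumentException("post_logout_redirect_uri must be absolute");
        Map<String, String> params = new LinkedHashMap<>();
        params.put("id_token_hint", idToken);
        params.put("post_logout_redirect_uri", postLogout.toString());
        params.put("state", state);
        String query = params.entrySet().stream()
            .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
        // Keep any query component the advertised endpoint already carries.
        return URI.create(endSession + (endSession.getRawQuery() == null ? "?" : "&") + query);
    }

    /** Constant-time check of the state echoed back on the post-logout redirect. */
    static boolean stateMatches(String expected, String returned) {
        return returned != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), returned.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed placeholders; read the real endpoint from the issuer's discovery document.
        URI endSession = URI.create("https://sso.example.test/realms/master/end-session");
        String state = newState();
        URI uri = logoutUri(endSession, "ID_TOKEN_PLACEHOLDER", URI.create("https://app.example.test/logout"), state);
        System.out.println(uri + " stateOk=" + stateMatches(state, state));
    }
}
```

Taking the endpoint from the provider's advertised metadata rather than from a vendor-specific path is what keeps this request independent of URL layout changes such as the removed /auth prefix.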
