Quarkus OIDC does not work with Auth0
Describe the bug
Given the configuration:
quarkus.oidc.auth-server-url=https://myauthtenant.eu.auth0.com/
On start-up Quarkus tries to access the URL: https://myauthtenant.eu.auth0.com//.well-known/openid-configuration
(note the double //), which causes an exception:
OIDC server is not available at the 'quarkus.oidc.auth-server-url' URL (...)
(...)
Cannot GET //.well-known/openid-configuration
Alternatively, when removing the trailing slash:
quarkus.oidc.auth-server-url=https://myauthtenant.eu.auth0.com
an error is thrown:
issuer validation failed: received [https://myauthtenant.eu.auth0.com/]
as the issuer field in the OIDC JSON has the trailing slash:
"issuer": "https://myauthtenant.eu.auth0.com/",
I've tried adding
quarkus.oidc.introspection-path=.well-known/openid-configuration
quarkus.oidc.jwks-path=.well-known/jwks.json
with no effect.
Expected behavior
Quarkus could be smart enough not to add another "/" before .well-known when the auth-server-url ends with a trailing /.
Actual behavior
Quarkus start-up error
To Reproduce
Steps to reproduce the behavior:
- Create a free Auth0 tenant
- Configure Quarkus as in https://quarkus.io/guides/security-openid-connect-web-authentication
- Configure properties to point to Auth0
- Start app
Configuration
quarkus.oidc.auth-server-url=https://myauthtenant.eu.auth0.com
quarkus.oidc.introspection-path=.well-known/openid-configuration
quarkus.oidc.jwks-path=.well-known/jwks.json
quarkus.oidc.client-id=XXX
quarkus.oidc.credentials.secret=XXX
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email,profile,roles
@piotrgwiazda PR #5944 will offer an alternative where you'd just set an issuer as a quarkus.oidc.claims.issuer property, which will disable the default Vert.x OAuth2 issuer validation, which only does a comparison based on the site URL. (FYI, the Vert.x OAuth2 fix for this issue has also been merged by Paulo.) But going forward I think we will encourage the users to set the expected issuer, audience, etc. directly as the Quarkus properties. CC @pedroigor

Thanks, @gsmet. I was just about to comment 😃
@sberyozkin It seems the suggestion from @piotrgwiazda makes sense.
However, I'm wondering if we should also have a quarkus.oidc.issuer property to specify the issuer. The reason being that there is no implicit relation between the root URL we use to fetch the discovery document and the issuer. It should work for most implementations (which may be fine for now) but may fail for others if they don't use the root URL as the issuer.
The problem with adding that property is that issuer verification is performed within the Vert.x OAuth library. So, I'm not sure if it would work without disabling issuer verification and doing it ourselves. Or maybe there is some alternative in Vert.x OAuth to define the issuer (not the site).
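Added example (not Quarkus or Vert.x code) illustrating the two points in this thread: building the discovery URL without doubling the slash, and checking the discovered issuer either against an explicitly configured expected issuer (the quarkus.oidc.claims.issuer idea above) or, failing that, against the auth-server-url while tolerating only a trailing-slash difference. The class name and method names are assumptions; the tenant URLs are constructed sample values mirroring the issue.

```java
import java.net.URI;
import java.util.Objects;

// Hypothetical helper, written for this thread; not part of any project.
public final class OidcDiscoveryUrls {

    private static final String WELL_KNOWN = ".well-known/openid-configuration";

    // Strip any number of trailing slashes, leaving scheme and host intact.
    static String stripTrailingSlashes(String url) {
        int end = url.length();
        while (end > 0 && url.charAt(end - 1) == '/') end--;
        return url.substring(0, end);
    }

    // Always exactly one '/' between the server URL and .well-known,
    // whether or not the configured URL carries a trailing slash.
    static String discoveryUrl(String authServerUrl) {
        return stripTrailingSlashes(authServerUrl) + "/" + WELL_KNOWN;
    }

    // If an expected issuer is configured, require an exact string match
    // (the issuer is an opaque identifier and must be compared as-is).
    // Otherwise fall back to the auth-server-url and accept only a
    // trailing-slash difference: scheme, host, port and path must agree.
    static boolean issuerMatches(String discoveredIssuer, String expectedIssuer, String authServerUrl) {
        if (expectedIssuer != null) {
            return discoveredIssuer.equals(expectedIssuer);
        }
        URI got = URI.create(stripTrailingSlashes(discoveredIssuer));
        URI want = URI.create(stripTrailingSlashes(authServerUrl));
        return Objects.equals(got.getScheme(), want.getScheme())
            && Objects.equals(got.getHost(), want.getHost())
            && got.getPort() == want.getPort()
            && Objects.equals(got.getPath(), want.getPath());
    }

    public static void main(String[] args) {
        // Constructed sample values: the tenant URL as configured with and without
        // a trailing slash, and the issuer exactly as the discovery document returns it.
        String withSlash = "https://myauthtenant.eu.auth0.com/";
        String withoutSlash = "https://myauthtenant.eu.auth0.com";
        String discoveredIssuer = "https://myauthtenant.eu.auth0.com/";
        System.out.println(discoveryUrl(withSlash));
        System.out.println(discoveryUrl(withoutSlash));
        System.out.println(issuerMatches(discoveredIssuer, null, withoutSlash));
        System.out.println(issuerMatches(discoveredIssuer, discoveredIssuer, withoutSlash));
        System.out.println(issuerMatches("https://other-tenant.eu.auth0.com/", null, withSlash));
    }
}
```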