Quarkus oidc proxy host expects protocol

[ccpatrut]

Describe the bug

Hi guys I think you have a problem in your quarkus, keycloak oidc implementation.

During initialization of a quarkus application which is configured with keycloak as previously mentioned during load time the method configureProxyForAuthServerIfProvided is called. On line 409 this expects a protocol, such as http:// or https://
https://github.com/keycloak/keycloak/blob/main/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpClientBuilder.java

Without this protocol the application will fail at initialization with: " Host name may not be null"

Secondly, in https://github.com/quarkusio/quarkus/blob/main/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java the method toProxyOptions expects a proxy host without a protocol in front of it.
This method is called at runtime. Due to the fact that one sets one value only, the two are conflicting:
quarkus.oidc."tenant".proxy.host

For instance, by setting a value with a protocol to satisfy the adapter check all the calls at runtime will be failling with an error such as "unknow host exception" du to the the fact that OidcCommonUtils will configure a proxy host with http:// in front of it.

Expected behavior

That the proxy configuration works both at runtime and startup time.

Actual behavior

Is not working with unknown host exception for the proxy host value

How to Reproduce?

Configure and application with keycloak and proxy set on it.
Root your trafic to the keycloak instance through a proxy.

Output of uname -a or ver

MINGW64_NT-10.0-19044 vd15474 3.1.7-340.x86_64 2021-03-26 22:17 UTC x86_64 Msys

Output of java -version

java version "11.0.8" 2020-07-14 LTS

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.10.0.Final

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[quarkus-bot]

/cc @pedroigor, @sberyozkin

[sberyozkin]

Hi @ccpatrut I'm a little bit confused, https://github.com/keycloak/keycloak/blob/main/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/HttpClientBuilder.java is not used in quarkus-oidc, can you please clarify what is the problem with quarkus.oidc.proxy.host This is just one of the properties a user needs to pass to Vert.x client, quarkus-oidc is not checking quarkus.oidc.proxy.host - just passing it along to Vert.x client

[ccpatrut]

Hi @sberyozkin thanks for your fast reply.

Following the guide at https://quarkus.io/guides/security-keycloak-authorization one must use both oidc and keycloak-authorization.

Indeed the quarkus-oidc is just passing it, but so does keycloak-authorization through KeycloakPolicyEnforcerRecorder.java in createPolicyEnforcer.

By following the stacktrace of keycloak-authorization it ends up using the adapter code in HttpClientBuilder.

The builder won't build the proxy without a protocol in front of the server while quarkus-oidc won't find the proxy server if it has a protocol in front of it.

The two implementations conflict one with another.

[sberyozkin]

@ccpatrut I see, thanks for the clarification, will try to fix shortly

[ccpatrut]

Thank you, @sberyozkin

Could you let me know about the release lifecycle as well?

How fast could we use the fix?

I also have to say that I find it strange that so many methods are statically implemented in these libraries and it's impossible to override them. Is there any chance that you guys would consider using dependency injection and abstractization in these libraries?

This way in case of such defects overriding a method will fix most of the problems until an actual fix is available.

Best regards and thanks for picking my defect this fast,
Catalin

[sberyozkin]

@ccpatrut Fix will be available in Quarkus 2.11.0.CR1 due in the next week or so

[ccpatrut]

@sberyozkin great, thank you!