Quarkus OIDC + Primefaces


Dmitry Shultz

Jul 1, 2023, 5:21:09 PM
to Quarkus Development mailing list
Hi All,

Writing here to align my expectations for Quarkus + Keycloak OIDC + Primefaces. It works pretty well most of the time, but I'm having two major issues:

There is a chance it doesn't work because I'm doing something wrong, there is a bug somewhere, or my expectations are wrong and it is not supported.

For easy assessment I deployed the reproducing app https://dev.collarclubvernon.ca, connected it to GitHub, and there is also a test user freya:prime. Feel free to use it for reproducing/assessing these issues. Please let me know if I need to change anything, open a bug, or wait longer for answers on Stack Overflow (I know everybody is super busy, so it's OK).

Thanks in advance,
Dmitry

Sergey Beryozkin

Jul 2, 2023, 7:36:21 AM
to dmi...@diligesoft.com, Quarkus Development mailing list
Hi

On Sat, Jul 1, 2023 at 10:21 PM Dmitry Shultz <dmi...@diligesoft.com> wrote:
> Hi All,
>
> Writing here to align my expectations for Quarkus + Keycloak OIDC + Primefaces. It works pretty well most of the time, but I'm having two major issues:

I've missed this query, sorry.

So, the problem is, the Keycloak Authorization endpoint does not support cross-origin redirects, which is why we have this solution:

The idea is to skip XHR and do a pure browser redirection, which is not a problem.
Give that a try please.

A 404 is returned because, for the logout path to remain a virtual path, you need to add something like:

```
quarkus.http.auth.permission.logout.paths=/tenant-logout
quarkus.http.auth.permission.logout.policy=authenticated
```

Otherwise, the security system does not recognize this path as requiring any verification, the JAX-RS endpoint or Vert.x route is invoked and you get 404,
which also suggests how you can fix it without having to add a policy: add a no-op `/secure/logout` method - which is not the best solution but will work.

Please see the code example at:

Also, you tried the FrontChannel logout option - it requires a dedicated setup; both the front-channel and back-channel options are for the global logout, with Keycloak driving the logout
when one of the services initiates a logout - for your case it is not necessary right now.

> There is a chance it doesn't work because I'm doing something wrong, there is a bug somewhere, or my expectations are wrong and it is not supported.
>
> For easy assessment I deployed the reproducing app https://dev.collarclubvernon.ca, connected it to GitHub, and there is also a test user freya:prime. Feel free to use it for reproducing/assessing these issues. Please let me know if I need to change anything, open a bug, or wait longer for answers on Stack Overflow (I know everybody is super busy, so it's OK).

If the OIDC question is not answered/commented on at all, it means we just missed it, so ping us on Zulip in Quarkus Discussions when that happens.

Cheers, Sergey

> Thanks in advance,
> Dmitry

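As an added illustration of the second option Sergey describes above (a no-op `@Authenticated` resource method that keeps the logout path known to JAX-RS so it does not answer 404 before the security check runs), here is a small JAX-RS resource written for this thread. It is not code from the Quarkus project or from Dmitry's application. It assumes the logout path is `/secure/logout`, that `/secure/*` is the authenticated area, and that `quarkus.oidc.application-type=web-app` is set; the package name and the exact properties in the comment are also assumptions.

```java
package org.acme.logout; // hypothetical package name

import io.quarkus.security.Authenticated;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.InternalServerErrorException;
import jakarta.ws.rs.Path;

/**
 * Placeholder resource for the RP-initiated logout path.
 *
 * Assumed application.properties for this example (values constructed here):
 *   quarkus.oidc.application-type=web-app
 *   quarkus.oidc.logout.path=/secure/logout
 *   quarkus.oidc.logout.post-logout-path=/welcome.html
 *   quarkus.http.auth.permission.authenticated.paths=/secure/*
 *   quarkus.http.auth.permission.authenticated.policy=authenticated
 *
 * Because the path is covered by an authentication requirement, Quarkus OIDC sees
 * GET /secure/logout during the security check, redirects the browser to the
 * provider's end-session endpoint and never dispatches to this method. If the path
 * were not covered, the request would reach the JAX-RS layer first and, with no
 * matching resource, JAX-RS would answer 404 before OIDC ever looked at it.
 */
@Path("/secure")
public class LogoutResource {

    @GET
    @Path("/logout")
    @Authenticated
    public String logout() {
        // Reached only if the OIDC logout interception did not happen, which means the
        // configuration is off (path mismatch, wrong application type). Failing loudly
        // surfaces that in the logs instead of rendering a page for a user who believes
        // they have been logged out.
        throw new InternalServerErrorException(
                "OIDC logout was not intercepted; check quarkus.oidc.logout.path and the path policies");
    }
}
```

The `quarkus.http.auth.permission.logout.*` policy Sergey gives first achieves the same thing without a resource class; use one approach or the other, and in either case confirm with a browser that a request to the logout path produces a redirect to the provider rather than a 404 or a rendered page.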

Sergey Beryozkin

Jul 2, 2023, 7:43:23 AM
to dmi...@diligesoft.com, Quarkus Development mailing list
On Sun, Jul 2, 2023 at 12:36 PM Sergey Beryozkin <sbia...@redhat.com> wrote:
> Hi
>
> On Sat, Jul 1, 2023 at 10:21 PM Dmitry Shultz <dmi...@diligesoft.com> wrote:
> > Hi All,
> >
> > Writing here to align my expectations for Quarkus + Keycloak OIDC + Primefaces. It works pretty well most of the time, but I'm having two major issues:
>
> I've missed this query, sorry.
>
> So, the problem is, the Keycloak Authorization endpoint does not support cross-origin redirects, which is why we have this solution:
>
> The idea is to skip XHR and do a pure browser redirection, which is not a problem.
> Give that a try please.
>
> A 404 is returned because, for the logout path to remain a virtual path, you need to add something like:
>
> quarkus.http.auth.permission.logout.paths=/tenant-logout
> quarkus.http.auth.permission.logout.policy=authenticated
>
> Otherwise, the security system does not recognize this path as requiring any verification, the JAX-RS endpoint or Vert.x route is invoked and you get 404,
> which also suggests how you can fix it without having to add a policy: add a no-op `/secure/logout` method - which is not the best solution but will work.
>
> Please see the code example at:

I see you configured it as expected - I'll have a look early next week.

Sergey Beryozkin

Jul 2, 2023, 8:12:12 AM
to dmi...@diligesoft.com, Quarkus Development mailing list
By the way,

On Sun, Jul 2, 2023 at 12:43 PM Sergey Beryozkin <sbia...@redhat.com> wrote:
> On Sun, Jul 2, 2023 at 12:36 PM Sergey Beryozkin <sbia...@redhat.com> wrote:
> > Hi
> >
> > On Sat, Jul 1, 2023 at 10:21 PM Dmitry Shultz <dmi...@diligesoft.com> wrote:
> > > Hi All,
> > >
> > > Writing here to align my expectations for Quarkus + Keycloak OIDC + Primefaces. It works pretty well most of the time, but I'm having two major issues:
> >
> > I've missed this query, sorry.
> >
> > So, the problem is, the Keycloak Authorization endpoint does not support cross-origin redirects, which is why we have this solution:
> >
> > The idea is to skip XHR and do a pure browser redirection, which is not a problem.
> > Give that a try please.

This query also highlights why Quarkus OIDC has to fail when the state cookie is present but it does not recognize the current request as a valid redirect URI from the OIDC provider:
if it did not, in this case, you'd get a redirect loop.

The other thing: if your XHR request to Keycloak fails at the redirect time, you can avoid having to clear the browser cache if you remove the state cookie from XHR, assuming you have Quarkus CORS origins correctly configured; additionally, allowing XHR to access the credentials with the Quarkus CORS configuration should allow XHR to control (e.g., remove) the cookies. It should not be necessary with the solution I linked to above, but in general, it might be worth investigating.

Melloware

Jul 2, 2023, 8:37:45 AM
to Quarkus Development mailing list
Dmitry, once you get this working I would love for you to do a small write-up for me so I can add it to the Quarkus Faces wiki for other JSF users in the future who will no doubt run into this issue!

Melloware

Jul 2, 2023, 8:42:06 AM
to Quarkus Development mailing list
I started a new empty wiki page here: https://github.com/melloware/quarkus-faces/wiki/OIDC-Integration

I know for myself I would like to know how to wire all this up, and I know others will too. Appreciate your work!

Sergey Beryozkin

Jul 2, 2023, 9:11:38 AM
to dmi...@diligesoft.com, Quarkus Development mailing list
On Sun, Jul 2, 2023 at 12:43 PM Sergey Beryozkin <sbia...@redhat.com> wrote:
> On Sun, Jul 2, 2023 at 12:36 PM Sergey Beryozkin <sbia...@redhat.com> wrote:
> > Hi
> >
> > On Sat, Jul 1, 2023 at 10:21 PM Dmitry Shultz <dmi...@diligesoft.com> wrote:
> > > Hi All,
> > >
> > > Writing here to align my expectations for Quarkus + Keycloak OIDC + Primefaces. It works pretty well most of the time, but I'm having two major issues:
> >
> > I've missed this query, sorry.
> >
> > So, the problem is, the Keycloak Authorization endpoint does not support cross-origin redirects, which is why we have this solution:
> >
> > The idea is to skip XHR and do a pure browser redirection, which is not a problem.
> > Give that a try please.
> >
> > A 404 is returned because, for the logout path to remain a virtual path, you need to add something like:
> >
> > quarkus.http.auth.permission.logout.paths=/tenant-logout
> > quarkus.http.auth.permission.logout.policy=authenticated
> >
> > Otherwise, the security system does not recognize this path as requiring any verification, the JAX-RS endpoint or Vert.x route is invoked and you get 404,
> > which also suggests how you can fix it without having to add a policy: add a no-op `/secure/logout` method - which is not the best solution but will work.
> >
> > Please see the code example at:
>
> I see you configured it as expected - I'll have a look early next week.

As far as the logout is concerned, can you please create a reproducer which I can run on my laptop?

We have an RP-initiated logout test with the logout path represented by the test JAX-RS endpoint method with `@Authenticated` - the 2nd solution I referred to above. The test endpoint throws an internal error to ensure it is not even invoked; it exists there for the JAX-RS layer not to complain with 404 before the security check is done.

After I removed this method, I had the test failing.

Next, adding the configuration (as per the OIDC docs):

```
quarkus.http.auth.permission.logout.paths=/tenant-logout/logout
quarkus.http.auth.permission.logout.policy=authenticated
```

I got the test passing again.

You can verify with the Quarkus source:
```
cd integration-tests/oidc-code-flow
# 1. Confirm the test works:
mvn clean install -Dtest-containers -Dstart-containers -Dtest=CodeFlowTest#testRPInitiatedLogout
# 2. Get it failing by removing the resource method at `/tenant-logout/logout/` in
#    src/main/java/io/quarkus/it/keycloak/TenantLogout.java
# 3. Fix it by adding the required configuration in src/main/resources/application.properties
```

It looks like, for some reason, in your setup the logout request is not recognized as a request requiring verification by Quarkus OIDC.
It might be a path mismatch when deployed in the cloud, or something to do with the cookie path setup you do, so let's have it reproduced in the local laptop setup first.


Sergey

Sergey Beryozkin

Jul 2, 2023, 4:42:49 PM
to dmi...@diligesoft.com, Quarkus Development mailing list
The follow-up action:

```
# Logged-out users should be returned to the /welcome.html site which will offer an option to re-login:
quarkus.oidc.logout.post-logout-path=/secure/user/home.xhtml
```

will fail, because you have set it on the path you have configured as requiring authentication (/secure/*), so the logged-out user will be returning back to Quarkus and will be immediately
challenged to authenticate - which is not what the comment suggests (this one is coming from the OIDC docs, I believe).

Dmitry, can you please open a Quarkus issue with a reproducer confirming the RP-Initiated logout cannot start; mark it as a bug if you'd like, and if it proves it is not, then we'll close it as an invalid issue. I'll have a look early next week and we can discuss all the other details there - on this list we are not encouraging non-dev related discussions.


Thanks
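To make the post-logout point concrete, the following `application.properties` fragment is an added example written for this thread, not Dmitry's real configuration or anything from the Quarkus project. The realm, client id, secret reference and paths are assumptions modelled on the discussion (`/secure/*` protected, `/welcome.html` public, `/tenant-logout` as the logout path). The commented-out `post-logout-path` is the setting that sends the just-logged-out browser straight back into an authentication challenge; the active one is the corrected form.

```properties
# Example configuration added for this thread; every value below is an assumption, not the app's real config.
quarkus.oidc.auth-server-url=https://keycloak.example.invalid/realms/demo
quarkus.oidc.client-id=prime-app
quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET}
quarkus.oidc.application-type=web-app

# Everything under /secure/* requires an authenticated session.
quarkus.http.auth.permission.authenticated.paths=/secure/*
quarkus.http.auth.permission.authenticated.policy=authenticated

# RP-initiated logout. The logout path must itself be covered by a policy so that
# Quarkus OIDC intercepts it before JAX-RS/Vert.x looks for a handler and answers 404.
quarkus.oidc.logout.path=/tenant-logout
quarkus.http.auth.permission.logout.paths=/tenant-logout
quarkus.http.auth.permission.logout.policy=authenticated

# WRONG: the post-logout page sits inside the protected area, so the provider sends the
# now-logged-out browser back to Quarkus, which immediately challenges it to log in again.
# quarkus.oidc.logout.post-logout-path=/secure/user/home.xhtml

# RIGHT: land on a public page that offers a "log in again" link.
quarkus.oidc.logout.post-logout-path=/welcome.html
```

Two checks worth doing after changing this: the post-logout URI must also be listed in the Keycloak client's valid post-logout redirect URIs, otherwise Keycloak rejects the end-session request; and a request to `/tenant-logout` in a browser should produce a redirect to Keycloak, not a 404, which is the symptom Sergey describes when the path is not covered by a policy.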