Wildfly 26.1.3 - elytron-oidc-subsystem configuration


Martin Czakó

Feb 14, 2024, 11:28:47 AM2/14/24
to WildFly
Greetings,

I am trying to set up the elytron-oidc-subsystem to secure my deployment (let's say it is named explorer.war) so that it redirects me to an external site for authentication.

So far I have this:
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
  <secure-deployment name="explorer.war">
    <client-id>my-client-id</client-id>
    <provider-url>https://<external-site></provider-url>
    <ssl-required>external</ssl-required>
  </secure-deployment>
</subsystem>

The problem is that I am getting a WARN log after WildFly starts:
ELY23005: Unable to load OpenID provider metadata from https://<external-site>/.well-known/openid-configuration

When I try to reach this site from my browser it all goes through and I get a response JSON. But for some reason there's a problem when WildFly is trying to reach the site.
I was thinking that maybe it's because of the HTTPS protocol used in this case.

Does anybody have an idea to my problem?

Thanks

Prarthona Paul

Feb 14, 2024, 2:25:33 PM2/14/24
to WildFly
Hello there,
It should be possible to use the HTTPS protocol for OpenID Connect.
I have seen this error pop up oftentimes when I make a mistake in specifying the value for the "provider-url" field.
Could you please double-check to see if the provider-url you are specifying is correct? Maybe it is missing a '/' or maybe there is a typo?
You could place a breakpoint here: https://github.com/wildfly-security/wildfly-elytron/blob/1638f890f77a78277cdd98997d0bf808222eebbf/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfiguration.java#L241-L242 to make sure that the discoveryUrl parameter is what you expect it to be.
Since you can access https://<external-site>/.well-known/openid-configuration directly using your browser, it means the endpoint is being invoked correctly by your application. So there might be a bug in either how you are setting up your OpenID config or a bug in the server code.
In the second case, that bug should have been fixed in a later version of WildFly.
I hope this answers your question.
Please feel free to follow up with any questions.
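
An added example (not part of the thread and not WildFly code) for checking a provider-url value before putting it in the subsystem. It assumes, based on the OidcClientConfiguration source linked above, that the subsystem derives the discovery URL by appending "/.well-known/openid-configuration" to provider-url, and it then validates a discovery document the way a practitioner would before trusting the configuration: the required endpoints are present, the issuer matches provider-url, and the endpoints use HTTPS where ssl-required calls for it (ssl-required=external is taken to mean "HTTPS except for loopback and private addresses"; that reading, the host name idp.example.test and the sample document are all constructed for the example).

```python
"""Sanity checks for an elytron-oidc-client provider-url (added example)."""
import ipaddress
import json
import ssl
from urllib.parse import urlsplit
from urllib.request import urlopen

# Assumption: the subsystem appends this path to provider-url to get the discovery URL.
DISCOVERY_PATH = ".well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
TLS_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document; idp.example.test is not a real provider.
SAMPLE_DOC = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
}


def discovery_url(provider_url: str) -> str:
    """Build the discovery URL from provider-url, rejecting the usual mistakes."""
    parts = urlsplit(provider_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"provider-url must be an absolute http(s) URL: {provider_url!r}")
    if parts.path.rstrip("/").endswith(DISCOVERY_PATH):
        raise ValueError("provider-url is the issuer base, not the discovery document URL")
    if parts.query or parts.fragment:
        raise ValueError("provider-url must not carry a query string or fragment")
    # Tolerate a trailing slash so the path is not doubled to '//.well-known/...'.
    return provider_url.rstrip("/") + "/" + DISCOVERY_PATH


def _is_local_host(host: str) -> bool:
    """True for loopback / private-network hosts that ssl-required=external exempts."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name is treated as external
    return addr.is_loopback or addr.is_private


def check_discovery_document(provider_url: str, doc: dict, ssl_required: str = "external") -> list:
    """Return the list of problems found (empty when the document is usable)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    issuer = doc.get("issuer")
    if issuer and issuer.rstrip("/") != provider_url.rstrip("/"):
        # The subsystem validates tokens against this issuer, so it has to match.
        problems.append(f"issuer {issuer!r} does not match provider-url {provider_url!r}")
    for key in TLS_ENDPOINTS:
        url = doc.get(key)
        if not url:
            continue
        parts = urlsplit(url)
        needs_tls = ssl_required == "all" or (
            ssl_required == "external" and not _is_local_host(parts.hostname or "")
        )
        if needs_tls and parts.scheme != "https":
            problems.append(f"{key} is {parts.scheme} but ssl-required={ssl_required}")
    return problems


def fetch_discovery_document(provider_url: str, cafile: str = None, timeout: int = 10) -> dict:
    """Fetch the discovery document over the network (not exercised offline).

    Passing the same CA bundle the JVM trusts reproduces a TLS failure that the
    browser, with its own trust store, would not show.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urlopen(discovery_url(provider_url), context=ctx, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url = "https://idp.example.test"
    print("discovery URL:", discovery_url(url))
    print("problems:", check_discovery_document(url, SAMPLE_DOC) or "none")
```

Running it against the real provider with fetch_discovery_document(provider_url, cafile=...) separates the two causes the thread considers: a ValueError or an issuer mismatch points at the provider-url value, while an SSL error from urlopen with the server's trust store points at TLS trust rather than the URL.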

Martin Czakó

Feb 20, 2024, 5:29:11 PM2/20/24
to WildFly
Thanks, I'll try to debug it based on your suggestions.

Another problem is that I want to be redirected to the OIDC server page right when I try to access the login page of my web application, but so far this doesn't happen. Do you know how to achieve this? I found out that the secure-deployment in elytron-oidc-subsystem can be configured with redirect-rewrite-rules but wasn't able to find out how to use this, or even whether it could help me achieve my goal.

Thanks

On Wednesday, February 14, 2024 at 20:25:33 UTC+1, Prarthona Paul wrote:

Prarthona Paul

Feb 21, 2024, 10:31:27 AM2/21/24
to WildFly
Hello Martin,
You can find more information about the OIDC subsystem and deployment configuration here: https://docs.wildfly.org/31/Admin_Guide.html#Elytron_OIDC_Client

When you log in to your web application, which page does it redirect you to for now? And what would you like it to be?
Are you trying to make changes to the OIDC login page, or to the redirect page your application returns to once authentication is successful? If it is the first one, then I am not sure if the redirect rewrite rule would be applicable for this. Redirect-rewrite-rule is used to customize the URL of the page your application would be returning to once authentication is successful. It cannot be used to customize the OIDC login page itself.

The issues you are facing with your login page may be caused by incorrect configuration of provider-url. So it should be fixed once the original issue you mentioned is fixed.
Please feel free to follow up with any questions you have.
Best,
Prarthona
