
Conversation

FritzHoing (Contributor) commented Jun 27, 2024

Description

Needs to be updated in shogun-docker also.

Related issues or pull requests

Pull request type

  • Bugfix
  • Feature
  • Dependency updates
  • Tests
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe)

Do you introduce a breaking change?

  • Yes
  • No

Checklist

  • I understand and agree that the changes in this PR will be licensed under the
    Apache Licence Version 2.0.
  • I have followed the guidelines for contributing.
  • The proposed change fits to the content of the code of conduct.
  • I have added or updated tests and documentation, and the test suite passes (run mvn test locally).
  • I have added a screenshot/screencast to illustrate the visual output of my update.

simonseyock (Member) commented:

This problem occurs if the KEYCLOAK_HOST is not reachable from inside the container.
The problem started to appear with the newest SHOGun version.
I noticed the same while using the helm-charts and opened this PR there: terrestris/helm-charts#90

jwt:
issuer-uri: https://${KEYCLOAK_HOST:shogun-keycloak}/auth/realms/SHOGun
jwk-set-uri: https://${KEYCLOAK_HOST:shogun-keycloak}/auth/realms/SHOGun/protocol/openid-connect/certs
jwk-set-uri: http://shogun-keycloak:8080/auth/realms/SHOGun/protocol/openid-connect/certs
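Review bot: the replacement jwk-set-uri on the last line fetches Keycloak's signing keys over plain http from shogun-keycloak:8080 while issuer-uri still uses https with KEYCLOAK_HOST. Because issuer-uri is only compared against the token's iss claim once jwk-set-uri is set, token validation keeps working, but the key fetch itself no longer has TLS and relies on the container network being trusted; that assumption should be stated in a comment next to the property or in the PR description. Also consider keeping the internal host configurable (a separate variable defaulting to shogun-keycloak) rather than hard-coding it, so the public KEYCLOAK_HOST and the internal address can be set independently.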
Member commented:

Not sure why this is needed, but removing the environment variable KEYCLOAK_HOST entirely seems not to be the right way to me.

simonseyock (Member) commented Jul 1, 2024:

The problem is that Spring is accessing the jwk-set-uri to autoconfigure itself and retrieve some certificates from Keycloak. If the KEYCLOAK_HOST is used, this only works if the KEYCLOAK_HOST is accessible from inside the container.

Using the container address and removing the KEYCLOAK_HOST here seems to be the solution, as this should be working in any environment.

The documentation is not exhaustive in that regard, but I understand it this way:

  • The issuer-uri is used to check the issuer field in the JWT. If jwk-set-uri is not set, this is also used to autoconfigure and retrieve the certificates.
  • The jwk-set-uri is used instead for the requests if set.

https://docs.spring.io/spring-security/reference/reactive/oauth2/resource-server/jwt.html#webflux-oauth2resourceserver-jwt-jwkseturi
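The split described in the comment above, written out as an explicit JwtDecoder bean (an added example, not SHOGun's own configuration): the signing keys are fetched only from the container-internal address taken from the PR diff, while the iss claim is validated against the public issuer. The class name and the public issuer hostname are assumptions; the property-based autoconfiguration in Spring Boot builds the same two pieces from issuer-uri and jwk-set-uri.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Hypothetical configuration class; equivalent to setting
// spring.security.oauth2.resourceserver.jwt.issuer-uri and jwk-set-uri.
@Configuration
public class SplitIssuerJwtDecoderConfig {

    // Public issuer exactly as it appears in the token's "iss" claim.
    // The hostname is an assumption; it stands in for ${KEYCLOAK_HOST}.
    private static final String PUBLIC_ISSUER =
        "https://keycloak.example.org/auth/realms/SHOGun";

    // Internal address the backend container can actually reach (from the PR diff).
    private static final String INTERNAL_JWK_SET_URI =
        "http://shogun-keycloak:8080/auth/realms/SHOGun/protocol/openid-connect/certs";

    @Bean
    JwtDecoder jwtDecoder() {
        // Keys are fetched from the container-internal URL only; nothing is
        // requested from PUBLIC_ISSUER, so it does not need to resolve inside
        // the container.
        NimbusJwtDecoder decoder = NimbusJwtDecoder
            .withJwkSetUri(INTERNAL_JWK_SET_URI)
            .build();

        // Default validators (exp / nbf timestamps) plus a strict check that
        // the "iss" claim equals the public issuer string.
        OAuth2TokenValidator<Jwt> validator =
            JwtValidators.createDefaultWithIssuer(PUBLIC_ISSUER);
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

If jwk-set-uri is left unset, Spring instead builds the decoder from the issuer location, which fetches the issuer's discovery document at startup; that is the request that fails when the public host is not resolvable from the container. A quick precondition check is to run curl against the internal JWK URL from inside the backend container and confirm the JSON response contains a keys array.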

FritzHoing closed this Aug 12, 2024