Support Keycloak 17+

[morki]

Feature description

Keycloak 17

In Keycloak 17 the default distribution is powered by Quarkus and default endpoints has changed (removed the /auth prefix) so autoconfiguration of EndSessionEndpoint is failing.

See #1009

Keycloak 18

In Keycloak 18 there are even bigger changes as shift to using standard OIDC logout and more. This means the KeycloakEndSessionEndpoint is not working anymore.

The behaviour is now following OIDC standard and is working exactly as OktaEndSessionEndpoint.

Proposed solution

Add new configuration property mode with following options:

• auto (actual behavior using EndSessionEndpointResolver, backward compatible, default value)
• standard (new behaviour, following the standard, using renamed OktaEndSessionEndpoint)

Example:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            issuer: xxx
            end-session:
              enabled: true
              mode: standard # <-- this is the new property

Current workaround for Keycloak 18

We successfuly tricked Micronaut to think that Keycloak is Okta by using ?okta suffix for issuer URL e.g. https://sso.xxx.com/realms/master?okta.

[graemerocher]

would you consider sending a PR for this? I think it makes sense to add a separate keycloak18 config so that older versions continue to be supported

[morki]

@graemerocher I think the same, what do you think about the proposed solution above? Any naming or other recommendations?

[graemerocher]

seems fine, will need to be documented though

[sdelamo]

Thanks for the request @morki

I think we have to support OpenID Connect RP-Initiated Logout 1.0. And I think we have to be able to specify whether you want to use that logout request or a custom.

[morki]

New version for this proposal can use property vendor instead of mode:

micronaut:
  security:
    oauth2:
      clients:
        internal:
          enabled: true
          client-id: xxx
          client-secret: xxx
          openid:
            vendor: keycloak-17 # <-- this is the new property
            issuer: xxx
            end-session:
              enabled: true

This new version can be used for micronaut-projects/micronaut-test-resources#44 and will enable multiple versions of Keycloak for example.

[j1cs]

i just want to say that keycloak is version 21.