Support Keycloak Dev Service when OIDC client is used without OIDC extension #43609
cc @sberyozkin but let's see how CI goes, I ran a couple of extension unit tests locally, but not every integration test
So
I'll wait for the #43601 merge before I push fixes because this needs to adapt to changes there anyway (I am moving a file that is edited there).
Thanks very much @michalvavrik, What happens when both
DEV UI wise - card is not produced in the OIDC Client, so you have OIDC card that also contains that link
But we don't have to start hiding it, I think it is shown now on
Sure, I got confused for a moment if it would start twice, but no, it will be a single instance only
I am not sure we understand each other, let me try again:
I hide the OIDC Client card when OIDC is present. If you are saying "let's show it" I think it's alright and I'll do it (please confirm!). I somehow misunderstood your email that said I guess though when no
@michalvavrik It looks quite perfect, minor suggestions are there only, I'll run your PR a bit later as well and then we can merge. Later, I'll follow the same pattern for OIDC dynamic client registration as well and eventually we can cover keycloak-admin-clients
I've tested Michal's PR on my laptop, with quarkus-quickstarts/security-openid-connect-quickstart to confirm a KC DevService is started in dev and test modes, and that OIDC DevUI works as usual.
Additionally, I've confirmed OIDC Dev UI offers Auth0 login experience with quarkus.oidc.auth-server-url pointing to an Auth0 domain.
@michalvavrik I thought for a second if it would make sense to keep the base devservice abstract and have extension specific extensions which would deal with their own properties (oidc, oidc-client), etc and have some build time coordination informing each other that the dev service is started.
I am all for loose coupling, did it this way because it feels easier to understand than a new level of abstraction. FWIW if it will be me who introduces this for other extensions, I'll move these config properties to the extensions and enhance
@michalvavrik Sure, we can look at it all later, thanks
Almost feels like there should be a note in the documentation about this @michalvavrik. I also checked https://github.com/quarkusio/quarkus/wiki/Migration-Guide-3.16 and https://quarkus.io/blog/quarkus-3-16-1-released/. I didn't find anything highlighting this change.
Triggered by quarkusio/quarkus#43609 change Expanding quarkus-qe@c4883c3 change
If you mean https://quarkus.io/version/main/guides/security-openid-connect-dev-services then I agree. This week I'll be implementing Keycloak Dev Svc for Keycloak Admin Clients, so I'll write into that document that we now configure auth-server-url for default OIDC client and client registration (and that we configure KC with anonymous client registration policy).
The "breaking" part is that a container is started if you use the OIDC client without the OIDC extension and you haven't configured an auth server URL for the default client and you haven't disabled dev svc (or KC dev svc). I can see it can affect you if you don't have Docker. But actual users - if they have OIDC Client enabled, they probably need an auth server, so this can have only very little impact. I'll let @sberyozkin deal with the migration guide as I don't have perms.
Thank you @michalvavrik.
Triggered by quarkusio/quarkus#43609 change Expanding c4883c3 change
OidcDevServicesBuildItem; the class wasn't final, therefore could never be used as SimpleBuildItem must be final
quarkus/core/builder/src/main/java/io/quarkus/builder/item/BuildItem.java
Line 22 in 4cab5df
quarkus.keycloak.devservices.enabled with SR Config during the build time
grant was deprecated on Dev Svc config from 2021 and since I am moving this config, I am also dropping this property