quarkus: Oidc extension gives 401 after approximately 30-40 seconds on public endpoint

I have a quarkus app using the oidc/keycloak extension and it has been working fine for the past year or so. After upgrading to 1.13.4 it suddenly starts giving me 401-unauthorized approx. 30-40 seconds after restarting the quarkus app. It does not happen when using 1.13.3, so I am pretty sure it was introduced in 1.13.4. If I downgrade to 1.13.3 it keeps working, but 1.13.4 stops working roughly 30-40 seconds after hitting the public endpoint. All my protected endpoints are still working fine.

I expected 1.13.4 to behave the same way as 1.13.3 when it comes to Oidc/keycloak and public endpoints. I cannot see any info regarding changes in the upgrade docs.

The funny thing is it allows me to access my public endpoint for 30-40 seconds before handing me 401 - so right after reboot it works - but only for approx. 30 seconds after hitting the public endpoint for the first time.

Configuration

quarkus.oidc.enabled=true
quarkus.oidc.auth-server-url=http://iam-keycloak:8080/auth/realms/MYREALM
quarkus.oidc.client-id=api
quarkus.oidc.credentials.secret=<SECRET>
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.enforcement-mode=permissive
quarkus.keycloak.policy-enforcer.paths.api.name=API
quarkus.keycloak.policy-enforcer.paths.api.path=/api
quarkus.keycloak.policy-enforcer.paths.api.enforcement-mode=DISABLED

I have added DEBUG to logging and from the log I can see “Method : proceed” in the beginning and then suddenly, even though it is a public endpoint, it calls keycloak and from then on I get 401. My keycloak is on port 8081. My guess is that “Proxy auth state: UNCHALLENGED” triggers the call to keycloak.

021-05-16 22:55:21,567 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) RESTEASY002315: PathInfo: /
2021-05-16 22:55:21,567 DEBUG [dk.cor.res.RestFilterRequest] (executor-thread-1) incoming call: GET http://localhost:8080/api
2021-05-16 22:55:21,568 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) MessageBodyWriter: org.jboss.resteasy.core.providerfactory.SortedKey
2021-05-16 22:55:21,568 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jsonp.JsonObjectProvider
2021-05-16 22:55:21,568 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jsonp.JsonObjectProvider
2021-05-16 22:55:21,568 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) MessageBodyWriter: org.jboss.resteasy.core.providerfactory.SortedKey
2021-05-16 22:55:21,568 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) Interceptor Context: org.jboss.resteasy.core.interception.jaxrs.ServerWriterInterceptorContext, Method : proceed
2021-05-16 22:55:21,568 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) MessageBodyWriter: org.jboss.resteasy.core.providerfactory.SortedKey
2021-05-16 22:55:21,568 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jsonp.JsonObjectProvider
2021-05-16 22:55:21,568 DEBUG [org.jbo.res.res.i18n] (executor-thread-1) Provider : org.jboss.resteasy.plugins.providers.jsonp.JsonObjectProvider, Method : writeTo
2021-05-16 22:55:29,601 DEBUG [org.apa.htt.imp.con.tsc.ThreadSafeClientConnManager] (executor-thread-1) Get connection: {}->http://localhost:8081, timeout = 0
2021-05-16 22:55:29,601 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) [{}->http://localhost:8081] total kept alive: 1, total issued: 0, total allocated: 1 out of 20
2021-05-16 22:55:29,601 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) Getting free connection [{}->http://localhost:8081][null]
2021-05-16 22:55:29,601 DEBUG [org.apa.htt.imp.cli.DefaultHttpClient] (executor-thread-1) Stale connection check
2021-05-16 22:55:29,602 DEBUG [org.apa.htt.imp.cli.DefaultHttpClient] (executor-thread-1) Stale connection detected
2021-05-16 22:55:29,602 DEBUG [org.apa.htt.imp.con.DefaultClientConnection] (executor-thread-1) Connection 0.0.0.0:49887<->127.0.0.1:8081 closed
2021-05-16 22:55:29,603 DEBUG [org.apa.htt.imp.con.DefaultClientConnectionOperator] (executor-thread-1) Connecting to localhost:8081
2021-05-16 22:55:29,603 DEBUG [org.apa.htt.cli.pro.RequestAddCookies] (executor-thread-1) CookieSpec selected: compatibility
2021-05-16 22:55:29,603 DEBUG [org.apa.htt.cli.pro.RequestAuthCache] (executor-thread-1) Auth cache not set in the context
2021-05-16 22:55:29,603 DEBUG [org.apa.htt.cli.pro.RequestProxyAuthentication] (executor-thread-1) Proxy auth state: UNCHALLENGED
2021-05-16 22:55:29,603 DEBUG [org.apa.htt.imp.cli.DefaultHttpClient] (executor-thread-1) Attempt 1 to execute request
2021-05-16 22:55:29,603 DEBUG [org.apa.htt.imp.con.DefaultClientConnection] (executor-thread-1) Sending request: GET /auth/realms/MYREALM/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=%2Fapi HTTP/1.1
2021-05-16 22:55:29,604 DEBUG [org.apa.htt.wire] (executor-thread-1) >> "GET /auth/realms/MYREALM/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=%2Fapi HTTP/1.1[\r][\n]"
2021-05-16 22:55:29,604 DEBUG [org.apa.htt.wire] (executor-thread-1) >> "Authorization: Bearer <BEARERTOKEN>[\r][\n]"
2021-05-16 22:55:29,604 DEBUG [org.apa.htt.wire] (executor-thread-1) >> "Host: localhost:8081[\r][\n]"
2021-05-16 22:55:29,604 DEBUG [org.apa.htt.wire] (executor-thread-1) >> "Connection: Keep-Alive[\r][\n]"
2021-05-16 22:55:29,604 DEBUG [org.apa.htt.wire] (executor-thread-1) >> "[\r][\n]"
2021-05-16 22:55:29,604 DEBUG [org.apa.htt.headers] (executor-thread-1) >> GET /auth/realms/MYREALM/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=%2Fapi HTTP/1.1
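
A triage check for the symptom reported above, as an added example that is not part of the original issue or of the Quarkus code base: it reads the per-path policy-enforcer settings and flags every Keycloak resource_set lookup in the DEBUG log that targets a path configured as DISABLED. The sample config and log lines are constructed from the excerpts above, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: per-path enforcer settings as in the issue's configuration.
CONFIG = """\
quarkus.keycloak.policy-enforcer.enforcement-mode=permissive
quarkus.keycloak.policy-enforcer.paths.api.path=/api
quarkus.keycloak.policy-enforcer.paths.api.enforcement-mode=DISABLED
"""
# Constructed sample input: two entries taken from the issue's DEBUG log.
LOG = """\
2021-05-16 22:55:21,567 DEBUG [dk.cor.res.RestFilterRequest] (executor-thread-1) incoming call: GET http://localhost:8080/api
2021-05-16 22:55:29,603 DEBUG [org.apa.htt.imp.con.DefaultClientConnection] (executor-thread-1) Sending request: GET /auth/realms/MYREALM/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=%2Fapi HTTP/1.1
"""

PREFIX = "quarkus.keycloak.policy-enforcer.paths."
REQUEST = re.compile(r"^(\S+ \S+) DEBUG .*Sending request: GET (\S*/authz/protection/resource_set\?\S+) HTTP")


def disabled_paths(config):
    """Return the set of paths whose per-path enforcement-mode is DISABLED."""
    entries = {}
    for line in config.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.startswith(PREFIX):
            name, _, prop = key[len(PREFIX):].partition(".")
            entries.setdefault(name, {})[prop] = value.strip()
    return {e["path"] for e in entries.values()
            if e.get("enforcement-mode", "").upper() == "DISABLED" and "path" in e}


def unexpected_lookups(config, log):
    """Return (timestamp, uri) for each resource_set lookup on a DISABLED path."""
    disabled = disabled_paths(config)
    hits = []
    for line in log.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        # parse_qs percent-decodes the values, so %2Fapi becomes /api.
        for uri in parse_qs(urlsplit(match.group(2)).query).get("uri", []):
            if uri in disabled:
                hits.append((match.group(1), uri))
    return hits


if __name__ == "__main__":
    for stamp, uri in unexpected_lookups(CONFIG, LOG):
        print(f"{stamp}: enforcer queried Keycloak for DISABLED path {uri}")
```
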

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

@corepdk thanks, please watch #17179, I’ll add a duplicate label to this one

Tried upgrading my keycloak server to 13.0.0 to match the extension version and the problem persists - so same issue with quarkus 1.13.4 and keycloak server 13.0.0 (I was running 11.0.3 before). Will try to downgrade bom/application/pom.xml as suggested next.