quarkus: Quarkus OIDC does not work with Auth0

Describe the bug

Given the configuration:

quarkus.oidc.auth-server-url=https://myauthtenant.eu.auth0.com/

On start-up Quarkus tries to access the URL https://myauthtenant.eu.auth0.com//.well-known/openid-configuration (note the double //), which causes an exception:

OIDC server is not available at the 'quarkus.oidc.auth-server-url' URL (...)
(...)
Cannot GET //.well-known/openid-configuration

Alternatively, when removing the trailing slash:

quarkus.oidc.auth-server-url=https://myauthtenant.eu.auth0.com

an error is thrown:

issuer validation failed: received [https://myauthtenant.eu.auth0.com/]

as the issuer field in the OIDC discovery JSON has the trailing slash:

"issuer": "https://myauthtenant.eu.auth0.com/",

I’ve tried adding

quarkus.oidc.introspection-path=.well-known/openid-configuration
quarkus.oidc.jwks-path=.well-known/jwks.json

with no effect.

Expected behavior

Quarkus could be smart enough not to add another "/" before .well-known when the auth-server-url ends with a trailing /.

Actual behavior

Quarkus start-up error.

To Reproduce

Steps to reproduce the behavior:

  1. Create a free Auth0 tenant
  2. Configure Quarkus as in https://quarkus.io/guides/security-openid-connect-web-authentication
  3. Configure properties to point to Auth0
  4. Start app

Configuration

quarkus.oidc.auth-server-url=https://myauthtenant.eu.auth0.com
quarkus.oidc.introspection-path=.well-known/openid-configuration
quarkus.oidc.jwks-path=.well-known/jwks.json
quarkus.oidc.client-id=XXX
quarkus.oidc.credentials.secret=XXX
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email,profile,roles


About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 16 (11 by maintainers)

Most upvoted comments

@piotrgwiazda PR #5944 will offer an alternative where you'd just set an issuer as a quarkus.oidc.claims.issuer property, which will disable the default Vert.x OAuth2 issuer validation that only does a comparison based on the site URL. (FYI, the Vert.x OAuth2 fix for this issue has also been merged by Paulo.) But going forward I think we will encourage the users to set the expected issuer, audience, etc. directly as the quarkus properties. CC @pedroigor

Thanks, @gsmet. I was just about to comment 😃

@sberyozkin It seems the suggestion from @piotrgwiazda makes sense.

However, I'm wondering if we should also have a quarkus.oidc.issuer property to specify the issuer. The reason being that there is no implicit relation between the root URL we use to fetch the discovery document and the issuer. It should work for most implementations (which may be fine for now) but may fail for others if they don't use the root URL as the issuer.

The problem of adding that property is that issuer verification is performed within the Vert.x OAuth library. So, I'm not sure if it would work without disabling issuer verification and doing it by ourselves. Or maybe there is some alternative in Vert.x OAuth to define the issuer (not the site).
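A constructed example (not Quarkus or Vert.x code) covering both halves of this thread: the discovery-URL join that produces the double slash in the report, and issuer validation against an explicitly configured issuer (the quarkus.oidc.claims.issuer approach the maintainers describe) or, failing that, the discovery document's own issuer rather than the site URL. The discovery document and token claims below are constructed stand-ins for what Auth0 returns.

```python
import json
from typing import Optional

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed stand-in for the discovery document; note the trailing slash on
# "issuer", which is exactly what the report shows Auth0 returning.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://myauthtenant.eu.auth0.com/",
    "jwks_uri": "https://myauthtenant.eu.auth0.com/.well-known/jwks.json",
})

# Constructed ID-token payload; Auth0 puts the same trailing slash in "iss".
SAMPLE_CLAIMS = {"iss": "https://myauthtenant.eu.auth0.com/", "sub": "auth0|example"}


def naive_discovery_url(auth_server_url: str) -> str:
    """The join the report describes: a trailing '/' yields '//.well-known/...'."""
    return auth_server_url + WELL_KNOWN


def discovery_url(auth_server_url: str) -> str:
    """OIDC Discovery 1.0 section 4.1: drop any terminating '/' before appending."""
    return auth_server_url.rstrip("/") + WELL_KNOWN


def expected_issuer(auth_server_url: str, discovery_json: str,
                    configured_issuer: Optional[str] = None) -> str:
    """Pick the issuer that 'iss' must match.

    An explicitly configured issuer wins. Otherwise use the discovery document's
    'issuer' field, not the site URL: the two need not be equal (Auth0 differs by
    the trailing slash), which is the second failure in the report.
    """
    if configured_issuer:
        return configured_issuer
    return json.loads(discovery_json)["issuer"]


def validate_issuer(claims: dict, expected: str) -> bool:
    """Exact string comparison as OIDC Core 3.1.3.7 requires; no normalisation."""
    return claims.get("iss") == expected
```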