
Fix Keycloak mtls_endpoint_aliases metadata parsing #194

Open

antaloaalonso wants to merge 5 commits into jhipster:main from antaloaalonso:codex/keycloak-mtls-endpoint-aliases

Conversation


@antaloaalonso antaloaalonso commented May 10, 2026


Fix #174

Summary

  • Override Nimbus oauth2-oidc-sdk to 9.22.2 so Spring Security can parse Keycloak 15 OIDC metadata containing nested mtls_endpoint_aliases.
  • Add a regression test that serves Keycloak-like provider metadata from an in-process HTTP server and builds a ClientRegistration through ClientRegistrations.fromIssuerLocation.

Verification

  • JAVA_HOME=/opt/homebrew/opt/openjdk@11/libexec/openjdk.jdk/Contents/Home PATH=/opt/homebrew/opt/openjdk@11/bin:$PATH ./mvnw -ntp -P-webapp verify
  • git diff --check
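As an added example (not the PR's own regression test), the shape of the check described above: an in-process HTTP server serves constructed Keycloak-style discovery metadata containing a nested mtls_endpoint_aliases object, and Spring Security builds a ClientRegistration from it through ClientRegistrations.fromIssuerLocation. It assumes spring-security-oauth2-client on the classpath with Nimbus oauth2-oidc-sdk 9.22.2 or later; the realm path, registration id and client id are made-up values.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;

// Added example, not the PR's test. Assumes spring-security-oauth2-client with Nimbus
// oauth2-oidc-sdk 9.22.2+ on the classpath; realm path and client id are made up.
public class OidcMetadataMtlsAliasesExample {

    // Constructed Keycloak-style discovery document; %1$s is replaced by the issuer URL.
    private static final String METADATA = "{"
        + "\"issuer\":\"%1$s\","
        + "\"authorization_endpoint\":\"%1$s/protocol/openid-connect/auth\","
        + "\"token_endpoint\":\"%1$s/protocol/openid-connect/token\","
        + "\"jwks_uri\":\"%1$s/protocol/openid-connect/certs\","
        + "\"subject_types_supported\":[\"public\"],"
        + "\"response_types_supported\":[\"code\"],"
        + "\"id_token_signing_alg_values_supported\":[\"RS256\"],"
        + "\"mtls_endpoint_aliases\":{"          // nested object older Nimbus versions rejected
        +   "\"token_endpoint\":\"%1$s/protocol/openid-connect/token\","
        +   "\"revocation_endpoint\":\"%1$s/protocol/openid-connect/revoke\"}}";

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        String issuer = "http://127.0.0.1:" + server.getAddress().getPort() + "/auth/realms/jhipster";
        byte[] body = String.format(METADATA, issuer).getBytes(StandardCharsets.UTF_8);
        server.createContext("/auth/realms/jhipster/.well-known/openid-configuration", exchange -> {
            exchange.getResponseHeaders().add("Content-Type", "application/json");
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(body);
            }
        });
        server.start();
        try {
            // With the affected Nimbus version this call fails with
            // "Unexpected type of JSON object member with key mtls_endpoint_aliases".
            ClientRegistration registration = ClientRegistrations.fromIssuerLocation(issuer)
                .registrationId("keycloak")
                .clientId("web_app")
                .build();
            System.out.println("token endpoint: " + registration.getProviderDetails().getTokenUri());
        } finally {
            server.stop(0);
        }
    }
}
```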

@antaloaalonso (Author)

CI appears to be waiting for maintainer approval to run the forked pull_request workflow. Local verification is green on the submitted head: JAVA_HOME=/opt/homebrew/opt/openjdk@11/libexec/openjdk.jdk/Contents/Home PATH=/opt/homebrew/opt/openjdk@11/bin:$PATH ./mvnw -ntp -P-webapp verify and git diff --check both passed.

@antaloaalonso (Author)

CI fix pushed in de61a8e. The failing app jobs were reaching .github/scripts/run-app-ci.sh: docker-compose: command not found on ubuntu-latest, so the Consul/Keycloak containers never started and the later OAuth/Cypress checks failed downstream.

This update wraps Compose invocation to prefer docker-compose when present and fall back to docker compose, with set -euo pipefail so service startup failures stop the job immediately.

Local validation:

  • bash -n .github/scripts/run-app-ci.sh
  • git diff --check
  • docker compose version
  • command -v docker-compose
  • JAVA_HOME=/opt/homebrew/opt/openjdk@11/libexec/openjdk.jdk/Contents/Home PATH=/opt/homebrew/opt/openjdk@11/bin:$PATH ./mvnw -ntp -Dtest=OidcProviderMetadataTest test
  • JAVA_HOME=/opt/homebrew/opt/openjdk@11/libexec/openjdk.jdk/Contents/Home PATH=/opt/homebrew/opt/openjdk@11/bin:$PATH ./mvnw -ntp -P-webapp verify

@antaloaalonso (Author)

Pushed one more CI-only fix after the latest run failed in the backend step while invoking webpack. The failure came from the workflow's standalone npm install leaving node_modules in a state where webpack-cli could not resolve vue-loader's webpack 5 plugin dependency; Maven already runs the frontend plugin install before the webpack build, so this removes that redundant install step and lets the later frontend test reuse the Maven-installed tree.

Local verification:

  • git diff --check
  • bash -n .github/scripts/run-app-ci.sh
  • clean worktree: JAVA_HOME=/opt/homebrew/opt/openjdk@11/libexec/openjdk.jdk/Contents/Home PATH=/opt/homebrew/opt/openjdk@11/bin:$PATH ./mvnw -ntp clean verify -P-webpack
  • patched branch: JAVA_HOME=/opt/homebrew/opt/openjdk@11/libexec/openjdk.jdk/Contents/Home PATH=/opt/homebrew/opt/openjdk@11/bin:$PATH ./mvnw -ntp clean verify -P-webpack
  • frontend test with the repo Node path: PATH=$PWD/target/node:$PATH ./target/node/npm run test

@antaloaalonso (Author)

Local verification is still green on the latest head, and GitHub is currently showing no reported checks for this forked PR:

  • JAVA_HOME=/opt/homebrew/opt/openjdk@11/libexec/openjdk.jdk/Contents/Home PATH=/opt/homebrew/opt/openjdk@11/bin:$PATH ./mvnw -ntp -P-webapp verify
  • git diff --check

Since this is intended to resolve the $500 bug-bounty issue #174, could a maintainer trigger/approve CI or let me know what else is needed for review and bounty handling if the fix is accepted? I’ll address any failures or requested changes promptly.

@antaloaalonso (Author)

Pushed a focused CI follow-up in 3420ba0. The failing Application CI jobs were dying during the Maven frontend build because vue-loader@15.9.6 was resolving against a webpack tree without webpack/lib/rules/DescriptionDataMatcherRulePlugin. Maven was running a mutable npm install path, so I switched the frontend-maven-plugin installs in both webapp/prod profiles to npm ci so CI uses the lockfile-pinned webpack tree.

Local validation run before pushing:

  • git diff --check
  • bash -n .github/scripts/run-app-ci.sh
  • clean npm ci + npm run webapp:build using the repo Node path
  • ./mvnw -ntp -Dtest=OidcProviderMetadataTest test
  • ./mvnw -ntp clean verify -P-webpack -> BUILD SUCCESS, 18 tests, 0 failures


Development

Successfully merging this pull request may close these issues.

Unexpected type of JSON object member with key mtls_endpoint_aliases
