Skip to content

Oauth2 Resource Server will not retry on first failure with Multi-tenancy #10444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Lzxe92 opened this issue Oct 27, 2021 · 2 comments
Closed

Oauth2 Resource Server will not retry on first failure with Multi-tenancy #10444

Lzxe92 opened this issue Oct 27, 2021 · 2 comments
Assignees
@Lzxe92 @jzheaux
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone
5.6.0

Comments

@Lzxe92
Copy link

Lzxe92 commented Oct 27, 2021
edited
Loading

Describe the bug
I have an oauth2 server running on keycloak http://localhost:8080/keycloak-service/ and configured multi-tenancy using this

JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver
    ("http://localhost:8080/keycloak-service/realms/tenant1", "http://localhost:8080/keycloak-service/realms/tenant2");

http
    .authorizeExchange(exchanges -> exchanges
        .anyExchange().authenticated()
    )
    .oauth2ResourceServer(oauth2 -> oauth2
        .authenticationManagerResolver(authenticationManagerResolver)
    );

However if the keycloak service is down initally, and a request has been sent to the controller, server will return 500 with this error on the console

java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "http://localhost:8080/keycloak-service/realms/tenant1"
	at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:143)
	Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:

Which is expected as the oauth server is down. However once the keycloak service back up, subsequent call to the controller will still show the same result

To Reproduce

  1. Stop keycloak-service (oauth server)
  2. Start spring boot project
  3. Call controller
  4. Returns 500 error, oauth server is down
  5. Start keycloak-service (aouth server)
  6. call controller again
  7. it still return 500 error, even though oauth server is up

Expected behavior
Expect step 7 above to show success instead of failure
@Lzxe92 Lzxe92 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Oct 27, 2021
@Lzxe92 Lzxe92 changed the title Oauth2 Resource Server will not retry on first failure in Multi-tenancy Oauth2 Resource Server will not retry on first failure with Multi-tenancy Oct 27, 2021
@jzheaux
Copy link
Contributor

jzheaux commented Oct 27, 2021

Thanks for the report, @Lzxe92.

I think this is because JwtIssuerReactiveAuthenticationManagerResolver is using Mono#cache. A better solution would likely be to use the version of Mono#cache that allows for specifying a TTL. In this case, I think specifying a TTL like so will address the issue:

.cache((manager) -> Duration.ofMillis(Long.MAX_VALUE), (ex) -> Duration.ZERO, () -> Duration.ZERO)

Are you able to provide a PR that makes the change and adds a test? Also, it would be helpful to have a test for JwtIssuerAuthenticationManagerResolver as well to ensure that this use case is addressed for both implementations.

@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 27, 2021
@jzheaux jzheaux added this to the 5.6.0 milestone Oct 27, 2021
@Lzxe92
Copy link
Author

Lzxe92 commented Oct 28, 2021

Sure. I'll make a PR for this to help others.

jzheaux added a commit that referenced this issue Nov 11, 2021
@jzheaux
Don't Cache ReactiveJwtDecoders Errors
538541b 
Closes gh-10444
jzheaux added a commit that referenced this issue Nov 11, 2021
@jzheaux
Don't Cache ReactiveJwtDecoders Errors
72db6a2 
Closes gh-10444
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Nov 11, 2021
Closed
jzheaux added a commit that referenced this issue Nov 11, 2021
@jzheaux
Don't Cache ReactiveJwtDecoders Errors
f89a34c 
Closes gh-10444
Closed
jzheaux added a commit that referenced this issue Nov 11, 2021
@jzheaux
Don't Cache ReactiveJwtDecoders Errors
7b03fb5 
Closes gh-10444
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Lzxe92 Lzxe92

@jzheaux jzheaux

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Projects
None yet
Milestone
5.6.0
Development

No branches or pull requests
3 participants
@Lzxe92 @jzheaux @spring-projects-issues