OIDC identity provider receives wrong client-id for client-id containing colon #529

Description

@EmteZogaf

OIDC identity provider (keycloak) rejects authentication and shows only a substring of the actual client-id in the log message when the BPE client connections configuration has a client-id containing a colon (:)

Affected DSF Version

  • ≥ 2.0.0

To Reproduce

Configuration:

  • Set DSF BPE configuration variable DEV_DSF_BPE_FHIR_CLIENT_CONNECTIONS_CONFIG to
    fhir-store:
      base-url: "https://www.example.com/fhir"
      test-connection-on-startup: yes
      oidc-auth:
        base-url: "https://auth.example.com/realms/test"
        client-id: "foo:bar"
        client-secret: "password"

Steps to reproduce the behavior:

  1. Configure keycloak with realm test and add a client with client id foo:bar and password password
  2. Start DSF BPE Server
  3. Wait till the connection test of client connection fhir-store fails in the BPE logs
  4. See keycloak logs

Expected Behavior

OIDC identity provider accepts the client credentials and the connection test in BPE succeeds

Logs

BPE:

[main] DEBUG dev.dsf.bpe.spring.config.FhirClientConnectionsConfig - Testing connection with OIDC provider at https://auth.example.com/realms/test for 'fhir-store' [Failed]
dev.dsf.bpe.api.client.oidc.OidcClientException: Unexpected response status code 401 Unauthorized

Keycloak:

WARN  [org.keycloak.events] (executor-thread-171) type="CLIENT_LOGIN_ERROR", realmId="test", realmName="test", clientId="foo", userId="null", ipAddress="172.18.0.1", error="client_not_found", grant_type="client_credentials"
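The Keycloak log reports clientId="foo" for a configured client-id of foo:bar, which is consistent with client credentials being placed in an HTTP Basic header without the application/x-www-form-urlencoded step that RFC 6749 section 2.3.1 requires before the id and secret are joined with ':' and base64-encoded. The following is an added example, not DSF or Keycloak code, that models both sides of that exchange with the values from the report; the token-endpoint parser is a simplified model of an RFC 6749 endpoint, not Keycloak's implementation.

```python
import base64
from urllib.parse import quote, unquote

# Values taken from the issue's reproduction config (constructed to match the report).
CLIENT_ID = "foo:bar"
CLIENT_SECRET = "password"


def basic_auth_header(client_id: str, client_secret: str, form_encode: bool) -> str:
    """Build the Authorization header a client sends to the OAuth 2.0 token endpoint.

    RFC 6749 section 2.3.1: client_id and client_secret are each form-URL-encoded
    *before* being joined with ':' and base64-encoded. Skipping that step
    (form_encode=False) makes a ':' inside the client id indistinguishable from
    the id/secret separator.
    """
    if form_encode:
        client_id = quote(client_id, safe="")
        client_secret = quote(client_secret, safe="")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(header: str) -> tuple[str, str]:
    """Simplified model of an RFC 6749 token endpoint parsing client credentials.

    Splits at the FIRST ':' as the Basic scheme requires, then form-URL-decodes both parts.
    """
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic" or not b64:
        raise ValueError("not an HTTP Basic authorization header")
    decoded = base64.b64decode(b64, validate=True).decode("utf-8")
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        raise ValueError("Basic credentials lack the ':' separator")
    return unquote(client_id), unquote(client_secret)


def round_trip(client_id: str, client_secret: str, form_encode: bool) -> tuple[str, str]:
    """What the identity provider sees for a given client-side encoding choice."""
    return parse_basic_auth_header(basic_auth_header(client_id, client_secret, form_encode))


if __name__ == "__main__":
    # Unencoded: the provider sees client "foo" (as in the Keycloak log) and a wrong secret.
    print(round_trip(CLIENT_ID, CLIENT_SECRET, form_encode=False))  # ('foo', 'bar:password')
    # Encoded per RFC 6749: the provider recovers "foo:bar" / "password" intact.
    print(round_trip(CLIENT_ID, CLIENT_SECRET, form_encode=True))   # ('foo:bar', 'password')
```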

Labels

  • bug: Something isn't working
  • ready for release: Issue is fixed and merged into develop, ready for next release
