
Add OIDC login to Helidon#3

Draft
mraible wants to merge 13 commits into main from oidc

Conversation

mraible (Contributor) commented May 11, 2022

No description provided.

Base automatically changed from init to main May 12, 2022 02:31
mraible (Contributor, Author) commented May 12, 2022

I tried using this example, and added a few keys:

security.providers.abac=true
security.providers.oidc.header-atn=true
security.providers.oidc.redirect-uri=/oidc/redirect

However, this results in an error on startup:

2022.05.12 09:18:16 INFO io.helidon.common.LogConfig Thread[main,5,main]: Logging at initialization configured using classpath: /logging.properties
Exception in thread "main" io.helidon.security.SecurityException: Configuration key redirect-uri is not a valid provider configuration. Supported keys: http-signatures, jwt, header-atn, http-basic-auth, http-digest-auth, oidc, mp-jwt-auth, abac
        at io.helidon.security.Security$Builder.findProviderService(Security.java:1441)
        at io.helidon.security.Security$Builder.lambda$findProviderService$15(Security.java:1429)

mraible (Contributor, Author) commented May 13, 2022

Error is now:

2022.05.13 13:03:14 INFO io.helidon.common.LogConfig Thread[main,5,main]: Logging at initialization configured using classpath: /logging.properties
Exception in thread "main" io.helidon.common.Errors$ErrorMessagesException: FATAL: Failed to load metadata: io.helidon.webclient.WebClientException: Invalid uri /.well-known/openid-configuration. Uri.getHost() returned null. from /.well-known/openid-configuration at io.helidon.webclient.WebClientException: Invalid uri /.well-known/openid-configuration. Uri.getHost() returned null.
        at io.helidon.common.Errors.checkValid(Errors.java:183)
        at io.helidon.security.providers.oidc.common.OidcConfig$Builder.build(OidcConfig.java:1133)
        at io.helidon.security.providers.oidc.common.OidcConfig.create(OidcConfig.java:463)
        at io.helidon.security.providers.oidc.OidcProvider$Builder.config(OidcProvider.java:699)
        at io.helidon.security.providers.oidc.OidcProvider.create(OidcProvider.java:207)
        at io.helidon.security.providers.oidc.OidcProviderService.providerInstance(OidcProviderService.java:45)
        at io.helidon.security.Security$Builder.providerFromConfig(Security.java:1334)

mraible (Contributor, Author) commented May 13, 2022

I've confirmed locally that Helidon 3 only works with Java 17+.

mraible (Contributor, Author) commented Aug 16, 2022

@tomas-langer I'm still unable to get OIDC working with Helidon 3. If I start the app and go to http://localhost:8080, it does redirect me to Okta. However, when it comes back to the app, it gives me a 401 in my browser.

[screenshot: Screen Shot 2022-08-16 at 16 14 26]

mraible (Contributor, Author) commented Aug 16, 2022

I tried upgrading to Helidon 3.0.1 and now I get a 401 when I launch http://localhost:8080.

[screenshot: Screen Shot 2022-08-16 at 16 21 50]

mraible (Contributor, Author) commented Sep 10, 2022

@tomas-langer I tested this again today with the latest bits. Hitting http://localhost:8080 still results in a 401. I expect it to redirect to Okta. The logging says:

2022.09.10 09:26:51 FINEST io.helidon.security.providers.oidc.OidcProvider Thread[helidon-server-1,5,server]: Missing token, could not find in either of: [header, cookie]

If I try hitting /hello with a valid access token, it also fails:

2022.09.10 09:27:06 SEVERE io.helidon.security.providers.oidc.OidcProvider Thread[helidon-client-0,5,security-thread-pool]: Fatal issues found:
FATAL: Audience must contain [https://dev-17700857.okta.com/], yet it is: Optional[[api://default]] at io.helidon.security.jwt.Jwt@409c599e

The default audience for Okta dev accounts is api://default, so it seems like Helidon is making some incorrect assumptions about what the audience should be.
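
The audience failure in the log above is the standard OIDC resource-server check: after the signature is verified, the token's iss, aud and exp claims must match what the application was configured to expect, and a token whose aud is Okta's default api://default will never satisfy an application that expects aud to equal its issuer URL. The following is an added example illustrating that check generically in Python; it is not Helidon's code and not part of this PR. The issuer and audience values are taken from the log line above; the sample token is constructed and unsigned (alg "none") purely to feed the claim checks, and the helper names (make_unsigned_jwt, check_claims, validate_token) are hypothetical.

```python
import base64
import json
import time
from typing import List, Optional, Set

# Values taken from the log line in the comment above.
ISSUER = "https://dev-17700857.okta.com/"
OKTA_DEFAULT_AUDIENCE = "api://default"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED token (alg "none") so the checks below have realistic
    input. Signature verification is deliberately out of scope here; a real
    resource server must verify the signature before trusting any claim."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode("utf-8")),
                     b64url_encode(json.dumps(claims).encode("utf-8")), ""])


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_claims(claims: dict, expected_issuer: str, expected_audiences: Set[str],
                 now: Optional[float] = None) -> List[str]:
    """Return the list of FATAL-style problems; an empty list means the claims pass.
    These are the issuer, audience and expiry checks applied after signature
    verification."""
    problems = []
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        problems.append(f"Issuer must be {expected_issuer}, yet it is: {claims.get('iss')!r}")
    # RFC 7519: "aud" may be a single string or an array of strings; accept the
    # token if any listed audience is one the application was configured for.
    aud = claims.get("aud", [])
    aud_set = {aud} if isinstance(aud, str) else set(aud)
    if not aud_set & expected_audiences:
        problems.append(f"Audience must contain {sorted(expected_audiences)}, "
                        f"yet it is: {sorted(aud_set)}")
    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append("Token is missing an exp claim or has expired")
    return problems


def validate_token(token: str, expected_issuer: str, expected_audiences: Set[str],
                   now: Optional[float] = None) -> List[str]:
    return check_claims(decode_claims(token), expected_issuer, expected_audiences, now)


# Constructed sample claims mirroring what Okta's default authorization server
# issues: the audience is api://default, not the issuer URL.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": OKTA_DEFAULT_AUDIENCE,
                 "sub": "user@example.com", "exp": 1_700_000_000}
SAMPLE_TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)

if __name__ == "__main__":
    # Expecting aud to equal the issuer (the assumption the log complains about) fails:
    print(validate_token(SAMPLE_TOKEN, ISSUER, {ISSUER}, now=1_600_000_000))
    # Expecting the audience actually configured on the authorization server passes:
    print(validate_token(SAMPLE_TOKEN, ISSUER, {OKTA_DEFAULT_AUDIENCE}, now=1_600_000_000))
```

Run as a script, the first call reports the same audience mismatch the Helidon log shows, and the second returns an empty list. The practical point for the app configuration is that the expected audience has to be whatever the authorization server actually puts in aud (api://default for an Okta dev account), rather than defaulting to the issuer.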

@mraible mraible marked this pull request as draft September 10, 2022 15:31