Communicate between Quarkus webapps using OIDC authentication

[TheMightyE]

Hello! I have two Quarkus applications (app-a and app-b). Both are authenticated using our company's OIDC provider and both are within the same kubernetes cluster.. When a user clicks a link in app-a, I redirect them to app-b in a new tab. However, if the user is not already authenticated in app-b, they are redirected to the root page of app-b. When this happens, the URL in the new tab removes the endpoint from the URL and only keeps the query parameters. For example, if I redirect in a new tab to URL app-b.company.com/endpoint?query1=help&query2=me, they are redirected to app-b.company.com/?query1=help&query2=me after app-b authenticates them. If the same link is click in app-a again now, user is correctly redirected to the proper URL in the new tab.

How can I properly authenticate the user using our OIDC so when the user clicks the link in app-a, they are redirected to app-b without having to authenticate in app-b again?

I'm certain I left out useful information, so please ask questions for clarification. My application.properties:

quarkus.native.resources.includes=META-INF/*.xml,*.properties
quarkus.oidc.auth-server-url=${AUTH_SERVER_URL}
quarkus.oidc.client-id=${CLIENT_ID}}
quarkus.oidc.credentials.secret=${OIDC_SECRET}
quarkus.oidc.authentication.force-redirect-https-scheme=${FORCE_HTTPS}
quarkus.oidc.authentication.restore-path-after-redirect=true
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated

[sberyozkin]

@TheMightyE Hi,

Quarkus OIDC itself should not be dropping /endpoint during its own redirects.

Try to redirect without query parameters, as in app-b.company.com/endpoint and see if it changes it.
What happens if you avoid restoring the request path after the redirect, set that property to false ?
Do you configure quarkus.oidc.authentication.redirect-path ?

I suspect at some point Quarkus only sees app-b.company.com, instead of app-b.company.com/endpoint. I can add some extra logging if it proves difficult to identify the problem with the above checks.
Though I think if you enable https://quarkus.io/guides/http-reference#configuring-http-access-logs, it should already let you see if
app-b.company.com/endpoint is visible as a request URI

[TheMightyE]

Hello @sberyozkin. The same issue is seen if I redirect without the query parameters. Same thing if quarkus.oidc.authentication.restore-path-after-redirect is removed or set to false. I do not configure quarkus.oidc.authentication.redirect-path. I used to have it set it to / but I removed it since it made no difference. I am going to add that extra HTTP logging you mentioned and see if anything stands out.

[TheMightyE]

Also do you customise http root ?

What do you mean by this?

[sberyozkin]

@TheMightyE See https://quarkus.io/guides/http-reference#context-path

OK, please investigate further and I can add some OIDC specific logging if necessary

[TheMightyE]

The issue was that my change quarkus.oidc.authentication.restore-path-after-redirect=true didn't successfully deploy which was missed by us. I appreciate your prompt responses and willingness to help, even going as far as offering to add additional logs. I will be sure to return to this forum for future problems. Thanks @sberyozkin.

[sberyozkin]

@TheMightyE Np at all, good you've made it work