Problems with allowedIssuers

[volkflo]

Apiman Version

3.1.2.Final

Apiman Manager Distro

Tomcat

Apiman Gateway Distro

Vert.x

Java Version

11

Operating System

Linux

Are you running Apiman in a container, or on an orchestration platform?

Kubernetes

Describe the bug

Recent changes (759a0d2) cause problems depending on your keycloak endpoint.

If the auth server url contains an path with / (e.g. http://keycloak/my/Cool/Path) the following does not work:

apiman/gateway/platforms/vertx3/vertx3/src/main/java/io/apiman/gateway/platforms/vertx3/api/auth/KeycloakOAuthFactory.java

Lines 178 to 194 in c441939

	private static String buildIssuerWithRealm(String issuerServer, String realmName) {
	try {
	URIBuilder builder = new URIBuilder(issuerServer);
	List<String> pathSegments = Stream.of(builder.getPath(), "realms", realmName)
	.filter(Objects::nonNull)
	.collect(Collectors.toList());
	URI uri = builder
	.setPathSegments(pathSegments)
	.build();
	return uri.toString();
	} catch (URISyntaxException e) {
	throw new RuntimeException(e);
	}
	}

The path is treated as one segment which causes problems in the later URL constructions as the / will be encoded to %2f which causes problems in the discovery.

In addition this feature forces you to use allowedIssuers.
If you do not want this (as you may are only using the internal domain) we should the option in the default config to disabled allowedIssuer checks.

Expected behaviour

Path should be correctly supported.

We could do it something like this, which correctly splits the path by /

List<String> pathSegments = builder.getPathSegments();
         pathSegments.add("realms");
         pathSegments.add(realmName);

In addition the check can be disabled via "validateIssuer": false in the gateway config json.

Actual behaviour

No response

How to Reproduce

No response

Relevant log output

No response

Anything else?

No response

[msavy]

Did you make a PR for this? Or you just letting me know about it

[volkflo]

Ehm, that is a good question.
Will check again. I can probably provide a PR.
First, I have to remember if a fixed it already or just disabled the check

[msavy]

Unless there is a compelling reason, I'm probably not going to do another v3 release, so may not be worth it.

[volkflo]

Yeah, I guess that is not worth it as this is a very special use case for us.
Not sure how much changes are for Apiman 4 but I guess it would be useful for the V4 release

[msavy]

In addition to what I've mentioned before re: Apiman 4, I'm focussing on areas as requested by those who financially support the project (i.e. work with Black Parrot Labs to ensure the project can continue), so there will be a fair number of changes both upstream and downstream.

Obviously, there's a heck of a lot to do, especially in combination with my other obligations (and trying not to completely burn myself out).