I have a third party vendor web application (Angular based served by IIS) which I previously integrated with our Keycloak 11 instance (Implicit flow). It has been working fine. The vendor has released a new version which I am testing, but the integration to Keycloak no longer works.
Getting specifics from the vendor has been challenging, but it seems they have updated some third party library which appears to have changed its default behaviour. Doing a little tracing and I see that the application server queries Keycloak on /auth/realms/{my_realm}/protocol/openid-connect/certs with an Accept header of application/jwk-set+json. Keycloak is replying with a 406 (not acceptable).
Is this an Access Type issue? It was previously Public so is the behaviour now consistent with Confidential and if so which Client Authenticator applies?
Thanks for the reply, but I’m not sure it does. I am in no way a OIDC expert, but I was working under the assumption that a configuration change of Keycloak would result in it expecting and accepting the application/jwk-set+json header I mentioned. Is the header not meant as a parameter to the receiving OIDC server to alter its behaviour per the protocol?
The provider you tested against may simply not have the functionality enabled either.
I think I’m starting to understand. He may be referring to Section 7 of RFC 7517. The new version of the OIDC client library my vendor is using must have simply started being explicit by specifying the MIME type in the Accept header. Given that the server’s response is in this format it seems reasonable to expect the server to recognize the MIME type in the Accept header.
Given that Keycloak responds to this URI appropriately when the application/jwk-set+json MIME type is not specified, am I correct in thinking that Wildfly/Undertow is responding with the 406 before even passing it to Keycloak? If so, how can I add the new MIME type to the list of accepted values to get around this temporarily?
I don’t believe that this RFC is saying what MUST be accepted by the server in the Accept header. It defines only what MUST be returned in the cty (Content Type header - request headers != response headers).
Requested Accept: jwk-set+json, but application/json returned (that’s correct, it doesn’t contain private key, so it doesn’t need to be jwk-set+json type).
I would say it will be nice to have if server accepts anything in the accept header, which is not default Keycloak behaviour in this case, but I don’t believe it is some RFC violation.
For me it looks like your vendor is very strict. Probably it has tested lib with IDP, which has different (opinionated) implementation and they are expecting that all other IDPs will have the same behaviour.
Interesting discussion. I think you’re correct. The spec is only specific about the response, not the request. I had a look at section 14 of the HTTP spec regarding the Accept header which states : If an Accept header field is present, and if the server cannot send a response which is acceptable according to the combined Accept field value, then the server SHOULD send a 406 (not acceptable) response.
Technically, Google is compliant, but only because the weaker “SHOULD” (and not “MUST”) is stated in the spec. Google is simply ignoring the Accept header. This is arguably incorrect behaviour, but technically correct.
Practically, I think it would be appropriate for the IDP to allow the client to specify “application/jwk-set+json” in the request Accept header if it is expected in the response. This is the format Keycloak is responding in is it not?
Theoretical aside, I still need a way to get around this in the short term. I’ve set an Undertow expression-filter in standalone.xml with expression=“set(attribute=’%{i,Accept}’,value=’*/*’)” and this does the trick, but am I opening myself to other potential problems? I’d feel a little better if I could “tighten” this up a bit.
I would use workaround: drop Accept header for JWK endpoint URLS on the reverse proxy level.
Solution: ask your third party vendor web application to fix it. They shouldn’t rely on this behaviour, when RFC doesn’t specify it strictly as MUST.