reverted

example-config.yml

@@ -19,4 +19,4 @@ auth_client.config.raw: >
     "confidential-port": 0,
     "clientId": "registrationService"
   }
-auth_client.public_keys_url: "http://localhost:8080/realms/demoRealm/protocol/openid-connect/certs"
+auth_client.public_keys_url: "http://localhost:8080/auth/realms/demoRealm/protocol/openid-connect/certs"

pkg/configuration/configuration.go

@@ -178,7 +178,7 @@ func (r AuthConfig) AuthClientConfigRaw() string {
 }
 
 func (r AuthConfig) AuthClientPublicKeysURL() string {
-	return commonconfig.GetString(r.c.AuthClientPublicKeysURL, "https://sso.devsandbox.dev/realms/sandbox-dev/protocol/openid-connect/certs")
+	return commonconfig.GetString(r.c.AuthClientPublicKeysURL, "https://sso.devsandbox.dev/auth/realms/sandbox-dev/protocol/openid-connect/certs")
 }
 
 func (r AuthConfig) SSOBaseURL() string {

pkg/configuration/configuration_test.go

@@ -49,7 +49,7 @@ func TestRegistrationService(t *testing.T) {
 		assert.Equal(t, "application/json; charset=utf-8", regServiceCfg.Auth().AuthClientConfigContentType())
 		assert.Equal(t, `{"realm": "sandbox-dev","auth-server-url": "https://sso.devsandbox.dev/auth","ssl-required": "none","resource": "sandbox-public","clientId": "sandbox-public","public-client": true, "confidential-port": 0}`,
 			regServiceCfg.Auth().AuthClientConfigRaw())
-		assert.Equal(t, "https://sso.devsandbox.dev/realms/sandbox-dev/protocol/openid-connect/certs", regServiceCfg.Auth().AuthClientPublicKeysURL())
+		assert.Equal(t, "https://sso.devsandbox.dev/auth/realms/sandbox-dev/protocol/openid-connect/certs", regServiceCfg.Auth().AuthClientPublicKeysURL())
 		assert.Equal(t, "https://sso.devsandbox.dev", regServiceCfg.Auth().SSOBaseURL())
 		assert.Equal(t, "sandbox-dev", regServiceCfg.Auth().SSORealm())
 		assert.False(t, regServiceCfg.Verification().Enabled())

pkg/proxy/proxy.go

@@ -51,11 +51,11 @@ const (
 )
 
 func ssoWellKnownTarget() string {
-	return fmt.Sprintf("%s/realms/%s/.well-known/openid-configuration", configuration.GetRegistrationServiceConfig().Auth().SSOBaseURL(), configuration.GetRegistrationServiceConfig().Auth().SSORealm())
+	return fmt.Sprintf("%s/auth/realms/%s/.well-known/openid-configuration", configuration.GetRegistrationServiceConfig().Auth().SSOBaseURL(), configuration.GetRegistrationServiceConfig().Auth().SSORealm())
 }
 
 func openidAuthEndpoint() string {
-	return fmt.Sprintf("/realms/%s/protocol/openid-connect/auth", configuration.GetRegistrationServiceConfig().Auth().SSORealm())
+	return fmt.Sprintf("/auth/realms/%s/protocol/openid-connect/auth", configuration.GetRegistrationServiceConfig().Auth().SSORealm())
 }
 
 func authorizationEndpointTarget() string {
@@ -146,10 +146,10 @@ func (p *Proxy) StartProxy(port string) *http.Server {
 	// Here is the expected flow for the "oc login -w" command:
 	// 1. "oc login -w --server=<proxy_url>"
 	// 2. oc calls <proxy_url>/.well-known/oauth-authorization-server (wellKnownOauthConfigEndpoint endpoint)
-	// 3. proxy forwards it to <sso_url>/realms/<sso_realm>/.well-known/openid-configuration
-	// 4. oc starts an OAuth flow by opening a browser for <proxy_url>/realms/<realm>/protocol/openid-connect/auth
+	// 3. proxy forwards it to <sso_url>/auth/realms/<sso_realm>/.well-known/openid-configuration
+	// 4. oc starts an OAuth flow by opening a browser for <proxy_url>/auth/realms/<realm>/protocol/openid-connect/auth
 	// 5. proxy redirects (the request is not proxied but redirected via 403 See Others response!) the request
-	//    to <sso_url>/realms/<realm>/protocol/openid-connect/auth
+	//    to <sso_url>/auth/realms/<realm>/protocol/openid-connect/auth
 	//    Note: oc uses this hardcoded public (no secret) oauth client name: "openshift-cli-client" which has to exist in SSO to make this flow work.
 	// 6. user provides the login credentials in the sso login page
 	// 7. all following oc requests (<proxy_url>/auth/*) go to the proxy and forwarded to SSO as is. This is used to obtain the generated token by oc.

pkg/proxy/proxy_test.go

@@ -314,7 +314,7 @@ func (s *TestProxySuite) checkWebLogin() {
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(http.StatusOK)
 			switch p := r.URL.Path; p {
-			case "/realms/sandbox-dev/.well-known/openid-configuration":
+			case "/auth/realms/sandbox-dev/.well-known/openid-configuration":
 				_, err := w.Write([]byte("mock SSO configuration"))
 				require.NoError(s.T(), err)
 			case "/auth/anything":
@@ -343,10 +343,10 @@ func (s *TestProxySuite) checkWebLogin() {
 				ExpectedResponse:   "mock SSO configuration",
 			},
 			"oidc": {
-				RequestURL:         "http://localhost:8081/realms/sandbox-dev/protocol/openid-connect/auth?state=mystate&code=mycode",
+				RequestURL:         "http://localhost:8081/auth/realms/sandbox-dev/protocol/openid-connect/auth?state=mystate&code=mycode",
 				ExpectedStatusCode: http.StatusSeeOther,
 				ExpectedHeaders: map[string]string{
-					"Location": testServer.URL + "/realms/sandbox-dev/protocol/openid-connect/auth?state=mystate&code=mycode",
+					"Location": testServer.URL + "/auth/realms/sandbox-dev/protocol/openid-connect/auth?state=mystate&code=mycode",
 				},
 			},
 			"other auth requests": {

test/fake/keycloak.go

@@ -10,7 +10,7 @@ var certsContent = `{"keys":[{"kid":"E3DKGdZQ7xTiIvfdFgVXLNupVupFBlcxNUgVCFhDwEg
 
 func MockKeycloakCertsCall(t *testing.T) {
 	gock.New("https://sso.devsandbox.dev").
-		Get("realms/sandbox-dev/protocol/openid-connect/certs").
+		Get("auth/realms/sandbox-dev/protocol/openid-connect/certs").
 		Persist().
 		Reply(200).
 		BodyString(certsContent)