dervoeti opened a new issue, #19019:
URL: https://github.com/apache/druid/issues/19019

   ### Affected Version
   
   Verified with 35.0.1; 34.0.0 and before should not be affected. 35.0.0 and 
36.0.0 are probably affected as well.
   
   ### Description
   
   The upgrade of pac4j to 5.7.3 in Druid 35 introduced support for the 
`private_key_jwt` client authentication method (added in pac4j 5.7.0).
   Since Druid 35, OIDC login against Keycloak fails with an error.
   pac4j's `OidcAuthenticator` auto-detects the token-endpoint authentication 
method by calling `firstSupportedMethod()`, which iterates the methods 
advertised by the authorization server's 
`token_endpoint_auth_methods_supported` in priority order.
   Keycloak advertises `private_key_jwt` before `client_secret_post`. pac4j 
therefore selects `private_key_jwt`, but Druid has no private-key material 
configured, only a client secret, so the request fails.
   
   #### Steps to reproduce
   
   1. Deploy Keycloak (any recent version). Create a realm and a client with 
Standard Flow enabled. Note the client-id and generate a client secret.
   
   2. Deploy Druid 35.0.1 with the `druid-pac4j` extension and the following 
properties (adjust to your environment):
   
   ```properties
   druid.auth.authenticatorChain=["DruidSystemAuthenticator","Oidc"]
   druid.auth.authenticator.Oidc.type=pac4j
   druid.auth.authenticator.Oidc.authorizerName=OidcAuthorizer
   druid.auth.pac4j.cookiePassphrase=<random-string>
   druid.auth.pac4j.oidc.clientID=<your-client-id>
   druid.auth.pac4j.oidc.clientSecret=<your-client-secret>
   druid.auth.pac4j.oidc.discoveryURI=https://<keycloak-host>/realms/<realm>/.well-known/openid-configuration
   druid.auth.pac4j.oidc.oidcClaim=preferred_username
   druid.auth.pac4j.oidc.scope=openid email profile
   ```
   
   3. Open the Druid console in a browser, it should fail with an error like:
   `HTTP ERROR 500 org.pac4j.core.exception.TechnicalException: 
privateKeyJwtConfig cannot be null`
   
   I will raise a PR with a fix for this shortly.
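The selection logic the report describes, as an added example that is not part of the issue, of Druid, or of pac4j: it parses a constructed discovery document whose `token_endpoint_auth_methods_supported` ordering mirrors what the report says Keycloak advertises, reproduces the "first advertised method wins" choice attributed to pac4j's `firstSupportedMethod()`, and contrasts it with a hypothetical credential-aware selection that only picks a method the client can actually satisfy. The discovery JSON, the `METHOD_REQUIRES` table and all function names are assumptions made for the example.

```python
"""Added example: token-endpoint client-auth method selection.

Not Druid or pac4j code. Models the failure in the issue: the server
lists private_key_jwt first, the client only holds a client secret,
and taking the first advertised method produces an unsatisfiable
choice. The discovery document is constructed for this example.
"""
import json

# Constructed sample discovery document (ordering as described in the
# issue for a Keycloak realm; unrelated fields omitted).
KEYCLOAK_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example/realms/druid",
    "token_endpoint": "https://keycloak.example/realms/druid/protocol/openid-connect/token",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "tls_client_auth",
        "client_secret_jwt",
    ],
})

# Which credential a client needs to use each method (assumed mapping;
# "none" and unknown methods map to None and are never auto-selected).
METHOD_REQUIRES = {
    "client_secret_basic": "client_secret",
    "client_secret_post": "client_secret",
    "client_secret_jwt": "client_secret",
    "private_key_jwt": "private_key",
    "tls_client_auth": "client_cert",
}


def advertised_methods(discovery_json):
    """Return the server's advertised methods in the order it lists them.

    OIDC Discovery defines client_secret_basic as the default when the
    field is absent, so that is what we fall back to.
    """
    doc = json.loads(discovery_json)
    return list(doc.get("token_endpoint_auth_methods_supported",
                        ["client_secret_basic"]))


def first_supported_method(methods):
    """Behaviour the issue attributes to pac4j: take the first advertised method,
    without checking whether the client holds the credential it requires."""
    return methods[0]


def select_compatible_method(methods, configured_credentials):
    """Hypothetical fix: first advertised method whose required credential
    the client actually has. Raises instead of silently choosing something
    the client cannot satisfy (or downgrading to no authentication)."""
    for method in methods:
        needed = METHOD_REQUIRES.get(method)
        if needed is not None and needed in configured_credentials:
            return method
    raise ValueError(
        "no advertised auth method matches configured credentials "
        f"{sorted(configured_credentials)}: server offers {methods}")


def diagnose(discovery_json, configured_credentials):
    """Report what naive selection picks and whether the client can use it."""
    methods = advertised_methods(discovery_json)
    picked = first_supported_method(methods)
    needed = METHOD_REQUIRES.get(picked)
    return {
        "advertised": methods,
        "naive_pick": picked,
        "naive_pick_usable": needed is not None and needed in configured_credentials,
    }


if __name__ == "__main__":
    # Druid as configured in the issue: a client secret, no private key.
    creds = {"client_secret"}
    print(diagnose(KEYCLOAK_DISCOVERY, creds))
    print("compatible:", select_compatible_method(
        advertised_methods(KEYCLOAK_DISCOVERY), creds))
```

Run against your own realm by replacing `KEYCLOAK_DISCOVERY` with the body of `/realms/<realm>/.well-known/openid-configuration`; if `private_key_jwt` appears before the `client_secret_*` entries and you only configured `clientSecret`, the naive pick is unusable, which matches the `privateKeyJwtConfig cannot be null` failure in the report.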


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

