From eb546ab9f9c24c112c6ead0f4626215c6479c40c Mon Sep 17 00:00:00 2001 From: dervoeti Date: Mon, 9 Mar 2026 11:42:55 +0100 Subject: [PATCH 1/2] docs: add a note about known OIDC issue in Druid 35 --- docs/modules/druid/pages/usage-guide/security.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/modules/druid/pages/usage-guide/security.adoc b/docs/modules/druid/pages/usage-guide/security.adoc index d0e54d32..de90f5a1 100644 --- a/docs/modules/druid/pages/usage-guide/security.adoc +++ b/docs/modules/druid/pages/usage-guide/security.adoc @@ -102,6 +102,9 @@ The secret containing the OIDC client credentials should be structured like this include::example$druid-oidc-authentication.yaml[tag=secret] ---- +NOTE: OIDC authentication may fail with Druid 35 due to a change in how the authentication method is selected when connecting to an OIDC provider. +If your OIDC provider (e.g. Keycloak) advertises `private_key_jwt` as a supported client authentication method, Druid 35 may attempt to use it, which causes authentication to fail. + === Current Limitations and Upcoming Work At the moment you can either use TLS, LDAP or OIDC authentication but not a combination of authentication methods. From 81c226355c8fe83022b9e9a29a86a9e987e06283 Mon Sep 17 00:00:00 2001 From: Lukas Krug Date: Tue, 10 Mar 2026 14:02:39 +0100 Subject: [PATCH 2/2] Update docs/modules/druid/pages/usage-guide/security.adoc Co-authored-by: Malte Sander --- docs/modules/druid/pages/usage-guide/security.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/modules/druid/pages/usage-guide/security.adoc b/docs/modules/druid/pages/usage-guide/security.adoc index de90f5a1..d5752f77 100644 --- a/docs/modules/druid/pages/usage-guide/security.adoc +++ b/docs/modules/druid/pages/usage-guide/security.adoc 
@@ -102,8 +102,8 @@ The secret containing the OIDC client credentials should be structured like this include::example$druid-oidc-authentication.yaml[tag=secret] ---- -NOTE: OIDC authentication may fail with Druid 35 due to a change in how the authentication method is selected when connecting to an OIDC provider. -If your OIDC provider (e.g. Keycloak) advertises `private_key_jwt` as a supported client authentication method, Druid 35 may attempt to use it, which causes authentication to fail. +NOTE: OIDC authentication may fail since Druid versions `35.x.x` and `36.x.x` due to a change in how the authentication method is selected when connecting to an OIDC provider. +If your OIDC provider (e.g. Keycloak) advertises `private_key_jwt` as a supported client authentication method, Druid may attempt to use it, which causes authentication to fail. === Current Limitations and Upcoming Work
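Review bot: The NOTE added in [PATCH 1/2] after the `tag=secret` include describes the failure but gives the reader nothing to act on. The subject calls this a "known OIDC issue", yet the text has no link to an upstream issue and does not say whether a workaround exists. Suggest adding a reference to the tracking issue, one sentence on what an operator should do (or that there is currently no workaround), and a short description of how the failure shows up so users can recognize it.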
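Review bot: In [PATCH 2/2], the reworded first line of the NOTE ("may fail since Druid versions `35.x.x` and `36.x.x`") combines "since" with a list of two versions, so it is unclear whether only those two release lines are affected or everything from 35 onward. Suggest "may fail with Druid `35.x.x` and `36.x.x`" if the list is exhaustive, or "starting with Druid 35" if it is open-ended. The second line now reads "Druid may attempt to use it" with no version at all, which can be read as applying to every Druid version; "affected Druid versions may attempt to use it" would keep the scope consistent with the first sentence.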