Affected Version
Verified with 35.0.1. 34.0.0 and earlier should not be affected; 35.0.0 and 36.0.0 are probably affected as well.
Description
The upgrade of pac4j to 5.7.3 in Druid 35 introduced support for the private_key_jwt client authentication method (added in pac4j 5.7.0).
Since Druid 35, OIDC login against Keycloak fails with an error.
pac4j's OidcAuthenticator auto-detects the token-endpoint client authentication method by calling firstSupportedMethod(), which walks the list the authorization server advertises in token_endpoint_auth_methods_supported, in the server's order, and picks the first method pac4j knows how to perform.
Keycloak advertises private_key_jwt ahead of client_secret_post. pac4j therefore selects private_key_jwt without checking what credentials are configured; Druid has no private-key material, only a client secret, so the token request cannot be built and the login fails.
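The selection rule above, modelled in Python as an added example (this is not pac4j's or Druid's code). It reproduces the failure mode the issue describes, where the first server-advertised method wins regardless of configured credentials, beside a credential-aware variant that only picks a method the client can actually perform. The supported-method list, the discovery document and the client configuration are constructed for the example; in particular the discovery excerpt only mirrors the ordering the issue reports for Keycloak.

```python
"""Model of token-endpoint client-authentication auto-detection.

Added example, not code from Druid or pac4j. first_supported_method() is the
rule the issue describes; resolve_auth_method() is a credential-aware
alternative. All inputs below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Methods the client library knows how to perform. Assumption: an
# illustrative list, not pac4j's exact table.
CLIENT_LIBRARY_METHODS = ("client_secret_post", "client_secret_basic",
                          "private_key_jwt", "none")

# Client-side credential each method needs.
NEEDS_SECRET = {"client_secret_post", "client_secret_basic", "client_secret_jwt"}
NEEDS_PRIVATE_KEY = {"private_key_jwt"}

# Constructed excerpt of a Keycloak-style discovery document
# (/realms/<realm>/.well-known/openid-configuration). The order of
# token_endpoint_auth_methods_supported mirrors the issue's observation
# that private_key_jwt is advertised ahead of the client_secret_* methods.
KEYCLOAK_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example/realms/demo",
    "token_endpoint": "https://keycloak.example/realms/demo/protocol/openid-connect/token",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt", "client_secret_basic", "client_secret_post",
        "tls_client_auth", "client_secret_jwt",
    ],
})


@dataclass
class ClientConfig:
    client_id: str
    client_secret: Optional[str] = None
    private_key_pem: Optional[str] = None
    preferred_method: Optional[str] = None  # explicit operator override, if any

    def can_perform(self, method: str) -> bool:
        """True when the configured credentials suffice for this method."""
        if method in NEEDS_SECRET:
            return self.client_secret is not None
        if method in NEEDS_PRIVATE_KEY:
            return self.private_key_pem is not None
        return method == "none"


def advertised_methods(discovery_json: str) -> list:
    """token_endpoint_auth_methods_supported from a discovery document."""
    return list(json.loads(discovery_json).get(
        "token_endpoint_auth_methods_supported", []))


def first_supported_method(discovery_json: str,
                           library_methods=CLIENT_LIBRARY_METHODS) -> Optional[str]:
    """Rule the issue describes: first server-advertised method the library
    supports, in the server's order, ignoring configured credentials."""
    for method in advertised_methods(discovery_json):
        if method in library_methods:
            return method
    return None


def resolve_auth_method(discovery_json: str, config: ClientConfig,
                        library_methods=CLIENT_LIBRARY_METHODS) -> str:
    """Credential-aware selection: an explicit preference wins if the server
    advertises it and the client can perform it; otherwise the first
    advertised method that is both supported and backed by credentials."""
    advertised = advertised_methods(discovery_json)
    if config.preferred_method is not None:
        m = config.preferred_method
        if m not in advertised:
            raise ValueError(f"{m} is not advertised by the server: {advertised}")
        if m not in library_methods or not config.can_perform(m):
            raise ValueError(f"{m} is advertised but the client cannot perform it")
        return m
    for method in advertised:
        if method in library_methods and config.can_perform(method):
            return method
    raise ValueError(f"no usable client auth method; server offers {advertised}")


if __name__ == "__main__":
    # Secret-only client, as in the Druid configuration from the issue.
    cfg = ClientConfig(client_id="druid", client_secret="s3cr3t")
    picked = first_supported_method(KEYCLOAK_DISCOVERY)
    print("auto-detected:", picked, "usable:", cfg.can_perform(picked))
    print("credential-aware:", resolve_auth_method(KEYCLOAK_DISCOVERY, cfg))
```

Run against a real deployment by replacing KEYCLOAK_DISCOVERY with the body fetched from the discoveryURI configured for Druid; the auto-detected value is what the library would try, and a mismatch with can_perform() is the condition that produces the login failure.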
Steps to reproduce
- Deploy Keycloak (any recent version). Create a realm and a client with Standard Flow enabled. Note the client ID and generate a client secret.
- Deploy Druid 35.0.1 with the `druid-pac4j` extension and the following properties (adjust to your environment):

  ```properties
  druid.auth.authenticatorChain=["DruidSystemAuthenticator","Oidc"]
  druid.auth.authenticator.Oidc.type=pac4j
  druid.auth.authenticator.Oidc.authorizerName=OidcAuthorizer
  druid.auth.pac4j.cookiePassphrase=<random-string>
  druid.auth.pac4j.oidc.clientID=<your-client-id>
  druid.auth.pac4j.oidc.clientSecret=<your-client-secret>
  druid.auth.pac4j.oidc.discoveryURI=https://<keycloak-host>/realms/<realm>/.well-known/openid-configuration
  druid.auth.pac4j.oidc.oidcClaim=preferred_username
  druid.auth.pac4j.oidc.scope=openid email profile
  ```

- Open the Druid console in a browser. The login should fail with an error like:

  ```
  HTTP ERROR 500 org.pac4j.core.exception.TechnicalException: privateKeyJwtConfig cannot be null
  ```
I will raise a PR with a fix for this shortly.