Quarkus 3.10 fails to start if some OIDC providers don't support UserInfo #40412
Replies: 1 comment 7 replies
-
Hi @markusdlugi If you have multiple providers securing the endpoint code which has This recent minor enhancement has been done to address probably the most often heard concern, does Quarkus OIDC has too many properties to set ? This is a perfect example where users can rightly feel annoyed, by thinking something along these lines: we have already expressed an intent that So, IMHO, having In fact I've just looked at the code and it is done at the build time - and we can not detect that early if the provider has UserInfo supported or not. My preference is to update the 3.10 migration guide to highlight this update as a breaking change. Does it sound reasonable to you ? |
Beta Was this translation helpful? Give feedback.
-
Opening this as discussion since I don't know if this can actually be considered to be a bug. Just wanted to discuss this and raise awareness about the behavior 😄
With #39428 some behavior was introduced to automagically detect whether
UserInfo
is injected in the application or not. If that is the case, theuser-info-required
property will be enabled by Quarkus itself.While this is a nice QOL improvement for most Quarkus users, this can cause trouble when there are multiple OIDC providers configured and some of them don't support UserInfo acquisition. For example, we have a corporate OIDC provider that is used for user auth and additionally use an AWS EKS OIDC provider for M2M use-cases. The latter one does not have a user-info endpoint.
In such a scenario, Quarkus will fail to start with the following exception:
Our configuration prior to Quarkus 3.10 looked like this:
The failure can be worked around by explicitly disabling
user-info-required
for the EKS tenant. Therefore, I'm not sure whether this is a bug actually. But it's a little nuisance since such a configuration wasn't required previously. You might argue that most users will rather have a single OIDC provider and so they are less likely to run into this problem, therefore this might still be worth it 😅 But maybe we could have some smartness to avoid the failure in this scenario?Beta Was this translation helpful? Give feedback.
All reactions