IDCS Security Provider Requires Access Token for JWK Access

[jburgess]

Environment Details

• Helidon Version: 2.0.0-M2
• Helidon MP
• JDK version: jdk-11.0.2
• OS: all

---

Problem Description

When attempting to use IDCS security provider for protecting a REST endpoint in an MP implementation the application fails when accessing the IDCS JWK endpoint:

Server returned HTTP response code: 401 for URL: https://[idcs_tenency].oraclecloud.com:443/admin/v1/SigningCert/jwk

The IDCS documentation indicates this endpoint requires an Access Token in order to access this resource.

Expected Behavior

The Helidon IDCS Security provider should authenticate and provide an access token when retrieving the JWK from IDCS.

[tomas-langer]

The general documentation for OpenID connect lists the JWK endpoint as one of the publicly accessible endpoints (and it is also part of the "well-known" URIs listed.
There is an option to make this endpoint public in IDCS. As the endpoint exposes public keys, this should not be considered a security risk.
We can look into the possibility of authenticating against such an endpoint.

[tomas-langer]

This is a bit harder that expected, as requesting the token required to access the endpoint is IDCS specific.
Designing a way to override default behavior through server specific extensions, with idcs being provided out of the box.
This would allow the following oidc configuration:

identity-uri: "some-idcs-host"
client-id: ".."
client-secret: ".."
provider-type: "idcs" #optional key, can be set to "@default" to revert back to default behavior

[tomas-langer]

This approach would allow us (and our users) to add customized implementations for various providers. For 2.0 this is most likely going to be just internal API, as we lack information for well designed public API and we would like to introduce this update for IDCS asap.
Also for the future, we will replace use of Jersey client with Helidon WebClient, which would be an additional backward incompatible change.

[tomas-langer]

The PR changes the behavior as follows:

1. You can configure server-type to idcs to use a token to access JWK
2. If server-type is undefined or any other value, behavior is as before the change (e.g. JWK is expected to be a public endpoint).
3. Default value for server-type is @default for the purpose of reverting back to default via config
4. The change is currently created as a part of the current OidcConfig, as it does not require any third party dependency and is implemented as a single new class. We may decide to use a service loader in the future.