Allow access token verification for Google,Github
sberyozkin committed Apr 23, 2023
1 parent 7cd9c4e commit 2daee4a
Showing 6 changed files with 26 additions and 7 deletions.
Expand Up @@ -1256,8 +1256,16 @@ public static Token fromAudience(String... audience) {
* provider does not have a token introspection endpoint.
* This property will have no effect when JWT tokens have to be verified.
*/
@ConfigItem(defaultValue = "false")
public boolean verifyAccessTokenWithUserInfo;
@ConfigItem(defaultValueDocumentation = "false")
public Optional<Boolean> verifyAccessTokenWithUserInfo = Optional.empty();

public Optional<Boolean> isVerifyAccessTokenWithUserInfo() {
return verifyAccessTokenWithUserInfo;
}

public void setVerifyAccessTokenWithUserInfo(boolean verify) {
this.verifyAccessTokenWithUserInfo = Optional.of(verify);
}

public Optional<String> getIssuer() {
return issuer;
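Review bot: The new `isVerifyAccessTokenWithUserInfo()` / `setVerifyAccessTokenWithUserInfo(boolean)` pair carries no Javadoc, and the property's existing doc does not say that the value is now tri-state: unset (`Optional.empty()`) means "inherit the well-known provider's default", while an explicit `false` overrides it, a distinction that is only visible in the merge logic elsewhere in this commit. Suggest extending the property Javadoc with a sentence such as `Leaving this property unset lets a configured well-known provider (for example GitHub or Google) supply its default; set it explicitly to false to disable the verification for such a provider.` The getter is `is`-prefixed but returns `Optional<Boolean>`, so callers expecting a bean-style boolean will not find one; either a `get`-prefixed name or a one-line doc note would make that explicit. The enclosing `Token` class starts and ends outside this hunk.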
Expand Up @@ -100,7 +100,7 @@ private Uni<SecurityIdentity> validateAllTokensWithOidcServer(RoutingContext ver
TokenAuthenticationRequest request,
TenantConfigContext resolvedContext) {

if (resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo
if (resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false)
&& isOpaqueAccessToken(vertxContext, request, resolvedContext)) {
// UserInfo has to be acquired first as a precondition for verifying opaque access tokens.
// Typically it will be done for bearer access tokens therefore even if the access token has expired
Expand Down Expand Up @@ -269,7 +269,7 @@ && tokenAutoRefreshPrepared(result, vertxContext, resolvedContext.oidcConfig)) {
final String userName;
if (result.introspectionResult == null) {
if (resolvedContext.oidcConfig.token.allowOpaqueTokenIntrospection &&
resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo) {
resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false)) {
userName = "";
} else {
// we don't expect this to ever happen
Expand Down Expand Up @@ -386,7 +386,7 @@ private Uni<TokenVerificationResult> verifyTokenUni(TenantConfigContext resolved
throw new AuthenticationFailedException();
}
// verify opaque access token with UserInfo if enabled and introspection URI is absent
if (resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo
if (resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false)
&& resolvedContext.provider.getMetadata().getIntrospectionUri() == null) {
if (userInfo == null) {
return Uni.createFrom().failure(
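Review bot: `resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false)` is now spelled out at three sites in this file (and the same unwrapping is repeated in the tenant-context setup), so the "unset means false" decision lives in several places and can drift if one of them is later changed on its own. A single accessor on the token config, for example `public boolean isVerifyAccessTokenWithUserInfoEnabled() { return verifyAccessTokenWithUserInfo.orElse(false); }`, would keep the fallback in one place and let these conditions read as they did before the type change. Each enclosing method (`validateAllTokensWithOidcServer`, the method around the `tokenAutoRefreshPrepared` check, and `verifyTokenUni`) starts and ends outside the visible hunks.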
Expand Up @@ -176,7 +176,7 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
throw new ConfigurationException(
"UserInfo is not required but UserInfo is expected to be the source of authorization roles");
}
if (oidcConfig.token.verifyAccessTokenWithUserInfo && !enableUserInfo(oidcConfig)) {
if (oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false) && !enableUserInfo(oidcConfig)) {
throw new ConfigurationException(
"UserInfo is not required but 'verifyAccessTokenWithUserInfo' is enabled");
}
Expand Down Expand Up @@ -238,7 +238,7 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
}
}

if (oidcConfig.token.verifyAccessTokenWithUserInfo) {
if (oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false)) {
if (!oidcConfig.isDiscoveryEnabled().orElse(true)) {
if (oidcConfig.userInfoPath.isEmpty()) {
throw new ConfigurationException(
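Review bot: Because a well-known provider can now supply `verifyAccessTokenWithUserInfo=true` as an inherited default, the check `if (oidcConfig.token.verifyAccessTokenWithUserInfo.orElse(false) && !enableUserInfo(oidcConfig))` can start failing for an existing GitHub or Google tenant whose user only turns UserInfo off (e.g. `userInfoRequired=false`) without also setting `verifyAccessTokenWithUserInfo=false` — assuming `enableUserInfo` depends on that flag, which is not visible here. The resulting ConfigurationException names a property the user never set, so consider either not inheriting the provider default when UserInfo has been explicitly disabled, or pointing the message at the inherited value: `"UserInfo is not required but 'verifyAccessTokenWithUserInfo' is enabled (it defaults to true for this provider; set it to false explicitly)"`. This is a behaviour change for such tenants that the commit message does not mention. `createTenantContext` starts and ends outside this hunk.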
Expand Up @@ -429,6 +429,9 @@ static OidcTenantConfig mergeTenantConfig(OidcTenantConfig tenant, OidcTenantCon
if (tenant.token.issuer.isEmpty()) {
tenant.token.issuer = provider.token.issuer;
}
if (tenant.token.verifyAccessTokenWithUserInfo.isEmpty()) {
tenant.token.verifyAccessTokenWithUserInfo = provider.token.verifyAccessTokenWithUserInfo;
}

return tenant;
}
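Review bot: The new merge branch deserves a comment saying why the field became `Optional` instead of `boolean`: an unset tenant value inherits the provider's default, whereas an explicit tenant `false` must not be overwritten by a provider `true`, and that distinction is invisible at this site. Suggested comment above `if (tenant.token.verifyAccessTokenWithUserInfo.isEmpty()) {`: `// Tri-state on purpose: an unset tenant value inherits the provider default, an explicit false must win over the provider's true, so do not collapse this with orElse().` `mergeTenantConfig` starts outside this hunk.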
Expand Up @@ -39,6 +39,7 @@ private static OidcTenantConfig github() {
ret.getAuthentication().setScopes(List.of("user:email"));
ret.getAuthentication().setUserInfoRequired(true);
ret.getAuthentication().setIdTokenRequired(false);
ret.getToken().setVerifyAccessTokenWithUserInfo(true);
return ret;
}

Expand All @@ -63,6 +64,7 @@ private static OidcTenantConfig google() {
ret.setAuthServerUrl("https://accounts.google.com");
ret.setApplicationType(OidcTenantConfig.ApplicationType.WEB_APP);
ret.getAuthentication().setScopes(List.of("openid", "email", "profile"));
ret.getToken().setVerifyAccessTokenWithUserInfo(true);
return ret;
}
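Review bot: Enabling `setVerifyAccessTokenWithUserInfo(true)` for GitHub and Google makes a successful UserInfo call the acceptance check for opaque access tokens (the authentication-mechanism hunks show it is used only when no introspection endpoint is available), and the provider entries do not record what that check does and does not establish. A UserInfo response shows the token is currently valid at the provider; it does not by itself show that the token was issued to this application or with the scopes this application expects, so if such tokens can reach a tenant as bearer tokens from a third party the check alone does not bind them to the client — whether that matters depends on the application type, which for Google is `WEB_APP` here and for GitHub is set outside the hunk. Suggest a comment on each of the two new lines, e.g. `// Opaque token and no introspection endpoint: accept it if UserInfo accepts it. This does not check which client the token was issued to.` `github()` and `google()` start outside this hunk.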

Expand Up @@ -49,6 +49,7 @@ public void testAcceptGitHubProperties() throws Exception {

assertFalse(config.authentication.idTokenRequired.get());
assertTrue(config.authentication.userInfoRequired.get());
assertTrue(config.token.verifyAccessTokenWithUserInfo.get());
assertEquals(List.of("user:email"), config.authentication.scopes.get());
}

Expand All @@ -66,6 +67,7 @@ public void testOverrideGitHubProperties() throws Exception {

tenant.authentication.setIdTokenRequired(true);
tenant.authentication.setUserInfoRequired(false);
tenant.token.setVerifyAccessTokenWithUserInfo(false);
tenant.authentication.setScopes(List.of("write"));

OidcTenantConfig config = OidcUtils.mergeTenantConfig(tenant, KnownOidcProviders.provider(Provider.GITHUB));
Expand All @@ -80,6 +82,7 @@ public void testOverrideGitHubProperties() throws Exception {

assertTrue(config.authentication.idTokenRequired.get());
assertFalse(config.authentication.userInfoRequired.get());
assertFalse(config.token.verifyAccessTokenWithUserInfo.get());
assertEquals(List.of("write"), config.authentication.scopes.get());
}

Expand Down Expand Up @@ -196,6 +199,7 @@ public void testAcceptGoogleProperties() throws Exception {
assertEquals(ApplicationType.WEB_APP, config.getApplicationType().get());
assertEquals("https://accounts.google.com", config.getAuthServerUrl().get());
assertEquals(List.of("openid", "email", "profile"), config.authentication.scopes.get());
assertTrue(config.token.verifyAccessTokenWithUserInfo.get());
}

@Test
Expand All @@ -206,13 +210,15 @@ public void testOverrideGoogleProperties() throws Exception {
tenant.setApplicationType(ApplicationType.HYBRID);
tenant.setAuthServerUrl("http://localhost/wiremock");
tenant.authentication.setScopes(List.of("write"));
tenant.token.setVerifyAccessTokenWithUserInfo(false);

OidcTenantConfig config = OidcUtils.mergeTenantConfig(tenant, KnownOidcProviders.provider(Provider.GOOGLE));

assertEquals(OidcUtils.DEFAULT_TENANT_ID, config.getTenantId().get());
assertEquals(ApplicationType.HYBRID, config.getApplicationType().get());
assertEquals("http://localhost/wiremock", config.getAuthServerUrl().get());
assertEquals(List.of("write"), config.authentication.scopes.get());
assertFalse(config.token.verifyAccessTokenWithUserInfo.get());
}

@Test
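Review bot: The new assertions cover the two directions that are easy to get right (provider default accepted, explicit tenant `false` preserved), but none pins the third state the type change introduces: a tenant that sets nothing and uses no well-known provider must keep `verifyAccessTokenWithUserInfo` empty so the `orElse(false)` call sites treat it as off. One assertion on a freshly created tenant, along the lines of `assertTrue(tenant.token.verifyAccessTokenWithUserInfo.isEmpty());` placed before the merge call in the override tests or in a provider-less test, would catch a later regression to a true-by-default value. The `tenant` objects used here appear to be constructed outside the visible hunks, so the assertion would also confirm that `mergeTenantConfig` leaves the field empty for providers that do not set it.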