Merge pull request #32809 from sberyozkin/oidc_userinfo_required_opti…

…onal

Set OIDC `user-info-required` when `UserInfo` is known to be required

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/OpaqueTokenVerificationWithUserInfoValidationTest.java

@@ -16,7 +16,9 @@ public class OpaqueTokenVerificationWithUserInfoValidationTest {
     @RegisterExtension
     static final QuarkusUnitTest test = new QuarkusUnitTest()
             .withApplicationRoot((jar) -> jar
-                    .addAsResource(new StringAsset("quarkus.oidc.token.verify-access-token-with-user-info=true\n"),
+                    .addAsResource(new StringAsset(
+                            "quarkus.oidc.token.verify-access-token-with-user-info=true\n"
+                                    + "quarkus.oidc.authentication.user-info-required=false\n"),
                             "application.properties"))
             .assertException(t -> {
                 Throwable e = t;

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java

@@ -172,6 +172,19 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
             return Uni.createFrom().failure(t);
         }
 
+        if (oidcConfig.roles.source.orElse(null) == Source.userinfo && !enableUserInfo(oidcConfig)) {
+            throw new ConfigurationException(
+                    "UserInfo is not required but UserInfo is expected to be the source of authorization roles");
+        }
+        if (oidcConfig.token.verifyAccessTokenWithUserInfo && !enableUserInfo(oidcConfig)) {
+            throw new ConfigurationException(
+                    "UserInfo is not required but 'verifyAccessTokenWithUserInfo' is enabled");
+        }
+        if (!oidcConfig.authentication.isIdTokenRequired().orElse(true) && !enableUserInfo(oidcConfig)) {
+            throw new ConfigurationException(
+                    "UserInfo is not required but it will be needed to verify a code flow access token");
+        }
+
         if (!oidcConfig.discoveryEnabled.orElse(true)) {
             if (!isServiceApp(oidcConfig)) {
                 if (!oidcConfig.authorizationPath.isPresent() || !oidcConfig.tokenPath.isPresent()) {
@@ -226,10 +239,6 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
         }
 
         if (oidcConfig.token.verifyAccessTokenWithUserInfo) {
-            if (!oidcConfig.authentication.isUserInfoRequired().orElse(false)) {
-                throw new ConfigurationException(
-                        "UserInfo is not required but 'verifyAccessTokenWithUserInfo' is enabled");
-            }
             if (!oidcConfig.isDiscoveryEnabled().orElse(true)) {
                 if (oidcConfig.userInfoPath.isEmpty()) {
                     throw new ConfigurationException(
@@ -251,6 +260,18 @@ public TenantConfigContext apply(OidcProvider p) {
                 });
     }
 
+    private static boolean enableUserInfo(OidcTenantConfig oidcConfig) {
+        Optional<Boolean> userInfoRequired = oidcConfig.authentication.isUserInfoRequired();
+        if (userInfoRequired.isPresent()) {
+            if (!userInfoRequired.get()) {
+                return false;
+            }
+        } else {
+            oidcConfig.authentication.setUserInfoRequired(true);
+        }
+        return true;
+    }
+
     private static TenantConfigContext createTenantContextFromPublicKey(OidcTenantConfig oidcConfig) {
         if (!isServiceApp(oidcConfig)) {
             throw new ConfigurationException("'public-key' property can only be used with the 'service' applications");

integration-tests/oidc-tenancy/src/main/java/io/quarkus/it/keycloak/CustomTenantConfigResolver.java

@@ -137,6 +137,8 @@ public OidcTenantConfig get() {
                     config.setTokenPath(tokenUri);
                     String jwksUri = uri.replace("/tenant-refresh/tenant-web-app-refresh/api/user", "/oidc/jwks");
                     config.setJwksPath(jwksUri);
+                    String userInfoPath = uri.replace("/tenant-refresh/tenant-web-app-refresh/api/user", "/oidc/userinfo");
+                    config.setUserInfoPath(userInfoPath);
                     config.getToken().setIssuer("any");
                     config.tokenStateManager.setSplitTokens(true);
                     config.tokenStateManager.setEncryptionRequired(false);

integration-tests/oidc-tenancy/src/main/resources/application.properties

@@ -49,7 +49,6 @@ quarkus.oidc.tenant-web-app.auth-server-url=${keycloak.url}/realms/quarkus-webap
 quarkus.oidc.tenant-web-app.client-id=quarkus-app-webapp
 quarkus.oidc.tenant-web-app.credentials.secret=secret
 quarkus.oidc.tenant-web-app.application-type=web-app
-quarkus.oidc.tenant-web-app.authentication.user-info-required=true
 quarkus.oidc.tenant-web-app.roles.source=userinfo
 quarkus.oidc.tenant-web-app.allow-user-info-cache=false
 

integration-tests/oidc-wiremock/src/main/resources/application.properties

@@ -56,7 +56,6 @@ quarkus.oidc.code-flow-user-info-only.authorization-path=/
 quarkus.oidc.code-flow-user-info-only.token-path=access_token
 quarkus.oidc.code-flow-user-info-only.user-info-path=protocol/openid-connect/userinfo
 quarkus.oidc.code-flow-user-info-only.authentication.id-token-required=false
-quarkus.oidc.code-flow-user-info-only.authentication.user-info-required=true
 quarkus.oidc.code-flow-user-info-only.code-grant.extra-params.extra-param=extra-param-value
 quarkus.oidc.code-flow-user-info-only.code-grant.headers.X-Custom=XCustomHeaderValue
 quarkus.oidc.code-flow-user-info-only.client-id=quarkus-web-app