Support for OAuth2 Strava

docs/src/main/asciidoc/security-openid-connect-providers.adoc

@@ -8,9 +8,9 @@ https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
 include::_attributes.adoc[]
 :diataxis-type: concept
 :categories: security,web
-:keywords: oidc github twitter google facebook mastodon microsoft apple spotify twitch linkedin
+:keywords: oidc github twitter google facebook mastodon microsoft apple spotify twitch linkedin strava
 :toclevels: 3
-:topics: security,oidc,github,twitter,google,facebook,mastodon,microsoft,apple,spotify,twitch
+:topics: security,oidc,github,twitter,google,facebook,mastodon,microsoft,apple,spotify,twitch,linkedin,strava
 :extensions: io.quarkus:quarkus-oidc
 
 This document explains how to configure well-known social OIDC and OAuth2 providers.
@@ -525,7 +525,23 @@ quarkus.oidc.client-id=<Client ID>
 quarkus.oidc.credentials.client-secret=<Client Secret>
 ----
 
+[[strava]]
+=== Strava
 
+Create a https://www.strava.com/settings/api[Strava application]:
+
+image::oidc-strava-1.png[role="thumb"]
+
+For example, set `Category` to `SocialMotivation`, and set `ApplicationCallbackDomain` either to `localhost` or the domain name provided by Ngrok, see the <<redirect_url>> for more information.
+
+You can now configure your `application.properties`:
+
+[source,properties]
+----
+quarkus.oidc.provider=strava
+quarkus.oidc.client-id=<Client ID>
+quarkus.oidc.credentials.client-secret=<Client Secret>
+----
 
 [[provider-scope]]
 == Provider scopes
@@ -685,6 +701,7 @@ Follow the same approach if the endpoint must access other Google services.
 
 The pattern of authenticating with a given provider, where the endpoint uses either an ID token or UserInfo (especially if an OAuth2-only provider such as `GitHub` is used) to get some information about the currently authenticated user and using an access token to access some downstream services (provider or application specific ones) on behalf of this user can be universally applied, irrespectively of which provider is used to secure the application.
 
+[[redirect_url]]
 == HTTPS Redirect URL
 
 Some providers will only accept HTTPS-based redirect URLs. Tools such as https://ngrok.com/[ngrok] https://linuxhint.com/set-up-use-ngrok/[can be set up] to help testing such providers with Quarkus endpoints running on localhost in dev mode.

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java

@@ -176,7 +176,12 @@ public static enum Method {
                  * form
                  * parameters.
                  */
-                POST_JWT
+                POST_JWT,
+
+                /**
+                 * client id and secret are submitted as HTTP query parameters.
+                 */
+                QUERY
             }
 
             /**

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java

@@ -1812,6 +1812,7 @@ public static enum Provider {
         MASTODON,
         MICROSOFT,
         SPOTIFY,
+        STRAVA,
         TWITCH,
         TWITTER,
         // New name for Twitter

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java

@@ -39,6 +39,7 @@
 import io.quarkus.oidc.TokenCustomizer;
 import io.quarkus.oidc.TokenIntrospection;
 import io.quarkus.oidc.UserInfo;
+import io.quarkus.oidc.common.runtime.OidcCommonUtils;
 import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.credential.TokenCredential;
@@ -551,7 +552,7 @@ private class SymmetricKeyResolver implements VerificationKeyResolver {
         @Override
         public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
                 throws UnresolvableKeyException {
-            return KeyUtils.createSecretKeyFromSecret(oidcConfig.credentials.secret.get());
+            return KeyUtils.createSecretKeyFromSecret(OidcCommonUtils.clientSecret(oidcConfig.credentials));
         }
     }
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProviderClient.java

@@ -19,6 +19,7 @@
 import io.quarkus.oidc.common.OidcEndpoint;
 import io.quarkus.oidc.common.OidcRequestContextProperties;
 import io.quarkus.oidc.common.OidcRequestFilter;
+import io.quarkus.oidc.common.runtime.OidcCommonConfig.Credentials.Secret.Method;
 import io.quarkus.oidc.common.runtime.OidcCommonUtils;
 import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.oidc.common.runtime.OidcEndpointAccessException;
@@ -51,6 +52,7 @@ public class OidcProviderClient implements Closeable {
     private final String introspectionBasicAuthScheme;
     private final Key clientJwtKey;
     private final Map<OidcEndpoint.Type, List<OidcRequestFilter>> filters;
+    private final boolean clientSecretQueryAuthentication;
 
     public OidcProviderClient(WebClient client,
             Vertx vertx,
@@ -65,6 +67,7 @@ public OidcProviderClient(WebClient client,
         this.clientJwtKey = OidcCommonUtils.initClientJwtKey(oidcConfig);
         this.introspectionBasicAuthScheme = initIntrospectionBasicAuthScheme(oidcConfig);
         this.filters = filters;
+        this.clientSecretQueryAuthentication = oidcConfig.credentials.clientSecret.method.orElse(null) == Method.QUERY;
     }
 
     private static String initIntrospectionBasicAuthScheme(OidcTenantConfig oidcConfig) {
@@ -139,45 +142,62 @@ public Uni<AuthorizationCodeTokens> refreshAuthorizationCodeTokens(String refres
 
     private UniOnItem<HttpResponse<Buffer>> getHttpResponse(String uri, MultiMap formBody, boolean introspect) {
         HttpRequest<Buffer> request = client.postAbs(uri);
-        request.putHeader(CONTENT_TYPE_HEADER, APPLICATION_X_WWW_FORM_URLENCODED);
-        request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
-        if (oidcConfig.codeGrant.headers != null) {
-            for (Map.Entry<String, String> headerEntry : oidcConfig.codeGrant.headers.entrySet()) {
-                request.putHeader(headerEntry.getKey(), headerEntry.getValue());
-            }
-        }
-        if (introspect && introspectionBasicAuthScheme != null) {
-            request.putHeader(AUTHORIZATION_HEADER, introspectionBasicAuthScheme);
-            if (oidcConfig.clientId.isPresent() && oidcConfig.introspectionCredentials.includeClientId) {
-                formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
-            }
-        } else if (clientSecretBasicAuthScheme != null) {
-            request.putHeader(AUTHORIZATION_HEADER, clientSecretBasicAuthScheme);
-        } else if (clientJwtKey != null) {
-            String jwt = OidcCommonUtils.signJwtWithKey(oidcConfig, metadata.getTokenUri(), clientJwtKey);
-            if (OidcCommonUtils.isClientSecretPostJwtAuthRequired(oidcConfig.credentials)) {
+
+        Buffer buffer = null;
+
+        if (!clientSecretQueryAuthentication) {
+            request.putHeader(CONTENT_TYPE_HEADER, APPLICATION_X_WWW_FORM_URLENCODED);
+            request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
+
+            if (introspect && introspectionBasicAuthScheme != null) {
+                request.putHeader(AUTHORIZATION_HEADER, introspectionBasicAuthScheme);
+                if (oidcConfig.clientId.isPresent() && oidcConfig.introspectionCredentials.includeClientId) {
+                    formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
+                }
+            } else if (clientSecretBasicAuthScheme != null) {
+                request.putHeader(AUTHORIZATION_HEADER, clientSecretBasicAuthScheme);
+            } else if (clientJwtKey != null) {
+                String jwt = OidcCommonUtils.signJwtWithKey(oidcConfig, metadata.getTokenUri(), clientJwtKey);
+                if (OidcCommonUtils.isClientSecretPostJwtAuthRequired(oidcConfig.credentials)) {
+                    formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
+                    formBody.add(OidcConstants.CLIENT_SECRET, jwt);
+                } else {
+                    formBody.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
+                    formBody.add(OidcConstants.CLIENT_ASSERTION, jwt);
+                }
+            } else if (OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
                 formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
-                formBody.add(OidcConstants.CLIENT_SECRET, jwt);
+                formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
             } else {
-                formBody.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
-                formBody.add(OidcConstants.CLIENT_ASSERTION, jwt);
+                formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
             }
-        } else if (OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
-            formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
-            formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
+            buffer = OidcCommonUtils.encodeForm(formBody);
         } else {
             formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
+            formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
+            for (Map.Entry<String, String> entry : formBody) {
+                request.addQueryParam(entry.getKey(), OidcCommonUtils.urlEncode(entry.getValue()));
+            }
+            request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
+            buffer = Buffer.buffer();
         }
+
+        if (oidcConfig.codeGrant.headers != null) {
+            for (Map.Entry<String, String> headerEntry : oidcConfig.codeGrant.headers.entrySet()) {
+                request.putHeader(headerEntry.getKey(), headerEntry.getValue());
+            }
+        }
+
         LOG.debugf("Get token on: %s params: %s headers: %s", metadata.getTokenUri(), formBody, request.headers());
         // Retry up to three times with a one-second delay between the retries if the connection is closed.
-        Buffer buffer = OidcCommonUtils.encodeForm(formBody);
 
         OidcEndpoint.Type endpoint = introspect ? OidcEndpoint.Type.INTROSPECTION : OidcEndpoint.Type.TOKEN;
         Uni<HttpResponse<Buffer>> response = filter(endpoint, request, buffer, null).sendBuffer(buffer)
                 .onFailure(ConnectException.class)
                 .retry()
                 .atMost(oidcConfig.connectionRetryCount).onFailure().transform(t -> t.getCause());
         return response.onItem();
+
     }
 
     private AuthorizationCodeTokens getAuthorizationCodeTokens(HttpResponse<Buffer> resp) {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/providers/KnownOidcProviders.java

@@ -20,6 +20,7 @@ public static OidcTenantConfig provider(OidcTenantConfig.Provider provider) {
             case MASTODON -> mastodon();
             case MICROSOFT -> microsoft();
             case SPOTIFY -> spotify();
+            case STRAVA -> strava();
             case TWITCH -> twitch();
             case TWITTER, X -> twitter();
         };
@@ -153,6 +154,27 @@ private static OidcTenantConfig spotify() {
         return ret;
     }
 
+    private static OidcTenantConfig strava() {
+        OidcTenantConfig ret = new OidcTenantConfig();
+        ret.setDiscoveryEnabled(false);
+        ret.setAuthServerUrl("https://www.strava.com/oauth");
+        ret.setApplicationType(OidcTenantConfig.ApplicationType.WEB_APP);
+        ret.setAuthorizationPath("authorize");
+
+        ret.setTokenPath("token");
+        ret.setUserInfoPath("https://www.strava.com/api/v3/athlete");
+
+        OidcTenantConfig.Authentication authentication = ret.getAuthentication();
+        authentication.setAddOpenidScope(false);
+        authentication.setScopes(List.of("activity:read"));
+        authentication.setIdTokenRequired(false);
+
+        ret.getToken().setVerifyAccessTokenWithUserInfo(true);
+        ret.getCredentials().getClientSecret().setMethod(Method.QUERY);
+
+        return ret;
+    }
+
     private static OidcTenantConfig twitch() {
         // Ref https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-grant-flow