Set OIDC user-info-required when UserInfo is known to be required

quarkusio · Apr 20, 2023 · f17778f · f17778f
1 parent a3c1b3a
commit f17778f
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java
@@ -172,6 +172,24 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
             return Uni.createFrom().failure(t);
         }
 
+        if (oidcConfig.roles.source.orElse(null) == Source.userinfo
+                || oidcConfig.token.verifyAccessTokenWithUserInfo
+                || !oidcConfig.authentication.isIdTokenRequired().orElse(true)) {
+
+            Optional<Boolean> userInfoRequired = oidcConfig.authentication.isUserInfoRequired();
+            if (userInfoRequired.isPresent()) {
+                if (!userInfoRequired.get()) {
+                    throw new ConfigurationException(
+                            "UserInfo is not required but one of the following conditions is true:"
+                                    + "1) Bearer access token verification via the UserInfo acquisition is required; "
+                                    + "2) UserInfo is expected to be the source of authorization roles; "
+                                    + "3) ID token is not required therefore the code flow access token must be verified via the UserInfo acquisition");
+                }
+            } else {
+                oidcConfig.authentication.setUserInfoRequired(true);
+            }
+        }
+
         if (!oidcConfig.discoveryEnabled.orElse(true)) {
             if (!isServiceApp(oidcConfig)) {
                 if (!oidcConfig.authorizationPath.isPresent() || !oidcConfig.tokenPath.isPresent()) {
@@ -226,10 +244,6 @@ private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConf
         }
 
         if (oidcConfig.token.verifyAccessTokenWithUserInfo) {
-            if (!oidcConfig.authentication.isUserInfoRequired().orElse(false)) {
-                throw new ConfigurationException(
-                        "UserInfo is not required but 'verifyAccessTokenWithUserInfo' is enabled");
-            }
             if (!oidcConfig.isDiscoveryEnabled().orElse(true)) {
                 if (oidcConfig.userInfoPath.isEmpty()) {
                     throw new ConfigurationException(

diff --git a/...n-tests/oidc-tenancy/src/main/java/io/quarkus/it/keycloak/CustomTenantConfigResolver.java b/...n-tests/oidc-tenancy/src/main/java/io/quarkus/it/keycloak/CustomTenantConfigResolver.java
@@ -137,6 +137,8 @@ public OidcTenantConfig get() {
                     config.setTokenPath(tokenUri);
                     String jwksUri = uri.replace("/tenant-refresh/tenant-web-app-refresh/api/user", "/oidc/jwks");
                     config.setJwksPath(jwksUri);
+                    String userInfoPath = uri.replace("/tenant-refresh/tenant-web-app-refresh/api/user", "/oidc/userinfo");
+                    config.setUserInfoPath(userInfoPath);
                     config.getToken().setIssuer("any");
                     config.tokenStateManager.setSplitTokens(true);
                     config.tokenStateManager.setEncryptionRequired(false);

diff --git a/integration-tests/oidc-tenancy/src/main/resources/application.properties b/integration-tests/oidc-tenancy/src/main/resources/application.properties
@@ -49,7 +49,6 @@ quarkus.oidc.tenant-web-app.auth-server-url=${keycloak.url}/realms/quarkus-webap
 quarkus.oidc.tenant-web-app.client-id=quarkus-app-webapp
 quarkus.oidc.tenant-web-app.credentials.secret=secret
 quarkus.oidc.tenant-web-app.application-type=web-app
-quarkus.oidc.tenant-web-app.authentication.user-info-required=true
 quarkus.oidc.tenant-web-app.roles.source=userinfo
 quarkus.oidc.tenant-web-app.allow-user-info-cache=false
 

diff --git a/integration-tests/oidc-wiremock/src/main/resources/application.properties b/integration-tests/oidc-wiremock/src/main/resources/application.properties
@@ -56,7 +56,6 @@ quarkus.oidc.code-flow-user-info-only.authorization-path=/
 quarkus.oidc.code-flow-user-info-only.token-path=access_token
 quarkus.oidc.code-flow-user-info-only.user-info-path=protocol/openid-connect/userinfo
 quarkus.oidc.code-flow-user-info-only.authentication.id-token-required=false
-quarkus.oidc.code-flow-user-info-only.authentication.user-info-required=true
 quarkus.oidc.code-flow-user-info-only.code-grant.extra-params.extra-param=extra-param-value
 quarkus.oidc.code-flow-user-info-only.code-grant.headers.X-Custom=XCustomHeaderValue
 quarkus.oidc.code-flow-user-info-only.client-id=quarkus-web-app