Support for OAuth2 Strava

docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc

@@ -266,6 +266,18 @@ quarkus.oidc.tls.trust-store-password=${trust-store-password}
 #quarkus.oidc.tls.trust-store-alias=certAlias
 ----
 
+===== POST query
+
+Some providers such as the xref:security-openid-connect-providers#strava[Strava OAuth2 provider] require client credentials be posted as HTTP POST query parameters:
+
+[source,properties]
+----
+quarkus.oidc.provider=strava
+quarkus.oidc.client-id=quarkus-app
+quarkus.oidc.credentials.client-secret.value=mysecret
+quarkus.oidc.credentials.client-secret.method=query
+----
+
 ==== Introspection endpoint authentication
 
 Some OIDC providers require authenticating to its introspection endpoint by using Basic authentication and with credentials that are different from the `client_id` and `client_secret`.

docs/src/main/asciidoc/security-openid-connect-providers.adoc

@@ -8,9 +8,9 @@ https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
 include::_attributes.adoc[]
 :diataxis-type: concept
 :categories: security,web
-:keywords: oidc github twitter google facebook mastodon microsoft apple spotify twitch linkedin
+:keywords: oidc github twitter google facebook mastodon microsoft apple spotify twitch linkedin strava
 :toclevels: 3
-:topics: security,oidc,github,twitter,google,facebook,mastodon,microsoft,apple,spotify,twitch
+:topics: security,oidc,github,twitter,google,facebook,mastodon,microsoft,apple,spotify,twitch,linkedin,strava
 :extensions: io.quarkus:quarkus-oidc
 
 This document explains how to configure well-known social OIDC and OAuth2 providers.
@@ -525,7 +525,26 @@ quarkus.oidc.client-id=<Client ID>
 quarkus.oidc.credentials.client-secret=<Client Secret>
 ----
 
+[[strava]]
+=== Strava
 
+Create a https://www.strava.com/settings/api[Strava application]:
+
+image::oidc-strava-1.png[role="thumb"]
+
+For example, set `Category` to `SocialMotivation`, and set `ApplicationCallbackDomain` to either `localhost` or the domain name provided by Ngrok, see the <<redirect_url>> for more information.
+
+You can now configure your `application.properties`:
+
+[source,properties]
+----
+quarkus.oidc.provider=strava
+quarkus.oidc.client-id=<Client ID>
+quarkus.oidc.credentials.client-secret=<Client Secret>
+# default value is '/strava'
+quarkus.oidc.authentication.redirect-path=/fitness/welcome <1>
+----
+<1> Strava does not enforce that the redirect (callback) URI which is provided as an authorization code flow parameter is equal to the URI registered in the Strava application because it only requires configuring `ApplicationCallbackDomain`. For example, if `ApplicationCallbackDomain` is set to `www.my-strava-example.com`, Strava will accept redirect URIs such as `www.my-strava-example.com/a`, `www.my-strava-example.com/path/a`, which is not recommended by OAuth2 best security practices, see, for example, link:https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-insufficient-redirect-uri-v[Insufficent redirect_uri validation]. Therefore you must configure a redirect path when working with the Strava provider and Quarkus will itself enforce that the current request path matches the configured `quarkus.oidc.authentication.redirect-path` value before completing the authotization code flow. See the <<single_redirect_url_only>> for more information.
 
 [[provider-scope]]
 == Provider scopes
@@ -685,6 +704,30 @@ Follow the same approach if the endpoint must access other Google services.
 
 The pattern of authenticating with a given provider, where the endpoint uses either an ID token or UserInfo (especially if an OAuth2-only provider such as `GitHub` is used) to get some information about the currently authenticated user and using an access token to access some downstream services (provider or application specific ones) on behalf of this user can be universally applied, irrespectively of which provider is used to secure the application.
 
+[[single_redirect_url_only]]
+== Single redirect url only
+
+Most OIDC and OAuth2 providers with the exception of <<strava>> will enforce that the authorization code flow can be completed only if the redirect URL matches precisely the redirect URL configured in a given provider's dashboard.
+
+From the practical point of view, your Quarkus endpoint will most likely need to have the `quarkus.oidc.authentication.redirect-path` relative path property set to an initial entry path for all the authenticated users, for example, `quarkus.oidc.authentication.redirect-path=/authenticated`, which means that newly authenticated users will land on the `/authenticated` page, irrespectively of how many secured entry points your application has and which secured resource they initially accessed.
+
+It is a typical flow for many OIDC `web-app` applications. Once the user lands on the initial secured page, your application can return an HTML page which uses links to guide users to other parts of the application or users can be immediately redirected to other application resources with the help of JAX-RS API.
+
+If necessary, you can configure Quarkus to restore the original request URL after the authentication has been completed. For example:
+
+[source,properties]
+----
+quarkus.oidc.provider=strava <1>
+quarkus.oidc.client-id=<Client ID>
+quarkus.oidc.credentials.secret=<Secret>
+quarkus.oidc.authentication.restore-path-after-redirect=true <2>
+----
+<1> `strava` provider configuration is the only supported configuration which enforces the `quarkus.oidc.authentication.redirect-path` property with the `/strava` path which you can override with another path such as `/fitness`.
+<2> If the users access the `/run` endpoint before the authentication, then, once they have authenticated and been redirected to the configured redirect path such as `/strava`, they will land on the original request `/run` path.
+
+You do not have to set `quarkus.oidc.authentication.redirect-path` immediately because Quarkus assumes the current request URL is an authorization code flow redirect URL if no `quarkus.oidc.authentication.redirect-path` is configured. For example, to test that a <<google>> authentication is working, you can have a Quarkus endpoint listening on `/google` and update the Google dashboard that `http://localhost:8080/google` redirect URI is supported. Setting `quarkus.oidc.authentication.redirect-path` property will be required once your secured application URL space grows.
+
+[[redirect_url]]
 == HTTPS Redirect URL
 
 Some providers will only accept HTTPS-based redirect URLs. Tools such as https://ngrok.com/[ngrok] https://linuxhint.com/set-up-use-ngrok/[can be set up] to help testing such providers with Quarkus endpoints running on localhost in dev mode.

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java

@@ -176,7 +176,12 @@ public static enum Method {
                  * form
                  * parameters.
                  */
-                POST_JWT
+                POST_JWT,
+
+                /**
+                 * client id and secret are submitted as HTTP query parameters. This option is only supported for the OIDC extension.
+                 */
+                QUERY
             }
 
             /**

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java

@@ -1812,6 +1812,7 @@ public static enum Provider {
         MASTODON,
         MICROSOFT,
         SPOTIFY,
+        STRAVA,
         TWITCH,
         TWITTER,
         // New name for Twitter

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -1247,8 +1247,13 @@ public AuthorizationCodeTokens apply(AuthorizationCodeTokens tokens) {
     private Uni<AuthorizationCodeTokens> getCodeFlowTokensUni(RoutingContext context, TenantConfigContext configContext,
             String code, String codeVerifier) {
 
-        // 'redirect_uri': typically it must match the 'redirect_uri' query parameter which was used during the code request.
+        // 'redirect_uri': it must match the 'redirect_uri' query parameter which was used during the code request.
         String redirectPath = getRedirectPath(configContext.oidcConfig, context);
+        if (configContext.oidcConfig.authentication.redirectPath.isPresent()
+                && !configContext.oidcConfig.authentication.redirectPath.get().equals(context.request().path())) {
+            LOG.warnf("Token redirect path %s does not match the current request path", redirectPath);
+            return Uni.createFrom().failure(new AuthenticationFailedException());
+        }
         String redirectUriParam = buildUri(context, isForceHttps(configContext.oidcConfig), redirectPath);
         LOG.debugf("Token request redirect_uri parameter: %s", redirectUriParam);
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java

@@ -39,6 +39,7 @@
 import io.quarkus.oidc.TokenCustomizer;
 import io.quarkus.oidc.TokenIntrospection;
 import io.quarkus.oidc.UserInfo;
+import io.quarkus.oidc.common.runtime.OidcCommonUtils;
 import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.credential.TokenCredential;
@@ -551,7 +552,7 @@ private class SymmetricKeyResolver implements VerificationKeyResolver {
         @Override
         public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
                 throws UnresolvableKeyException {
-            return KeyUtils.createSecretKeyFromSecret(oidcConfig.credentials.secret.get());
+            return KeyUtils.createSecretKeyFromSecret(OidcCommonUtils.clientSecret(oidcConfig.credentials));
         }
     }
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProviderClient.java

@@ -19,6 +19,7 @@
 import io.quarkus.oidc.common.OidcEndpoint;
 import io.quarkus.oidc.common.OidcRequestContextProperties;
 import io.quarkus.oidc.common.OidcRequestFilter;
+import io.quarkus.oidc.common.runtime.OidcCommonConfig.Credentials.Secret.Method;
 import io.quarkus.oidc.common.runtime.OidcCommonUtils;
 import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.oidc.common.runtime.OidcEndpointAccessException;
@@ -51,6 +52,7 @@ public class OidcProviderClient implements Closeable {
     private final String introspectionBasicAuthScheme;
     private final Key clientJwtKey;
     private final Map<OidcEndpoint.Type, List<OidcRequestFilter>> filters;
+    private final boolean clientSecretQueryAuthentication;
 
     public OidcProviderClient(WebClient client,
             Vertx vertx,
@@ -65,6 +67,7 @@ public OidcProviderClient(WebClient client,
         this.clientJwtKey = OidcCommonUtils.initClientJwtKey(oidcConfig);
         this.introspectionBasicAuthScheme = initIntrospectionBasicAuthScheme(oidcConfig);
         this.filters = filters;
+        this.clientSecretQueryAuthentication = oidcConfig.credentials.clientSecret.method.orElse(null) == Method.QUERY;
     }
 
     private static String initIntrospectionBasicAuthScheme(OidcTenantConfig oidcConfig) {
@@ -139,45 +142,62 @@ public Uni<AuthorizationCodeTokens> refreshAuthorizationCodeTokens(String refres
 
     private UniOnItem<HttpResponse<Buffer>> getHttpResponse(String uri, MultiMap formBody, boolean introspect) {
         HttpRequest<Buffer> request = client.postAbs(uri);
-        request.putHeader(CONTENT_TYPE_HEADER, APPLICATION_X_WWW_FORM_URLENCODED);
-        request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
-        if (oidcConfig.codeGrant.headers != null) {
-            for (Map.Entry<String, String> headerEntry : oidcConfig.codeGrant.headers.entrySet()) {
-                request.putHeader(headerEntry.getKey(), headerEntry.getValue());
-            }
-        }
-        if (introspect && introspectionBasicAuthScheme != null) {
-            request.putHeader(AUTHORIZATION_HEADER, introspectionBasicAuthScheme);
-            if (oidcConfig.clientId.isPresent() && oidcConfig.introspectionCredentials.includeClientId) {
-                formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
-            }
-        } else if (clientSecretBasicAuthScheme != null) {
-            request.putHeader(AUTHORIZATION_HEADER, clientSecretBasicAuthScheme);
-        } else if (clientJwtKey != null) {
-            String jwt = OidcCommonUtils.signJwtWithKey(oidcConfig, metadata.getTokenUri(), clientJwtKey);
-            if (OidcCommonUtils.isClientSecretPostJwtAuthRequired(oidcConfig.credentials)) {
+
+        Buffer buffer = null;
+
+        if (!clientSecretQueryAuthentication) {
+            request.putHeader(CONTENT_TYPE_HEADER, APPLICATION_X_WWW_FORM_URLENCODED);
+            request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
+
+            if (introspect && introspectionBasicAuthScheme != null) {
+                request.putHeader(AUTHORIZATION_HEADER, introspectionBasicAuthScheme);
+                if (oidcConfig.clientId.isPresent() && oidcConfig.introspectionCredentials.includeClientId) {
+                    formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
+                }
+            } else if (clientSecretBasicAuthScheme != null) {
+                request.putHeader(AUTHORIZATION_HEADER, clientSecretBasicAuthScheme);
+            } else if (clientJwtKey != null) {
+                String jwt = OidcCommonUtils.signJwtWithKey(oidcConfig, metadata.getTokenUri(), clientJwtKey);
+                if (OidcCommonUtils.isClientSecretPostJwtAuthRequired(oidcConfig.credentials)) {
+                    formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
+                    formBody.add(OidcConstants.CLIENT_SECRET, jwt);
+                } else {
+                    formBody.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
+                    formBody.add(OidcConstants.CLIENT_ASSERTION, jwt);
+                }
+            } else if (OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
                 formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
-                formBody.add(OidcConstants.CLIENT_SECRET, jwt);
+                formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
             } else {
-                formBody.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
-                formBody.add(OidcConstants.CLIENT_ASSERTION, jwt);
+                formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
             }
-        } else if (OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
-            formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
-            formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
+            buffer = OidcCommonUtils.encodeForm(formBody);
         } else {
             formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
+            formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
+            for (Map.Entry<String, String> entry : formBody) {
+                request.addQueryParam(entry.getKey(), OidcCommonUtils.urlEncode(entry.getValue()));
+            }
+            request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
+            buffer = Buffer.buffer();
         }
+
+        if (oidcConfig.codeGrant.headers != null) {
+            for (Map.Entry<String, String> headerEntry : oidcConfig.codeGrant.headers.entrySet()) {
+                request.putHeader(headerEntry.getKey(), headerEntry.getValue());
+            }
+        }
+
         LOG.debugf("Get token on: %s params: %s headers: %s", metadata.getTokenUri(), formBody, request.headers());
         // Retry up to three times with a one-second delay between the retries if the connection is closed.
-        Buffer buffer = OidcCommonUtils.encodeForm(formBody);
 
         OidcEndpoint.Type endpoint = introspect ? OidcEndpoint.Type.INTROSPECTION : OidcEndpoint.Type.TOKEN;
         Uni<HttpResponse<Buffer>> response = filter(endpoint, request, buffer, null).sendBuffer(buffer)
                 .onFailure(ConnectException.class)
                 .retry()
                 .atMost(oidcConfig.connectionRetryCount).onFailure().transform(t -> t.getCause());
         return response.onItem();
+
     }
 
     private AuthorizationCodeTokens getAuthorizationCodeTokens(HttpResponse<Buffer> resp) {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java

@@ -484,6 +484,9 @@ static OidcTenantConfig mergeTenantConfig(OidcTenantConfig tenant, OidcTenantCon
         if (tenant.authentication.responseMode.isEmpty()) {
             tenant.authentication.responseMode = provider.authentication.responseMode;
         }
+        if (tenant.authentication.redirectPath.isEmpty()) {
+            tenant.authentication.redirectPath = provider.authentication.redirectPath;
+        }
 
         // credentials
         if (tenant.credentials.clientSecret.method.isEmpty()) {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/providers/KnownOidcProviders.java

@@ -20,6 +20,7 @@ public static OidcTenantConfig provider(OidcTenantConfig.Provider provider) {
             case MASTODON -> mastodon();
             case MICROSOFT -> microsoft();
             case SPOTIFY -> spotify();
+            case STRAVA -> strava();
             case TWITCH -> twitch();
             case TWITTER, X -> twitter();
         };
@@ -153,6 +154,28 @@ private static OidcTenantConfig spotify() {
         return ret;
     }
 
+    private static OidcTenantConfig strava() {
+        OidcTenantConfig ret = new OidcTenantConfig();
+        ret.setDiscoveryEnabled(false);
+        ret.setAuthServerUrl("https://www.strava.com/oauth");
+        ret.setApplicationType(OidcTenantConfig.ApplicationType.WEB_APP);
+        ret.setAuthorizationPath("authorize");
+
+        ret.setTokenPath("token");
+        ret.setUserInfoPath("https://www.strava.com/api/v3/athlete");
+
+        OidcTenantConfig.Authentication authentication = ret.getAuthentication();
+        authentication.setAddOpenidScope(false);
+        authentication.setScopes(List.of("activity:read"));
+        authentication.setIdTokenRequired(false);
+        authentication.setRedirectPath("/strava");
+
+        ret.getToken().setVerifyAccessTokenWithUserInfo(true);
+        ret.getCredentials().getClientSecret().setMethod(Method.QUERY);
+
+        return ret;
+    }
+
     private static OidcTenantConfig twitch() {
         // Ref https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-grant-flow