Enhance TestSecurity OIDC module to support the injection of UserInfo and OidcConfigurationMetadata

[sberyozkin]

Description

OidcConfigurationMetadata can be initialized from quarkus.oidc.jwk-path, etc
UserInfo from a security attribute with a userinfo. prefix

[quarkus-bot]

/cc @manovotn, @mkouba, @pedroigor

[Marcus-Biel-idnow]

go go go :)

[hantsy]

@sberyozkin

It is not only the issue of the test-security and oidc used together.

I tried it more today in my sample application, https://github.com/hantsy/quarkus-sandbox/tree/master/oidc-api-auth0

This is a service application(the default application type is service).

I have an AudienceValidator class to validate the aud claim, see here.

If it is activated, and starts the application, then I used a client to test the APIs, see IntegrationTests, it will raise the OidcConfigurationMetadata can not be injected exceptions. (When disabling the AudienceValidator, it works)

So the final solution is in a service type application, OidcConfigurationMetadata should be provided in CDI context.

[hantsy]

@sberyozkin BTW, not sure it can be categorized as an issue.

When the quarkus.oidc.client-id is not set, it will throw an exception: Tenant configuration can not be resolved.

As I understand it, a service type application or the Resource server role in OAuth2 protocol, it should not contain a client-id.

The client-id and client-secrets are part of the client application when an Oauth2 Client application role is registered.

I also create a similar service API spring application, just need to declare it as a ResourceServer and specify the issuer-uri configuration, no need others, all work well, see: https://github.com/hantsy/spring-webmvc-auth0-sample/blob/master/src/main/resources/application.yml#L49

[sberyozkin]

Wow, I totally missed all the comments :-) (the secret is I only check the issues manually to minimize the amount of notifications), anyway, sorry for a delay...

@Marcus-Biel-idnow - OK :-), will try to prioritize soon enough, should be straightforward enough to fix

@hantsy

OidcConfigurationMetadata can not be injected exceptions

The problem is that if the path request is public then OidcConfigurationMetadata can not be injected - but it has just been fixed as part of this #16586. It will be injected if the path is protected.

As I understand it, a service type application or the Resource server role in OAuth2 protocol, it should not contain a client-id.

It has been discussed before - it is not a good idea to drop it (even if somewhere else it is not needed) since, when the token verification fails, all that can be logged is that the token fails - no way to link it to the client which requested this token - we don't log it yet - but I'll make sure the client id is logged - additionally, quarkus-oidc will do the remote token introspection for opaque tokens but also optionally for JWT tokens - where a client id is required.
We should probably do not require it if the token introspection is disabled: #17021