OIDC: 401 when access-token needs to be refreshed and user-info-required=true #30208
Comments
|
/cc @pedroigor(oidc), @sberyozkin(oidc) |
|
I think you need to add ( The only problem is that it won't work in 2.15.2, as there the userinfo is checked before the ID token verification. |
|
Ignore it please, that needs to be investigated/reviewed further |
|
I'll need to tweak the order of the verification depending on what role is played by UserInfo in this verification |
|
@yoadey Looking at it right now. So, in 2.15.x the order of the verification of the code flow access token is correct, but is not complete enough for such a token be refreshed (as opposed to the ID token) - but it does make sense to support refreshing both types of tokens since they are coming from the same code flow response. In 2.16 the order (that was my idea) got wrong for this case be supported - in 2.16 we now support the optional verification of the opaque/binary tokens based on the presence of UserInfo. In my PR I'll restore the original 2.15 order of the code flow access token verification for the cases where UserInfo is not a prerequisite for verifying such tokens as well as add an expiration check for this type of token |
|
@sberyozkin Thank you very much for the fast response and reaction, really appreciate it! These changes seem to solve the case I have, will upgrade as soon as the new Release is available. |
|
@yoadey Np, let us know please if that PR helps. Where I know it won't help yet is when we have a case with a provider like Azure returning an ID token plus a |
|
@sberyozkin triage/backport* labels may not be added to an issue. Please add them to the corresponding pull request.
|
benkard
added a commit
to benkard/mulkcms2
that referenced
this issue
Apr 2, 2023
This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.198.0` -> `^0.199.0`](https://renovatebot.com/diffs/npm/flow-bin/0.198.0/0.199.0) | | [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | patch | `42.5.1` -> `42.5.2` | | [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.16.0.Final` -> `2.16.1.Final` | | [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.16.0.Final` -> `2.16.1.Final` | | [org.apache.maven.plugins:maven-enforcer-plugin](https://maven.apache.org/enforcer/) | build | minor | `3.1.0` -> `3.2.1` | --- ### Release Notes <details> <summary>flowtype/flow-bin</summary> ### [`v0.199.0`](flow/flow-bin@0568b6e...05bb4e3) [Compare Source](flow/flow-bin@0568b6e...05bb4e3) ### [`v0.198.2`](flow/flow-bin@0d01841...0568b6e) [Compare Source](flow/flow-bin@0d01841...0568b6e) ### [`v0.198.1`](flow/flow-bin@2b180bb...0d01841) [Compare Source](flow/flow-bin@2b180bb...0d01841) </details> <details> <summary>pgjdbc/pgjdbc</summary> ### [`v42.5.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4252-2023-01-31-143046--0500) ##### Changed docs: specify that timeouts are in seconds and there is a maximum. Housekeeping on some tests fixes [#Issue 2671](pgjdbc/pgjdbc#2671) [MR #​2686](pgjdbc/pgjdbc#2686) docs: clarify binaryTransfer and add it to README [MR# 2698](pgjdbc/pgjdbc#2698) docs: Document the need to encode reserved characters in the connection URL [MR #​2700](pgjdbc/pgjdbc#2700) feat: Define binary transfer for custom types dynamically/automatically fixes [Issue #​2554](pgjdbc/pgjdbc#2554) [MR #​2556](pgjdbc/pgjdbc#2556) ##### Added fix: added gssResponseTimeout as part of [MR #​2687](pgjdbc/pgjdbc#2687) to make sure we don't wait forever on a GSS RESPONSE ##### Fixed fix: Ensure case of XML tags in Maven snippet is correct [MR #​2682](pgjdbc/pgjdbc#2682) fix: Make sure socket is closed if an exception is thrown in createSocket fixes [Issue #​2684](pgjdbc/pgjdbc#2684) [MR #​2685](pgjdbc/pgjdbc#2685) fix: Apply patch from [Issue #​2683](pgjdbc/pgjdbc#2683) to fix hanging ssl connections [MR #​2687](pgjdbc/pgjdbc#2687) fix - binary conversion of (very) long numeric values (longer than 4 \* 2^15 digits) [MR #​2697](pgjdbc/pgjdbc#2697) fixes [Issue #​2695](pgjdbc/pgjdbc#2695) minor: enhance readability connection of startup params [MR #​2705](pgjdbc/pgjdbc#2785) </details> <details> <summary>quarkusio/quarkus</summary> ### [`v2.16.1.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.1.Final) [Compare Source](quarkusio/quarkus@2.16.0.Final...2.16.1.Final) ##### Complete changelog - [#​30729](quarkusio/quarkus#30729) - Bump mariadb-java-client from 3.1.1 to 3.1.2 - [#​30724](quarkusio/quarkus#30724) - Upgrade to Mutiny 1.9.0 - [#​30722](quarkusio/quarkus#30722) - Set SameSite Strict only on OIDC session cookie - [#​30720](quarkusio/quarkus#30720) - Bump picocli.version from 4.7.0 to 4.7.1 - [#​30719](quarkusio/quarkus#30719) - Bump jackson-bom from 2.14.1 to 2.14.2 - [#​30715](quarkusio/quarkus#30715) - PanacheRepositoryResource should implement ReactiveRestDataResource - [#​30713](quarkusio/quarkus#30713) - Use MapProperty instead of Map - [#​30694](quarkusio/quarkus#30694) - Use newer API for creating tmp files in RESTEasy Reactive - [#​30692](quarkusio/quarkus#30692) - Bump htmlunit version to 2.70.0 - [#​30686](quarkusio/quarkus#30686) - Don't fail send when a sse sink has been closed - [#​30681](quarkusio/quarkus#30681) - RESTEasy Reactive: SSE broadcaster fails if a sink has been closed - [#​30680](quarkusio/quarkus#30680) - Mark methods generatred by ASM transformations as synthetic - [#​30659](quarkusio/quarkus#30659) - Drop unused class GradleLogger - [#​30653](quarkusio/quarkus#30653) - Fix opening in IDE when more than IDE is running - [#​30652](quarkusio/quarkus#30652) - Match prometheus export metrics format - [#​30651](quarkusio/quarkus#30651) - ArC - use reflection fallback for PreDestroy callbacks if needed - [#​30649](quarkusio/quarkus#30649) - Document redirect options in RESTEasy Reactive - [#​30644](quarkusio/quarkus#30644) - Adjust source language absent in documentation code blocks - [#​30636](quarkusio/quarkus#30636) - PreDestroy hooks fail depending on method modifiers - [#​30635](quarkusio/quarkus#30635) - Introduce a `minimum-java-version` in the extension descriptor metadata - [#​30625](quarkusio/quarkus#30625) - OIDC authentication loop if Cookie Policy sameSite=strict - [#​30624](quarkusio/quarkus#30624) - Fix NPE obtaining a project map from Maven session - [#​30622](quarkusio/quarkus#30622) - Update invalid package in guide - [#​30612](quarkusio/quarkus#30612) - Fix import file name in redis-reference.adoc - [#​30609](quarkusio/quarkus#30609) - Qute generated resolvers - getters should take precedence over fields - [#​30593](quarkusio/quarkus#30593) - Qute validation - improve hierarchy indexing to fix assignability issues - [#​30591](quarkusio/quarkus#30591) - Resolve correct version when application version is unset - [#​30589](quarkusio/quarkus#30589) - Bump junit-bom from 5.9.1 to 5.9.2 - [#​30585](quarkusio/quarkus#30585) - Bump Microsoft SQL Server JDBC driver to 11.2.3 - [#​30584](quarkusio/quarkus#30584) - Update MS SQL JDBC driver to version 11.2.3 - [#​30576](quarkusio/quarkus#30576) - Use accept header to choose metrics export format - [#​30574](quarkusio/quarkus#30574) - Handle empty source directory for included builds - [#​30569](quarkusio/quarkus#30569) - Add default implementation for REST Data interfaces - [#​30564](quarkusio/quarkus#30564) - Update security-openid-connect-client.adoc - [#​30559](quarkusio/quarkus#30559) - container-image extension running with kubernetes extension - [#​30557](quarkusio/quarkus#30557) - AWT: JniRuntimeAccess: freetypeScaler.c calls sun.font.FontUtilities - [#​30548](quarkusio/quarkus#30548) - Add a blurb about not supporting validation.xml in Quarkus - [#​30526](quarkusio/quarkus#30526) - RESTEasy classic servlets - add RoutingContext to active request context - [#​30515](quarkusio/quarkus#30515) - Native build fails with hibernate-orm-rest-data-panache + elytron-security-properties-file - [#​30513](quarkusio/quarkus#30513) - Limit application.properties lookup to main source set - [#​30510](quarkusio/quarkus#30510) - Simplify logic in create-app.adoc and allow to define stream - [#​30501](quarkusio/quarkus#30501) - Fix HibernateOrmCodestart - [#​30500](quarkusio/quarkus#30500) - Place extension with an unknown category in the uncategorized category - [#​30496](quarkusio/quarkus#30496) - Update documentation - [#​30490](quarkusio/quarkus#30490) - Avoid adding the exception itself as a suppressed exception - [#​30488](quarkusio/quarkus#30488) - Updates to Infinispan 14.0.6.Final - [#​30485](quarkusio/quarkus#30485) - Verify code flow access token first if no UserInfo precondition exists - [#​30479](quarkusio/quarkus#30479) - Define defaultValueDocumentation for builderImage - [#​30474](quarkusio/quarkus#30474) - Docs - default value of `quarkus.native.builder-image` is not shown - [#​30470](quarkusio/quarkus#30470) - Revert --enable-monitoring with no arguments support - [#​30460](quarkusio/quarkus#30460) - Bump kafka3.version from 3.3.1 to 3.3.2 - [#​30453](quarkusio/quarkus#30453) - Gradle build failing w/ Quarkus 2.16.0 - [#​30430](quarkusio/quarkus#30430) - Bump gizmo from 1.5.0.Final to 1.6.0.Final - [#​30429](quarkusio/quarkus#30429) - Bump Keycloak version to 20.0.3 - [#​30426](quarkusio/quarkus#30426) - Fix redundant push when using buildx - [#​30424](quarkusio/quarkus#30424) - Building of container images with buildx causes build failures - [#​30423](quarkusio/quarkus#30423) - 2.15+ - Services dependent on libraries without classes no longer build - [#​30418](quarkusio/quarkus#30418) - Disable -D argument propagation in DevMojo - [#​30415](quarkusio/quarkus#30415) - Arc - Change Types#getTypeClosure so that superclasses and interfaces of producer types no longer throw on finding wildcards - [#​30412](quarkusio/quarkus#30412) - Arc - wildcard detection for producer methods/fields is too aggressive - [#​30410](quarkusio/quarkus#30410) - Introduce support for GraalVM `--enable-monitoring` - [#​30408](quarkusio/quarkus#30408) - Warning: Option 'AllowVMInspection' is deprecated and might be removed from future versions: Please use --enable-monitoring - [#​30405](quarkusio/quarkus#30405) - Quarkus Undertow doesn't work with blocking SecurityIdentityAugmentor - [#​30399](quarkusio/quarkus#30399) - Fix ElasticSearch Dev Services container restart - [#​30384](quarkusio/quarkus#30384) - Elasticsearch Dev Services restarts container on every auto-compile - [#​30368](quarkusio/quarkus#30368) - Allow Environment variables to populate property Maps in build time Config - [#​30354](quarkusio/quarkus#30354) - AWT `io.quarkus.awt.it.ImageGeometryFontsIT` native integration test failing with "GraalVM for Java 20" dev builds - [#​30347](quarkusio/quarkus#30347) - Bump junit-jupiter from 5.9.1 to 5.9.2 - [#​30343](quarkusio/quarkus#30343) - Trailing comma is lost from prometheus metrics - [#​30335](quarkusio/quarkus#30335) - Add native compilation section to Hibernate Validator guide - [#​30332](quarkusio/quarkus#30332) - NPE in toString method for Processor Parameters in kafka-streams 3.3.1 version - [#​30275](quarkusio/quarkus#30275) - Inline Log category property doesn't work - [#​30208](quarkusio/quarkus#30208) - OIDC: 401 when access-token needs to be refreshed and user-info-required=true - [#​30179](quarkusio/quarkus#30179) - Add an owasp-check profile - [#​28781](quarkusio/quarkus#28781) - RESTEasy Reactive: document redirects - [#​24027](quarkusio/quarkus#24027) - Hibernate Validator does not use META-INF/validation.xml, it should work or be stated in the documentation. - [#​23002](quarkusio/quarkus#23002) - if more than two running IDE while launching 'x' gives error </details> <details> <summary>quarkusio/quarkus-platform</summary> ### [`v2.16.1.Final`](quarkusio/quarkus-platform@2.16.0.Final...2.16.1.Final) [Compare Source](quarkusio/quarkus-platform@2.16.0.Final...2.16.1.Final) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
We're using OIDC extension with storing all tokens (id, access and refresh token) in the q_session cookie. In the application, we require the userinfo also, so we set
quarkus.oidc.authentication.user-info-required=true. When the access token expires and the userinfo is not cached (e.g. because of a server restart), we get a 401 as response.Expected behavior
The access token is refreshed before the userinfo is retrieved and we are successfully authenticated
Actual behavior
The user info endpoint is called before the access token is refreshed and the exception of the call does not trigger the token to refresh, resulting in a 401 access denied
How to Reproduce?
Output of
uname -aorverNo response
Output of
java -versionopenjdk version "17.0.3" 2022-04-19 LTS
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.15.2
Build tool (ie. output of
mvnw --versionorgradlew --version)Apache Maven 3.8.6
Additional information
Log from the 401 response:
The text was updated successfully, but these errors were encountered: