Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OIDC token refresh fails with 401, if user info is used and not available in the cache (anymore) #31714

Closed
sschellh opened this issue Mar 9, 2023 · 23 comments · Fixed by #31811
Labels
area/oidc kind/bug Something isn't working
Milestone

Comments

@sschellh
Copy link

sschellh commented Mar 9, 2023

Describe the bug

We are using Quarkus OIDC and for our clientId the following settings are configured with the Identity Provider:

OIDC Token Lifetime (Seconds): 300
Access Token Lifetime (Seconds): 300
Refresh Token Lifetime (Seconds): 600

(small numbers for testing only!)

We have configured Quarkus OIDC with following settings:

quarkus.oidc.enabled=true
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.user-info-required=true
quarkus.oidc.token.refresh-expired=true
quarkus.oidc.authentication.session-age-extension=PT300S
quarkus.oidc.token-cache.max-size=1000

After a users logs in, the q_session lifetime is set to the duration of the OIDC token plus the session-age-extension. In our case the session lifetime is exactly as long as the refresh token lifetime.

Expected behavior

When a user makes a request after the id token and access token expired, but before the refresh token and the session cookie expired, then the refresh token is used to retrieve a new pair of access token, id token and refresh token from the identity provider.

Actual behavior

When a user makes a request after the id token and access token expired, but before the refresh token and the session cookie expired, then an HTTP 401 exception is returned.

In the logs we can find the following DEBUG and ERROR statements:

2023-03-09 09:26:56,817 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-3) Requesting UserInfo
2023-03-09 09:26:56,818 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Get UserInfo on: https://.../userinfo auth: Bearer xxx-XX-XXXXXXXX_XXXXX
2023-03-09 09:26:56,906 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Request has failed: status: 401, error message: {"error_description":"The access token provided is expired, revoked, malformed, or invalid for other reasons.","error":"invalid_token"}
2023-03-09 09:26:56,908 ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) ID token verification failure: io.quarkus.oidc.OIDCException: {"error_description":"The access token provided is expired, revoked, malformed, or invalid for other reasons.","error":"invalid_token"}

How to Reproduce?

Steps to reproduce

  1. Start the server in DEV mode
  2. Open the web application and login
  3. Restart the server (in order to make sure there are not tokens cached anymore). This mimics the situation in a cloud environment where you have many pods running and they might restart during the lifespan of a user session (which will be in our case over 10h in reality)
  4. Perform an activity in your open session in the web app
  5. You see an HTTP 401

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.16.3.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Gradle 7.3.3

Additional information

No response

@sschellh sschellh added the kind/bug Something isn't working label Mar 9, 2023
@quarkus-bot
Copy link

quarkus-bot bot commented Mar 9, 2023

/cc @gwenneg (cache), @pedroigor (oidc), @sberyozkin (oidc)

@sberyozkin
Copy link
Member

@sschellh I think this issue was already fixed, can you please add quarkus.oidc.authentication.verify-access-token=true ?

@sberyozkin
Copy link
Member

sberyozkin commented Mar 9, 2023

The code flow access token is not used by Quarkus itself, it is expected the downstream service like the actual OIDC provider in case of the UserInfo request will verify it.
quarkus.oidc.authentication.verify-access-token=true is needed for the code flow access token only if the endpoint needs to do something with it as well, in addition to ID token. By default it is problematic, some providers return binary tokens but have no introspection endpoint

@sberyozkin
Copy link
Member

@sschellh FYI, #30485 (UserInfo precondition there is that if the access token is binary and no introspection point exists in which case requesting userinfo is the only way to verify the binary token)

@sschellh
Copy link
Author

sschellh commented Mar 9, 2023

Hi @sberyozkin

Many thanks for your response and your suggestion.

From what I see setting quarkus.oidc.authentication.verify-access-token=true does not help. It results now in the following error:

2023-03-09 14:31:10,702 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-3) Starting the opaque token introspection
2023-03-09 14:31:10,703 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Get token on: https://.../access_token params: token=xxxxxxxxxxxxxx
token_type_hint=access_token
client_id=xxxxxxxxxxxx
client_secret=xxxxxxxxxxxxxxxx
 headers: user-agent=Vert.x-WebClient/4.3.7
content-type=application/x-www-form-urlencoded
accept=application/json

2023-03-09 14:31:10,770 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Request succeeded: {"active":false}
2023-03-09 14:31:10,786 DEBUG [io.qua.oid.run.OidcProvider] (vert.x-eventloop-thread-3) Token issued to client xxxxxxxxxxxxx is not active
2023-03-09 14:31:10,786 ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) ID token verification failure: io.quarkus.security.AuthenticationFailedException

Are there any other settings you want me to verify?

@sberyozkin
Copy link
Member

sberyozkin commented Mar 9, 2023

@sschellh Thanks for verifying it. Hmm, so you have a binary access token, can you please check if the introspection response contains an expiry date for the inactive token (I can only think of putting a breakpoint in OidcProvider ? Right now if the introspection response says the token is inactive, 401 is immediately returned, but we can tweak it and return an exception requiring a refresh if it can be confirmed the token is inactive because it has expired

@sberyozkin
Copy link
Member

Or may be we just can add a property always requiring a refresh whatever the verification failure is

@sschellh
Copy link
Author

Hello @sberyozkin

If the access token is expired, then the introspection response is just like that: { "active": false}.

I would expect following behavior (not sure however if this is possible):

  • If the id_token is expired (information contained in the token), but the session is still valid (i.e. not expired yet), then the refresh token is used to refresh the access_token and the id_token.
  • If the refresh process fails, then the user receives 401 and the q_session is removed.

Ideally that process should be independent from the question whether access token validation is activated or not.
(i.e. quarkus.oidc.authentication.verify-access-token shall not have any relevance in that process as the dependency is not really obvious and intuitive).

Another question I ask myself in this context is why the session duration is derived from the id_token lifetime and not from the maximum out of id_token lifetime and refresh token lifetime). Because as long as the refresh token is valid, the session can be kept active as one can always ask for a new access_token and id_token.

@sberyozkin
Copy link
Member

@sschellh

Ideally that process should be independent from the question whether access token validation is activated or not.

But the whole problem is that your application requires UserInfo which can only be acquired with the active access token. For access tokens in JWT format it has been fixed - i.e, we can locally detect it has expired and if yes, refresh it.
In your case we can't do it because the token is binary, and we don't know why exactly the token is not active, may be it was removed by the admin

Another question I ask myself in this context is why the session duration is derived from the id_token lifetime and not from the maximum out of id_token lifetime and refresh token lifetime)

See #30766

@sberyozkin
Copy link
Member

The ID token verification failure in this context if this is what is logged is confusing and will have to be fixed, the code authentication mechanism dealing with the session is not aware why the OIDC identity provider failed the authentication request, so it should log a more precise message that ID token / session is valid but the request can not continue due to this or that failure

@sberyozkin
Copy link
Member

sberyozkin commented Mar 10, 2023

@sschellh, more about

Another question I ask myself in this context is why the session duration is derived from the id_token lifetime and not from the maximum out of id_token lifetime and refresh token lifetime)

So I linked to #30766, but does your provider return refresh token in JWT format ? How will Quarkus know what the refresh token lifespan is ?

@sschellh
Copy link
Author

@sberyozkin

So I linked to #30766, but does your provider return refresh token in JWT format ? How will Quarkus know what the refresh token lifespan is ?

The introspection endpoint returns the expire information of the refresh token.

@sschellh
Copy link
Author

The ID token verification failure in this context if this is what is logged is confusing and will have to be fixed, the code authentication mechanism dealing with the session is not aware why the OIDC identity provider failed the authentication request, so it should log a more precise message that ID token / session is valid but the request can not continue due to this or that failure

And the token refresh process should be started (if there is a refresh token).

@sberyozkin
Copy link
Member

@sschellh

The introspection endpoint returns the expire information of the refresh token.

Are you sure ? Did you mean a code exchange response and refresh_token_expires_in property ? Refresh tokens are never introspected by Quarkus.

And the token refresh process should be started (if there is a refresh token).

Only if it is proven that the ID or access token has expired. In your case we don't have any proof the access token has expired. If the introspection response was returning the access token expiry time then it would prove it.

Without this proof the DDOS surface for the binary tokens increases dramatically, anyone can send random blobs and Quarkus will be stressing the OIDC provider with the bound to fail introspection and/or refresh attempts, etc

However if the code exchange response returns expires_in for the binary token then this property can be used however the challenge there is how to retain this property in the session cookie - it has to be secured to be trusted to use its value to decide if the refresh is required. I need to think about it, how to secure the expires_in property for the binary tokens, may be I can get it signed with the client secret

@sschellh
Copy link
Author

Are you sure ? Did you mean a code exchange response and refresh_token_expires_in property ? Refresh tokens are never introspected by Quarkus.

No. The code exchange response does not contain this information. Only the introspection endpoint.

@sberyozkin
Copy link
Member

sberyozkin commented Mar 10, 2023

@sschellh

No. The code exchange response does not contain this information. Only the introspection endpoint.

I'm sorry, but if you'd like the refresh token lifetime be automatically used to to set the session lifespan then it will need to be returned from the code exchange response. I know Keycloak does it, Microsoft (https://learn.microsoft.com/en-us/linkedin/shared/authentication/programmatic-refresh-tokens) and possibly others. Requesting a remote refresh token introspection just to get its expiry time seems too expensive.

That is though is not really related to this issue. Can you give me a favor and confirm your provider returns expires_in for the access token, either in the code exchange or the access token introspection response (as we need to introspect the binary access token anyway) ? If it does I can try to build a fix for this issue around that.
Thanks

@sberyozkin
Copy link
Member

sberyozkin commented Mar 10, 2023

@sschellh Re the refresh token, that said, since auto-extending the session to the lifetime of RT will be optional, i.e, require a user approval (because of the RT lifetime is 1 month and ID token lifetime is 1 day then I don't think it will be wise for Quarkus support the session for 1 month out of the box - in real deployments users may not want that and may prefer re-authentication), I may as well try a falback with a refresh token introspection. I'd like quarkus-oidc support all sort of variations, I'll see how that goes when I get a chance to look at that issue.
For now lets finalize the details related to the access token expiry time, see my prev comment

@sschellh
Copy link
Author

That is though is not really related to this issue. Can you give me a favor and confirm your provider returns expires_in for the access token, either in the code exchange or the access token introspection response (as we need to introspect the binary access token anyway) ? If it does I can try to build a fix for this issue around that. Thanks

Yes the code exchange and the access token introspection response contain the expires_in

@sberyozkin
Copy link
Member

@sschellh sounds good. Thanks

@sberyozkin
Copy link
Member

sberyozkin commented Mar 13, 2023

@sschellh FYI, #31811, that update is all what should be required to get this issue fixed, I won't have time right now to add a test as we have another test for exactly the same scenario for JWT access tokens without the introspection, have a look please at this PR if you can to confirm it resolves the problem. Note the (code flow) access token verification should be enabled as discussed above.

@srozange
Copy link

@sberyozkin I have a similar issue (401 when requesting user info and (opaque) access token expired).
I added verify-access-token=true and used your PR but I found out that my provider does not return the "exp" field (introspectionResult only contains the active field). I don't know if there is a solution to this issue (I asked the provider if can return this field but I have little hope).

@sberyozkin
Copy link
Member

@srozange Sorry I missed your ping, I'm actually trying to complete that PR right now, just struggling a bit with the test.

We need to take it step by step, some providers will return that in the introspection response, so the PR will work for those cases. The next option is to retain the binary access token expiry date when it is provided in the code exchange response. I'll look into it at some point after the current PR is complete

@quarkus-bot quarkus-bot bot added this to the 3.0 - main milestone Mar 22, 2023
@sberyozkin
Copy link
Member

@srozange Please create another issue to have access token expiry saved un a cookie, it will be tricky and likely require encryption, but let's track it, thanks

@gsmet gsmet modified the milestones: 3.0 - main, 2.16.6.Final Mar 25, 2023
benkard added a commit to benkard/mulkcms2 that referenced this issue Apr 4, 2023
This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.201.0` -> `^0.203.0`](https://renovatebot.com/diffs/npm/flow-bin/0.201.0/0.203.1) |
| [com.rometools:rome](http://rometools.com) ([source](https://github.com/rometools/rome)) | compile | minor | `2.0.0` -> `2.1.0` |
| [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | minor | `42.5.4` -> `42.6.0` |
| [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | build | minor | `2.34.0` -> `2.35.0` |
| [org.apache.maven.plugins:maven-resources-plugin](https://maven.apache.org/plugins/) | build | patch | `3.3.0` -> `3.3.1` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.16.4.Final` -> `2.16.6.Final` |
| [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.16.4.Final` -> `2.16.6.Final` |

---

### Release Notes

<details>
<summary>flowtype/flow-bin</summary>

### [`v0.203.1`](flow/flow-bin@0c16b26...5e0645d)

[Compare Source](flow/flow-bin@0c16b26...5e0645d)

### [`v0.203.0`](flow/flow-bin@861f798...0c16b26)

[Compare Source](flow/flow-bin@861f798...0c16b26)

### [`v0.202.1`](flow/flow-bin@2b48bba...861f798)

[Compare Source](flow/flow-bin@2b48bba...861f798)

### [`v0.202.0`](flow/flow-bin@86aea9c...2b48bba)

[Compare Source](flow/flow-bin@86aea9c...2b48bba)

</details>

<details>
<summary>rometools/rome</summary>

### [`v2.1.0`](https://github.com/rometools/rome/releases/tag/2.1.0)

[Compare Source](rometools/rome@2.0.0...2.1.0)

<!-- Release notes generated using configuration in .github/release.yml at 2.1.0 -->

#### What's Changed

##### ⭐ New Features

-   Downgrade Java from version 11 to 8 by [@&#8203;PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#642
-   Add support for GraalVM native images by [@&#8203;artembilan](https://github.com/artembilan) in rometools/rome#636

##### 🔨 Dependency Upgrades

-   Bump maven-compiler-plugin from 3.10.1 to 3.11.0 by [@&#8203;dependabot](https://github.com/dependabot) in rometools/rome#635

##### 🧹 Cleanup

-   Remove unused config files by [@&#8203;PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#632
-   Polish GitHub workflows by [@&#8203;PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#633
-   Polish code by [@&#8203;antoniosanct](https://github.com/antoniosanct) in rometools/rome#631

##### ✔ Other Changes

-   Update configuration for automatically generated release notes by [@&#8203;PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#634

#### New Contributors

-   [@&#8203;artembilan](https://github.com/artembilan) made their first contribution in rometools/rome#636

**Full Changelog**: rometools/rome@2.0.0...2.1.0

</details>

<details>
<summary>pgjdbc/pgjdbc</summary>

### [`v42.6.0`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#&#8203;4260-2023-03-17-153434--0400)

##### Changed

fix: use PhantomReferences instead of `Obejct.finalize()` to track Connection leaks [MR #&#8203;2847](pgjdbc/pgjdbc#2847)

    The change replaces all uses of Object.finalize with PhantomReferences.
    The leaked resources (Connections) are tracked in a helper thread that is active as long as
    there are connections in use. By default, the thread keeps running for 30 seconds after all
    the connections are released. The timeout is set with pgjdbc.config.cleanup.thread.ttl system property.

refactor:(loom) replace the usages of synchronized with ReentrantLock [MR #&#8203;2635](pgjdbc/pgjdbc#2635)
Fixes [Issue #&#8203;1951](pgjdbc/pgjdbc#1951)

</details>

<details>
<summary>diffplug/spotless</summary>

### [`v2.35.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#&#8203;2350---2023-02-10)

##### Added

-   CleanThat Java Refactorer. ([#&#8203;1560](diffplug/spotless#1560))
-   Introduce `LazyArgLogger` to allow for lazy evaluation of log messages in slf4j logging. ([#&#8203;1565](diffplug/spotless#1565))

##### Fixed

-   Allow multiple instances of the same npm-based formatter to be used by separating their `node_modules` directories. ([#&#8203;1565](diffplug/spotless#1565))
-   `ktfmt` default style uses correct continuation indent. ([#&#8203;1562](diffplug/spotless#1562))

##### Changes

-   Bump default `ktfmt` version to latest `0.42` -> `0.43` ([#&#8203;1561](diffplug/spotless#1561))
-   Bump default `jackson` version to latest `2.14.1` -> `2.14.2` ([#&#8203;1536](diffplug/spotless#1536))

</details>

<details>
<summary>quarkusio/quarkus</summary>

### [`v2.16.6.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.6.Final)

[Compare Source](quarkusio/quarkus@2.16.5.Final...2.16.6.Final)

##### Complete changelog

-   [#&#8203;32319](quarkusio/quarkus#32319) - \[2.16] Revert io.netty.noUnsafe change
-   [#&#8203;32302](quarkusio/quarkus#32302) - Qute - fix validation of expressions with the "cdi" namespace
-   [#&#8203;32253](quarkusio/quarkus#32253) - (2.16) Upgrade to graphql-java 19.4
-   [#&#8203;32223](quarkusio/quarkus#32223) - (2.16) Upgrade wildfly-elytron to 1.20.3.Final
-   [#&#8203;32110](quarkusio/quarkus#32110) - Prevent splitting of cookie header values when using AWS Lambda
-   [#&#8203;32107](quarkusio/quarkus#32107) - Fix Podman detection on Windows
-   [#&#8203;32106](quarkusio/quarkus#32106) - Native building with container: Podman not detected on Windows
-   [#&#8203;32093](quarkusio/quarkus#32093) - Re-use current ApplicationModel for JaCoCo reports when testing Gradle projects
-   [#&#8203;32090](quarkusio/quarkus#32090) - K8s moved its registry
-   [#&#8203;32088](quarkusio/quarkus#32088) - Remove the session cookie if ID token verification failed
-   [#&#8203;32082](quarkusio/quarkus#32082) - Add missing quote in Hibernate Reactive with Panache guide
-   [#&#8203;32079](quarkusio/quarkus#32079) - Quarkus JaCoCo extension fails to start Gradle daemon
-   [#&#8203;32058](quarkusio/quarkus#32058) - Allow use of null in REST Client request body
-   [#&#8203;32047](quarkusio/quarkus#32047) - rest client reactive throws npe on null request body
-   [#&#8203;32041](quarkusio/quarkus#32041) - K8s is moving it's images
-   [#&#8203;32037](quarkusio/quarkus#32037) - Set-Cookie Header is Split when using OIDC together with AWS Lambda
-   [#&#8203;32015](quarkusio/quarkus#32015) - Support repeatable Incomings annotation for reactive messaging
-   [#&#8203;32002](quarkusio/quarkus#32002) - Quarkus: Kafka Event Processor with 2 `@incoming` annotations throws Null Pointer SRMSG00212
-   [#&#8203;31984](quarkusio/quarkus#31984) - Only substitute OctetKeyPair\* classes when on the classpath
-   [#&#8203;31978](quarkusio/quarkus#31978) - Remove quarkus.hibernate-orm.database.generation=drop-and-create from Hibernate ORM codestart
-   [#&#8203;31930](quarkusio/quarkus#31930) - Native build fails for JWT
-   [#&#8203;31893](quarkusio/quarkus#31893) - Docker or Podman required for tests since 3.0.0.Alpha6
-   [#&#8203;31857](quarkusio/quarkus#31857) - Container runtime detection cached in sys prop, container-docker extension
-   [#&#8203;31811](quarkusio/quarkus#31811) - Check the expiry date for inactive OIDC tokens
-   [#&#8203;31717](quarkusio/quarkus#31717) - Quarkus OIDC Session Cookie not deleted in case of 401 unauthorized
-   [#&#8203;31714](quarkusio/quarkus#31714) - OIDC token refresh fails with 401, if user info is used and not available in the cache (anymore)
-   [#&#8203;31662](quarkusio/quarkus#31662) - Warning when docker is not running
-   [#&#8203;31525](quarkusio/quarkus#31525) - Bump Keycloak version to 21.0.1
-   [#&#8203;31490](quarkusio/quarkus#31490) - Enable Podman and Docker Windows quarkus-container-image-docker testing
-   [#&#8203;31307](quarkusio/quarkus#31307) - Native Build on Windows has incorrect resource slashes
-   [#&#8203;30383](quarkusio/quarkus#30383) - Create a new base classloader including parent-first test scoped dependencies when bootstrapping for CT

### [`v2.16.5.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.5.Final)

[Compare Source](quarkusio/quarkus@2.16.4.Final...2.16.5.Final)

##### Complete changelog

-   [#&#8203;31959](quarkusio/quarkus#31959) - New home for Narayana LRA coordinator Docker images
-   [#&#8203;31931](quarkusio/quarkus#31931) - Support raw collections in RESTEasy Reactive server and client
-   [#&#8203;31922](quarkusio/quarkus#31922) - Add more lenient Liquibase ZipPathHandler to work around includeAll not working in prod mode
-   [#&#8203;31904](quarkusio/quarkus#31904) - \[2.16] Upgrade SmallRye GraphQL to 1.9.4
-   [#&#8203;31894](quarkusio/quarkus#31894) - Supply missing extension metadata for reactive keycloak client
-   [#&#8203;31891](quarkusio/quarkus#31891) - Fix truststore REST Client config when password is not set
-   [#&#8203;31867](quarkusio/quarkus#31867) - Qute type-safe fragments - fix validation for loop metadata and globals
-   [#&#8203;31866](quarkusio/quarkus#31866) -  The behavior of the `@RestHeader` annotation is different from the `@HeaderParam` annotation when the parameter is of type List
-   [#&#8203;31864](quarkusio/quarkus#31864) - Fix incorrect generic type passed to MessageBodyWriter#writeTo
-   [#&#8203;31818](quarkusio/quarkus#31818) - Jackson JAX-RS YAML Provider for Resteasy Reactive
-   [#&#8203;31804](quarkusio/quarkus#31804) - \[2.16] A test to make sure non-existing modules are ignored during workspace discovery
-   [#&#8203;31793](quarkusio/quarkus#31793) - \[2.16] Fix NPE loading workspace modules
-   [#&#8203;31770](quarkusio/quarkus#31770) - Fix native compilation when using quarkus-jdbc-oracle with elasticsearch-java
-   [#&#8203;31769](quarkusio/quarkus#31769) - Capability added for quarkus-rest-client-reactive-jackson
-   [#&#8203;31756](quarkusio/quarkus#31756) - quarkus-rest-client-reactive-jackson doesn't provide capabilities
-   [#&#8203;31728](quarkusio/quarkus#31728) - Register additional cache implementations for reflection
-   [#&#8203;31718](quarkusio/quarkus#31718) - Properly close metadata file in integration tests
-   [#&#8203;31713](quarkusio/quarkus#31713) - "Too many open files" When test native image.
-   [#&#8203;31712](quarkusio/quarkus#31712) - Make request scoped beans work properly in ReaderInterceptors
-   [#&#8203;31705](quarkusio/quarkus#31705) - Remove all dev services for kubernetes dependencies from kubernetes-client-internal
-   [#&#8203;31692](quarkusio/quarkus#31692) - RequestScoped context not active when using a ReaderInterceptor with large HTTP requests
-   [#&#8203;31688](quarkusio/quarkus#31688) - Suppress config changed warning for quarkus.test.arg-line
-   [#&#8203;31643](quarkusio/quarkus#31643) - Fix iterator issue when executing a zrange with score on a missing key
-   [#&#8203;31626](quarkusio/quarkus#31626) - quarkus.test.arg-line has become a built-time fixed property in 2.16.4
-   [#&#8203;31624](quarkusio/quarkus#31624) - native compilation : quarkus-jdbc-oracle with elasticsearch-java strange behaviour
-   [#&#8203;31617](quarkusio/quarkus#31617) - Bump Stork version 1.4.2
-   [#&#8203;31579](quarkusio/quarkus#31579) - Reinitialize sun.security.pkcs11.P11Util at runtime
-   [#&#8203;31560](quarkusio/quarkus#31560) - Prevent SSE writing from potentially causing accumulation of headers
-   [#&#8203;31559](quarkusio/quarkus#31559) - `SseUtil` unexpectedly stores headers in `Serialisers.EMPTY_MULTI_MAP`
-   [#&#8203;31551](quarkusio/quarkus#31551) - Scheduler - detect scheduled methods of the same name on a class
-   [#&#8203;31547](quarkusio/quarkus#31547) - Scheduler - it's possible to declare two scheduled methods of the same name on the same class
-   [#&#8203;31545](quarkusio/quarkus#31545) - Append System.lineSeparator() to config error messages
-   [#&#8203;31536](quarkusio/quarkus#31536) - Missing newline characters in config error message
-   [#&#8203;31532](quarkusio/quarkus#31532) - Interpret negative/zero body-limit as infinite when logging REST Client request body
-   [#&#8203;31523](quarkusio/quarkus#31523) - Request rejected by CORS for fonts in dev UI when `quarkus.http.cors=true` is set
-   [#&#8203;31496](quarkusio/quarkus#31496) - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
-   [#&#8203;31482](quarkusio/quarkus#31482) - Remove incorrect default value for keepAliveEnabled
-   [#&#8203;31440](quarkusio/quarkus#31440) - Several quarkus integration tests fail to compile to native with latest GraalVM master
-   [#&#8203;31384](quarkusio/quarkus#31384) - Ignore required documentation for `@ConfigMapping` default methods
-   [#&#8203;30757](quarkusio/quarkus#30757) - Allow same origin CORS requests without 3rd party origins being configured
-   [#&#8203;30744](quarkusio/quarkus#30744) - \[Quarkus Native] ClassNotFoundException: com.github.benmanes.caffeine.cache.SSSW
-   [#&#8203;30698](quarkusio/quarkus#30698) - CORS Request same origin ignored if no other origin set

</details>

<details>
<summary>quarkusio/quarkus-platform</summary>

### [`v2.16.6.Final`](quarkusio/quarkus-platform@2.16.5.Final...2.16.6.Final)

[Compare Source](quarkusio/quarkus-platform@2.16.5.Final...2.16.6.Final)

### [`v2.16.5.Final`](quarkusio/quarkus-platform@2.16.4.Final...2.16.5.Final)

[Compare Source](quarkusio/quarkus-platform@2.16.4.Final...2.16.5.Final)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/oidc kind/bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants