Allow skipping OIDC issuer verification #16324

Merged
merged 1 commit into from Apr 12, 2021

sberyozkin
Member

@sberyozkin sberyozkin commented Apr 7, 2021

Fixes #16294.
Fixes #16384.

This PR allows users to skip the issuer verification by setting `quarkus.oidc.token.issuer=any` (it was a default for the bearer token verification in the earlier versions).
Also did a few tiny optimizations to pre-calculate the issuer and audience early, as opposed to doing it during every request.
Unfortunately I could not test as InetAddress.getLocalAddress takes ages unless hosts is updated (I did try to optionally use the IP address in the Keycloak test module) but it is not realistic for CI.
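
The sketch below is an added illustration, not code from this PR or from Quarkus: it shows an `iss` claim check whose expected value is resolved once at startup, and what the `any` setting changes when one realm is reached under two host names. The class, method and host names are hypothetical, the sample claims are constructed, and it assumes that a configured issuer overrides the discovered one.

```java
import java.util.Map;

// Added illustration; class and method names are hypothetical, not Quarkus internals.
public class IssuerCheckSketch {
    static final String ANY = "any"; // the value named in the PR description

    // Resolved once at construction, not on every request; null means "check skipped".
    private final String requiredIssuer;

    IssuerCheckSketch(String configuredIssuer, String discoveredIssuer) {
        // Assumption: an explicitly configured issuer overrides the discovered one.
        String effective = configuredIssuer != null ? configuredIssuer : discoveredIssuer;
        if (effective == null) {
            throw new IllegalStateException("no issuer known: refuse to start rather than skip silently");
        }
        this.requiredIssuer = ANY.equals(effective) ? null : effective;
    }

    boolean issuerAccepted(Map<String, Object> claims) {
        if (requiredIssuer == null) {
            return true; // verification skipped: every iss value passes
        }
        return requiredIssuer.equals(claims.get("iss")); // a missing iss claim is rejected
    }

    public static void main(String[] args) {
        // Constructed sample values: one realm reached under two host names.
        String discovered = "http://keycloak:8080/auth/realms/demo"; // as seen by the service
        String external = "http://localhost:8180/auth/realms/demo";  // as seen by the client
        Map<String, Object> token = Map.of("iss", external, "sub", "alice");
        Map<String, Object> foreign = Map.of("iss", "https://idp.example.org/realms/other", "sub", "alice");

        IssuerCheckSketch byDiscovery = new IssuerCheckSketch(null, discovered);
        IssuerCheckSketch pinned = new IssuerCheckSketch(external, discovered);
        IssuerCheckSketch skipped = new IssuerCheckSketch(ANY, discovered);

        System.out.println("discovered issuer, client token: " + byDiscovery.issuerAccepted(token));
        System.out.println("pinned issuer, client token:     " + pinned.issuerAccepted(token));
        System.out.println("pinned issuer, foreign token:    " + pinned.issuerAccepted(foreign));
        System.out.println("any, client token:               " + skipped.issuerAccepted(token));
        System.out.println("any, foreign token:              " + skipped.issuerAccepted(foreign));
    }
}
```

In this sketch, pinning the expected issuer accepts the client's token while still rejecting the unrelated one; with `any`, both pass the claim check, so whatever other token checks are in place carry the whole decision.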

@sberyozkin
Member Author

@gsmet not sure it will be ready to be merged today, but even if it will be, I'll ping you to confirm it is ok to do it - and certainly won't do it tomorrow :-)

@sberyozkin
Member Author

@pedroigor Hi Pedro - let me update the java docs/guides to warn more strongly against skipping the issuer check

@sberyozkin
Member Author

sberyozkin commented Apr 9, 2021

@pedroigor Hi Pedro - I've added a dedicated section providing more information about the claim verification, and issuer verification in particular, and added 2 suggestions on how to deal with the issuer verification problems (as opposed to skipping it), have a look please.
Also CC @gastaldi

Contributor

@gastaldi gastaldi left a comment

LGTM

@sberyozkin sberyozkin merged commit 7d9b3a5 into quarkusio:main Apr 12, 2021
@quarkus-bot quarkus-bot bot added this to the 2.0 - main milestone Apr 12, 2021
@sberyozkin sberyozkin deleted the oidc_any_issuer branch April 12, 2021 12:26
@gsmet gsmet modified the milestones: 2.0 - main, 1.13.2.Final Apr 13, 2021
Successfully merging this pull request may close these issues.

OIDC Issuer Verification Quarkus 1.13.0: 401 Unauthorized using different host names for Keycloak