
Support authenticating to OpenID Introspection endpoint #26917

Merged


sberyozkin
Member

Fixes #26796.

This PR supports a case where, according to #29796, introspection endpoint is protected by basic auth and a different client-id/client-secret combination than the usual combination used for authorization code flow and I believe it is not the first time I'm hearing about such a requirement.

PR itself is simple, it adds an option to configure quarkus.oidc.introspection-credentials.name and quarkus.oidc.introspection-credentials.secret (I just called the last one secret instead of password because we already have quarkus.oidc.credentials.secret for the usual client authentication). If the introspection credentials are configured and it is introspection then they will be sent as a basic auth scheme value. And finally the tests are modified to check that in one of the tests involving the introspection the introspection credentials are indeed used to form a Basic Authentication scheme value.

@gastaldi Have a look please as Pedro may not be available right now. It is really only about adding one more (basic auth) way for Quarkus to authenticate to OpenId Connect provider, and does not change anything with respect to the way OIDC flows are handled.

Contributor

@gastaldi gastaldi left a comment


LGTM but it would be interesting to have something in the security guide about this

@sberyozkin
Member Author

@gastaldi Thanks, sure, I'll follow up with the minor update to the client authentication section now

@sberyozkin
Member Author

@gastaldi Updated the docs as well, thanks

@sberyozkin sberyozkin merged commit 022602f into quarkusio:main Jul 25, 2022
@quarkus-bot quarkus-bot bot added this to the 2.12 - main milestone Jul 25, 2022
@sberyozkin sberyozkin deleted the oidc_introspection_authentication branch July 25, 2022 21:16
@quarkus-bot quarkus-bot bot added the kind/enhancement New feature or request label Jul 25, 2022
@mqs24d

mqs24d commented Aug 22, 2022

@sberyozkin found a potential bug in the implementation:

OidcProviderClient#getHttpResponse

```java
private UniOnItem<HttpResponse<Buffer>> getHttpResponse(String uri, MultiMap formBody, boolean introspect) {
    HttpRequest<Buffer> request = client.postAbs(uri);
    request.putHeader(CONTENT_TYPE_HEADER, APPLICATION_X_WWW_FORM_URLENCODED);
    request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
    if (introspect && introspectionBasicAuthScheme != null) {
        request.putHeader(AUTHORIZATION_HEADER, introspectionBasicAuthScheme);
        if (oidcConfig.clientId.isPresent()) {
            formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
        }
    }
    // remainder of the method not included in the comment
```

Imho the client_id which is set in the line `formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());` should be the one of the introspectionBasicAuthScheme (quarkus.oidc.introspection-credentials.name), or maybe don't set it at all?

The oidc server we need to use interprets the introspection credentials as a separate client and therefore returns with a 401 if the client_id is set to the client_id which is used for the token/userinfo requests.
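As an added illustration that is not Quarkus code and not part of this thread, the following Python model builds the RFC 7662 introspection request in the shape the PR description and the snippet above describe (a Basic credential from the introspection name/secret, plus a client_id form field) and checks for the identity mismatch mqs24d reports. The configuration values, the `client_id_source` switch and all function names are constructed assumptions for the demonstration.

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed configuration, modelled on the quarkus.oidc.* property names used in the PR.
@dataclass
class OidcConfig:
    client_id: str                       # quarkus.oidc.client-id
    client_secret: str                   # quarkus.oidc.credentials.secret
    introspection_name: Optional[str]    # quarkus.oidc.introspection-credentials.name
    introspection_secret: Optional[str]  # quarkus.oidc.introspection-credentials.secret

def basic_auth_scheme(name: str, secret: str) -> str:
    """RFC 7617 Basic credential: 'Basic ' + base64(name ':' secret)."""
    raw = f"{name}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_introspection_request(cfg: OidcConfig, token: str,
                                client_id_source: str = "oidc-client") -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers, form) for an introspection POST.

    client_id_source models the three behaviours discussed in the thread (an assumption, not a real option):
      'oidc-client'        the posted code: quarkus.oidc.client-id is put into the form
      'introspection-name' the form client_id matches the user in the Basic credential
      'omit'               no client_id form field at all
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    form = {"token": token}
    if cfg.introspection_name is not None and cfg.introspection_secret is not None:
        headers["Authorization"] = basic_auth_scheme(cfg.introspection_name, cfg.introspection_secret)
        if client_id_source == "oidc-client":
            form["client_id"] = cfg.client_id
        elif client_id_source == "introspection-name":
            form["client_id"] = cfg.introspection_name
    else:
        # No dedicated introspection credentials: the usual client authentication is not modelled here.
        form["client_id"] = cfg.client_id
    return headers, form

def client_identity_mismatch(headers: Dict[str, str], form: Dict[str, str]) -> bool:
    """True when the form client_id names a different client than the Basic credential's user.

    This is the condition a provider that treats the introspection credentials as a
    separate client would reject with 401, as described in the thread.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic ") or "client_id" not in form:
        return False
    user = base64.b64decode(auth[len("Basic "):]).decode("utf-8").split(":", 1)[0]
    return user != form["client_id"]
```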

Successfully merging this pull request may close these issues.

[quarkus-oidc] Support authenticating to OpenID Introspection endpoint