Support authenticating to OpenID Introspection endpoint #26917
Merged
Fixes #26796.
This PR supports a case where, according to #29796, introspection endpoint is protected by basic auth and a different client-id/client-secret combination than the usual combination used for authorization code flow and I believe it is not the first time I'm hearing about such a requirement.

PR itself is simple, it adds an option to configure `quarkus.oidc.introspection-credentials.name` and `quarkus.oidc.introspection-credentials.secret` (I just called the last one `secret` instead of `password` because we already have `quarkus.oidc.credentials.secret` for the usual client authentication). If the introspection credentials are configured and it is introspection then they will be sent as a basic auth scheme value. And finally the tests are modified to check that in one of the tests involving the introspection the introspection credentials are indeed used to form a Basic Authentication scheme value.

@gastaldi Have a look please as Pedro may not be available right now. It is really only about adding one more (basic auth) way for Quarkus to authenticate to OpenId Connect provider, does not change anything with respect to the way OIDC flows are handled.
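The behaviour described above, as an added example that is not code from this PR or from Quarkus: a plain-JDK sketch of an RFC 7662 introspection request carrying a dedicated name/secret pair as a Basic scheme value, plus the kind of check a test or mock endpoint can apply to confirm that pair was used rather than the application's usual client credentials. The class and method names, the endpoint URL and all credential values are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class IntrospectionBasicAuthExample {

    // "Basic " + base64(name ":" secret), as defined by RFC 7617.
    static String basicScheme(String name, String secret) {
        byte[] pair = (name + ":" + secret).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // RFC 7662 introspection request authenticated with the given name/secret.
    static HttpRequest introspectionRequest(URI endpoint, String token, String name, String secret) {
        String form = "token=" + URLEncoder.encode(token, StandardCharsets.UTF_8)
                + "&token_type_hint=access_token";
        return HttpRequest.newBuilder(endpoint)
                .header("Authorization", basicScheme(name, secret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
    }

    // Check a test or mock endpoint can apply: does the header carry exactly this pair?
    static boolean carries(String authorization, String name, String secret) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false;
        }
        try {
            byte[] sent = Base64.getDecoder().decode(authorization.substring(6).trim());
            byte[] expected = (name + ":" + secret).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(sent, expected); // constant-time comparison
        } catch (IllegalArgumentException malformedBase64) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the PR or its tests.
        URI endpoint = URI.create("https://idp.example.test/introspect");
        HttpRequest request = introspectionRequest(endpoint, "opaque-token", "introspection-client", "introspection-secret");
        String header = request.headers().firstValue("Authorization").orElseThrow();
        if (!carries(header, "introspection-client", "introspection-secret")) throw new AssertionError("introspection credentials not used");
        if (carries(header, "quarkus-app", "app-secret")) throw new AssertionError("usual client credentials were sent");
        System.out.println("introspection request authenticates with: " + header.substring(0, 6) + "<redacted>");
    }
}
```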