Update docs to make it easy to see that the code flow access token fails, update tests

[sberyozkin]

Closes #40494.

I've spent a lot of time today testing #40494 and so is @effusion :-), verifying several times all works as expected with latest Quarkus with the custom Azure customizer, but it was not clear at all why it worked in 3.8.3.

In the end of the day it occurred to me it must be due to a hardening (correct) fix where users inject an authorization code flow access token but do not enable its verification, in addition to the mandatory ID token verification. So the signature failure reported in #40521 was related to the extra code flow access token verification but is confusingly logged as ID token verification failure.

So this PR updates docs to make it much clearer when the code flow access token is also verified now and how it can be disabled back to the old (though not too secure state, if really necessary). Tests are also updated (with an extra UserInfo test too).

Note it is not a breaking change, but I'll add a note to the migration guide too once this PR is reviewed/merged

[michalvavrik]

I think this will help users. Thank you

[github-actions]

🙈 The PR is closed and the preview is expired.

[gastaldi]

The associated issue number seems wrong?

[michalvavrik]

The associated issue number seems wrong?

Good catch! I thought this issue is about #40494.

[sberyozkin]

Thanks @michalvavrik , @gastaldi , will address suggestions tomorrow morning, as I'm away from laptop, cheers

[sberyozkin]

Converted to draft as the exception related update is not great, need to improve it

[sberyozkin]

Hi @michalvavrik @gastaldi I'm happy enough now with how it is logged, the previous version was unfortunately incomplete, it was covering the initial authorization code completion failure logging but not the one during the re-authentication (when the authenticated user returns), and OidcIdentityProvider updates were looking strange to me this morning (but not yesterday :-) ), so I reverted them and have a single piece of code dealing with checking if it is the the code flow access token or ID token verification that has failed.

I've actually spent a couple of hours trying to figure out how to make it simpler :-), as I thought there was no obvious way at the code authentication mechanism level to detect which token failed the verification, but then I found the current boolean expression which is precise.

[sberyozkin]

@gastaldi Yeah, it looks nicer with your suggestion, applied to both docs

[quarkus-bot]

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit f030a33.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

⚠️ There are other workflow runs running, you probably need to wait for their status before merging.

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit f030a33.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.