Throwing ForbiddenException if OidcUtils.findRoles throws an exception

[sberyozkin]

Fixes #5750
Fixes #5826

This PR simply completes the future with ForbiddenException, instead of propagating OIDCException. Note OidcUtils.findRoles does not itself throw ForbiddenException because it is not guaranteed to be called during the authentication, but it logs a warning now.
OidcUtilsTest has a test confirming OidcUtils.findRoles throws an exception with the invalid path

[sberyozkin]

@gsmet Hi, if it is approved and looks good to you too then please consider it for 1.0.1.Final.
I need to go offline now so may not have time to react to the review comments today, but it is not a blocker issue, thanks

[gsmet]

What bugs me a bit is that we don't handle the other exceptions if they happen?

This probably needs to be discussed so will be a bit late for 1.0.1.

[sberyozkin]

@gsmet Hi Guillaume, yes, sure. FYI, inside OidcUtils.findRoles there is only unchecked exception which can happen which is OIDCException when some paths can not be resolved (all that code does is it iterates over already prepared JSONObject). If something else escapes then I'd consider enhancing OidcUtils further.
However I can also add a RuntimeException catch to catch everything else ? Let me know what you think please, but yes, it can wait

[loicmathieu]

I would add the OIDCException as the cause of the ForbuddenException to not loose the exception context

[loicmathieu]

I'm OK with all other exceptions being not handled, they will all result to a ServerError.
We only want authentication exceptions being transformed to ForbiddenException.

[gsmet]

Can we keep the previous branch too?

I mean having something like:

                } catch (OIDCException e) {
                    result.completeExceptionally(new ForbiddenException());
                } catch (Exception e) {
                    result.completeExceptionally(e);
                }

That would have my preference.

[sberyozkin]

@gsmet sure

[sberyozkin]

@gsmet done

[loicmathieu]

I would add the OIDCException as the cause of the ForbuddenException to not loose the exception context

[loicmathieu]

I'm OK with all other exceptions being not handled, they will all result to a ServerError.
We only want authentication exceptions being transformed to ForbiddenException.

[gsmet]

Could you explain why you chose to do that this way? I.e. going from an exception message to a warn?

[sberyozkin]

@gsmet Please see my response to Loic, at the moment it is not possible to wrap the OIDC exception. I'll make it the error message again once ForbiddenException/etc are updated, does it sound OK ?

[sberyozkin]

I'll open an issue to track it so as I don't forget

[sberyozkin]

I'm going to do a small PR to the quarkus-security and will follow up with the updates to this code but also to other Quarkus code where the causes are not included for those exceptions

[stuartwdouglas]

FYI #5952

[sberyozkin]

@loicmathieu

I would add the OIDCException as the cause of the ForbuddenException to not loose the exception context

Not possible at the moment, since ForbiddenException only has a default constructor and it is in a separate quarkus-security repositoryright now.

I'm OK with all other exceptions being not handled...

Restoring that block would only make sure the future is cleanly completed exceptionally.

[loicmathieu]

@sberyozkin I tought it was the JAX-RS ForbiddenException ...
As soon as you create an issue to update the code later I'm OK with it.

[sberyozkin]

@loicmathieu @gsmet FYI, #5826
I'll do a quick PR for the quarkus-security as well
Thanks

[sberyozkin]

@gsmet PR to quarkus-security has been submitted so if you prefer we can wait till it is released so that I update this PR accordingly. Or I can follow up with the #5626 fix (have assigned that issue to me), either way works for me, thanks

[sberyozkin]

@gsmet, @loicmathieu Hi, FYI, I've now updated this PR to have the cause exception included across the Quarkus code :-), after Stuart has released the latest quarkus-security