
OIDC ID token should be verified before UserInfo is accessed with the access token #33711

Closed
sberyozkin opened this issue May 30, 2023 · 1 comment · Fixed by #33712
Labels
area/oidc kind/bug Something isn't working

Comments

@sberyozkin
Member

Describe the bug

It is not really a bug as such but it is sub-optimal to start requesting UserInfo with the code flow access token if the ID token representing the user authentication is invalid, for example, it has expired, so the UserInfo remote call should not even go ahead in such a case.
And the OIDC certification test has flagged it as a bug.

Expected behavior

Simply change the order: instead of using the code flow access token to get UserInfo first and then verifying the ID token, do it the other way around. Verify the ID token first and, if all is good, proceed with the UserInfo acquisition if needed.

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@sberyozkin sberyozkin added the kind/bug Something isn't working label May 30, 2023
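The reordering this issue asks for, as an added Python illustration (not Quarkus code): the ID token's signature, issuer, audience and expiry are checked before the access token is spent on the UserInfo endpoint, so an expired or forged ID token never triggers the remote call. The HS256 key, issuer, client id and the fake UserInfo fetcher are constructed demo values.

```python
import base64, hashlib, hmac, json
# Constructed demo values: a shared HS256 key stands in for the provider's
# signing key so the example runs offline (real providers use RS256 + JWKS).
HS256_KEY = b"constructed-demo-key"
ISSUER = "https://op.example.com"
CLIENT_ID = "demo-client"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict) -> str:
    """Build a compact JWS (HS256) for the demo; the provider does this in reality."""
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(HS256_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token(token: str, now: float) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(HS256_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("unexpected audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return claims

def complete_code_flow(id_token, access_token, fetch_userinfo, now, want_userinfo=True):
    """Verify the ID token first; only then spend the access token on UserInfo."""
    claims = verify_id_token(id_token, now)  # raises before any remote call is made
    userinfo = fetch_userinfo(access_token) if want_userinfo else None
    return claims, userinfo

if __name__ == "__main__":
    calls = []
    def fake_userinfo(tok):  # stands in for the remote UserInfo endpoint
        calls.append(tok); return {"sub": "alice"}
    expired = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "exp": 100})
    try:
        complete_code_flow(expired, "at-1", fake_userinfo, now=200)
    except ValueError as e:
        print("rejected:", e, "| UserInfo calls made:", len(calls))
```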
@quarkus-bot

quarkus-bot bot commented May 30, 2023

/cc @pedroigor (oidc)
