Use token endpoint URL as OIDC JWT authentication audience #21319
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Proposing for a backport - I'm not 100% sure it can qualify as a bug fix, so Guillaume, please remove the label if you prefer. |
gastaldi
approved these changes
Nov 9, 2021
|
Thanks @gastaldi, I'll wait till tomorrow just in case for Pedro to comment - though it is a safe fix IMHO |
|
Thanks @sberyozkin . I just want to confirm that this does work for my initial use case. |
gsmet
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #21310.
This PR is about improving (one may say about bug fixing of) the way OIDC JWT client authentication code sets the
audience.The client JWT authentication is specified here: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
Quarkus supports and tests all the options there. The only problem, which has been caught by #21310 is that the audience claim value is not a recommended token endpoint URL (per the spec text:
The Audience SHOULD be the URL of the Authorization Server's Token Endpoint.).Currently it is the value of either
quarkus.oidc.auth-server-urlorquarkus.oidc-client.auth-server-url, so for example, in case of Keycloak, it would behttp://localhost:8180/auth/realms/quarkusvs the recommendedhttp://localhost:8180/auth/realms/quarkus/protocol/openid-connect/token(note the extra/protocol/openid-connect/tokenpath).Given that the OIDC spec does recommend using the token path and the token path is known to OIDC, suggesting as I did to fix #21310 with
is a poor deal for the users - here this is just redundant - but worse is the case where the auto-discovery works and the OIDC provider is as strict as the one used in #21310 - despite the endpoint URLs being discovered, one would still have to type the token endpoint URL as the audience which may not be even easy to find.
So this PR just improves the code a tiny bit only to use the token endpoint URL as opposed to the base URL of the provider.
We have 4 tests with Keycloak (3 in the oidc client module, one in he oidc code flow tests) - all of them pass, but, just in case (which I doubt will happen) I've still added an
audienceproperty so that one can refer to the base URL and updated one of the OidcClient tests (note Keycloak does not like audience values with the trailing path separators - so I added the code to strip it).It is hard to add the tests confirming the new audience property is effective - since the token does not reach Quarkus at all and goes directly into Keycloak, while trying to wiremock it would not be very useful - it is the behavior of Keycloak which is important to verify. So I can only confirm that the new property is effective - this is why I had to add the code to strip the path segment :-), otherwise Keycloak returns a failure.