Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose potential extension points on authorization code flow-related provider clients #27482

Closed
FelixMundial opened this issue Aug 24, 2022 · 8 comments · Fixed by #27540
Closed

Expose potential extension points on authorization code flow-related provider clients #27482

FelixMundial opened this issue Aug 24, 2022 · 8 comments · Fixed by #27540
Labels
area/oidc kind/enhancement New feature or request
Milestone
2.13.0.CR1

Comments

@FelixMundial
Copy link

Description

Our self-hosted authorization server is based largely upon basic authorization code flow backed by OIDC, but slightly modified the "code -> token" process as several non-standard parameters are required, which are primarily headers and bodies for signature submission intended for customized client authentication based on methods other than the standard ones like base/post/jwt or secret_key_jwt, for the exchange of id/access/refresh tokens.
This whole process is not at all universal in terms of keycloak or other well-known providers, but the ability of extention/decoration of the authorization code flow would be of benefit.
Thank you for your time :))

Implementation ideas

In io.quarkus.oidc.runtime.OidcProviderClient#getHttpResponse(String, MultiMap), it seems that headers and bodies are not somewhat customizable, I wonder if it's feasible to enable passage of customized header/body values to the http client, through configuration properties.
Or is it possible to enable decoration of the whole io.quarkus.oidc.runtime.CodeAuthenticationMechanism, through conditional injection of user-defined OidcProviderClients.
@FelixMundial FelixMundial added the kind/enhancement New feature or request label Aug 24, 2022
@quarkus-bot
Copy link

quarkus-bot bot commented Aug 24, 2022

/cc @pedroigor

@sberyozkin
Copy link
Member

sberyozkin commented Aug 24, 2022
edited
Loading

@FelixMundial
Do you need to have an option to pass the extra HTTP headers and extra form parameters with the code grant request ?
We can just add 2 more Map configuration properties, one accepting the extra headers (we have such an option for quarkus-oidc-client too), and another one - the extra form parameters.

Will that work for you ?

@FelixMundial
Copy link
Author

@FelixMundial Do you need to have an option to pass the extra HTTP headers and extra form parameters with the code grant request ? We can just add 2 more Map configuration properties, one accepting the extra headers (we have such an option for quarkus-oidc-client too), and another one - the extra form parameters.

Will that work for you ?

Thank you for your instant reply!
These two configuration properties would help a lot for such "weird" situations as ours:))
Still, I am not quite sure whether this "customizability" should be included in the core quarkus-oidc/quarkus-oidc-client, or should instead be made possible by means of other extensions closely related to them (in the form of different artifacts), because I am afraid these configuration properties would have barely any use to other quarkus-oidc users tackling general authorization code grant processes, thus making the quarkus-oidc polluted or abused by "my proposes":(
And given these worries, I wonder how you would regard the "user-defined OidcProviders injection" approach, which is inspired by Spring Security filter chains, as opposed to what most of the discussions were covering, the "configuration properties" approach.

@sberyozkin
Copy link
Member

sberyozkin commented Aug 24, 2022
edited
Loading

@FelixMundial Np, adding the configuration properties is the simplest approach and trying to make it more complex without real need for it is not needed IMHO - doing the extra grant handlers will increase the margin of a user error and complicate the already complex quarkus-oidc code even more.
For example, users can already supply the additional parameters which will be sent to the authorization endpoint as query parameters at the start of the code flow - it makes sense to match it with having the same feature when completing the code flow.
And as I said, quarkus-oidc-client already has an option to send custom HTTP headers during its grant requests, so makes sense to have the same option at the quarkus-oidc level.
It will be optional so won't affect other users who do not need it

@FelixMundial
Copy link
Author

@sberyozkin Then this enhancement is currently the best option for it, thank you very much for your explanation and help🥳🥳

@sberyozkin
Copy link
Member

@FelixMundial Np, I'll let you know when PR is available, once I get to it...

@sberyozkin sberyozkin mentioned this issue Aug 26, 2022
Merged
@sberyozkin
Copy link
Member

@FelixMundial FYI, #27482 will close this issue once approved/merged. It can be of general interest - but please give it a try and re-open the issue if some extra customizations may be necessary

@quarkus-bot quarkus-bot bot added this to the 2.13 - main milestone Aug 26, 2022
@FelixMundial
Copy link
Author

@FelixMundial FYI, #27482 will close this issue once approved/merged. It can be of general interest - but please give it a try and re-open the issue if some extra customizations may be necessary

OK, sure :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/oidc kind/enhancement New feature or request
Projects
None yet
Milestone
2.13.0.CR1
Development

Successfully merging a pull request may close this issue.

Allow to set OIDC code grant custom headers and params sberyozkin/quarkus
2 participants
@sberyozkin @FelixMundial