Optional configuration groups do not work

[sberyozkin]

Describe the bug
When I was working on updating quarkus-oidc OidcTenantResolver to support different client secret methods, we ended agreeing with @pedroigor on the following as an initial step:

@ConfigGroup
class Credentials {
    @ConfigItem
    Optional<String> secret;
    
    @ConfigItem
    Secret clientSecret = new Secret();

    @ConfigGroup
    public class Secret {
        @ConfigItem
        Optional<String> value;
        // etc
    } 
    // there will more groups like `Secret` here for other authentication methods
}

Note clientSecret has to be initialized immediately and Secret properties are optional, because all immediate Credentials properties (secret, clientSecret and more later on) are mutually exclusive.

I tried:

class Credentials {
    @ConfigItem
    Optional<String> secret;
    
    @ConfigItem
    Optional<Secret> clientSecret;

    @ConfigGroup
    public class Secret {
        @ConfigItem
        // non-optional
        String value;
        // etc
    } 
}

which looks nicer IMHO, and would've let me to just do if clientSecret.isPresent() instead of checking all of Secret properties if any of them has been unnecessarily set.

Expected behavior
It would super great if optional configuration groups were supported
Actual behavior
When I tried Optional<Secret> clientSecret and configured

quarkus.oidc.credentials.client-secret.value=mysecret

I got an exception (it was a class cast to Optional), I can find out....
It can be tricky to fix I guess, may be if at least one of a given optional group's properties is set then initialize and treat all other non initialized required properties in this group as optional because the group itself is optional

To Reproduce
See above

[sberyozkin]

CC @dmlloyd @gastaldi

[sberyozkin]

I guess

@ConfigItem
Optional<Secret> clientSecret;

@ConfigGroup
public class Secret {
   @ConfigItem
   Optional<String> value;
    // etc
 } 

would also be fine, clientSecret would be initialized if at least one of Secret properties is set

[dmlloyd]

First, initializing config properties is never necessary and you'll never observe a null config property (assuming everything is working correctly).

Second, we don't have any support for mutually exclusive properties at a config level, so that has to be done manually (or better yet, find a model that doesn't require mutual exclusion).

Other than that, it seems something has gotten broken here, which is odd because I was sure that we had tests for these cases. What ConfigPhase are you seeing this problem with? What are the stack trace(s) for the exception(s) you see?

[sberyozkin]

@dmlloyd I'm sorry, I've missed your question. I'll check asap and update

[gsmet]

For the record, I also tried to use optional config groups for my datasource PR and I got some very weird issues.

It was totally in the way and I already got other blocking issues in the way so worked around it.

[sberyozkin]

Looks like this issue is related, #8464

See https://github.com/quarkusio/quarkus/blob/master/extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerConfig.java#L59.
KeycloakPolicyEnforcerConfig is large so I suppose this is why a try was made to use an optional group

[arvidvillen]

Any updates on this?