Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update OIDC client filters to check if OIDC client feature is enabled #43374

Merged
merged 1 commit into from
Sep 20, 2024
Merged

Update OIDC client filters to check if OIDC client feature is enabled #43374

merged 1 commit into from
Sep 20, 2024

Conversation

sberyozkin
Copy link
Member

@sberyozkin sberyozkin commented Sep 18, 2024
edited
Loading

Fixes #41827.

When the OIDC client filter is registered with the @OidcClient annotation, disabling the OIDC client feature with quarkus.oidc-client.enabled=false makes @OidcClient ineffective because it is processed at the OIDC client filter build time and is preconditioned on the underlying OIDC client feature being enabled.

However, when the OIDC client filter is registered directly using a @RegisterRestClient annotation, the fact that the OIDC client feature is disabled with quarkus.oidc-client.enabled=false is not relevant, it is just a standard, generic JAX-RS provider registration. Then, when the request is made, the filter tries to do something with the disabled client and the request fails.

This PR attempts to fix it by updating OIDC client filters to check the build time quarkus.oidc-client.enabled property and avoid any OidcClient related initialization or processing if it is disabled.

The test has been updated. Specifically, when the OIDC client is disabled, the test gets 401 when a secured ProtectedResource method is called because it does not get an expected token. But it gets an empty response when a public method in the ProtectedResource is called, proving no token is arriving, with the OidcClient filter not impacting the request flow, even though the OidcClient is disabled.

When the OidcClient is enabled, the public method returns a user name, similarly to when a secured method is called, due to the proactive authentication, proving the token is flowing in this case as well

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 18, 2024
edited
Loading

🎊 PR Preview 14af184 has been successfully built and deployed to https://quarkus-pr-main-43374-preview.surge.sh/version/main/guides/

  • Images of blog posts older than 3 months are not available.
  • Newsletters older than 3 months are not available.

@sberyozkin sberyozkin force-pushed the disabled_oidc_client_filter branch from 2cae379 to 5c93205 Compare September 19, 2024 17:45
@sberyozkin sberyozkin marked this pull request as ready for review September 19, 2024 17:55
@quarkusio quarkusio deleted a comment from quarkus-bot bot Sep 19, 2024
@quarkus-bot quarkus-bot

This comment has been minimized.

Sign in to view
@quarkus-bot quarkus-bot

This comment has been minimized.

Sign in to view
michalvavrik
michalvavrik reviewed Sep 19, 2024
View reviewed changes
Copy link
Member

@michalvavrik michalvavrik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes LGTM.

@sberyozkin sberyozkin force-pushed the disabled_oidc_client_filter branch from 5c93205 to 6092c24 Compare September 20, 2024 10:28
@sberyozkin
Copy link
Member Author

@michalvavrik I've tried to make related log messages more informative as you suggested, have a look please

michalvavrik
michalvavrik approved these changes Sep 20, 2024
View reviewed changes
Copy link
Member

@michalvavrik michalvavrik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my eyes that's better, thank you

@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented Sep 20, 2024

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 6092c24.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented Sep 20, 2024
edited by github-actions bot
Loading

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 6092c24.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@sberyozkin sberyozkin merged commit b229e58 into quarkusio:main Sep 20, 2024
23 checks passed
@sberyozkin sberyozkin deleted the disabled_oidc_client_filter branch September 20, 2024 11:23
@quarkus-bot quarkus-bot bot added this to the 3.16 - main milestone Sep 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gastaldi gastaldi gastaldi approved these changes

@michalvavrik michalvavrik michalvavrik approved these changes

Assignees
No one assigned
Labels
area/oidc kind/bugfix
Projects
None yet
Milestone
3.16.0.CR1
3 participants
@sberyozkin @gastaldi @michalvavrik