Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for OIDC public-key property #7750

Merged
merged 1 commit into from
Mar 12, 2020
Merged

Support for OIDC public-key property #7750

merged 1 commit into from
Mar 12, 2020

Conversation

sberyozkin
Copy link
Member

Fixes #5828

CC @cescoffier

@pedroigor
Copy link
Contributor

Out of curiosity, what is the use case we are solving? Users that just want quarkus-oidc as a generic bearer JWT token authentication mechanism?

@sberyozkin
Copy link
Member Author

Hi @pedroigor Awhile back we touched on it with Stian and @stuartwdouglas as well, and it was only to support some simple service cases or, to simplify the tests.
And Clement, @cescoffier, also asked for this option, as using a docker image is not possible for the tests in his case... @cescoffier, can you clarify please ?
These changes do not affect at all the current code except that I had to extract some common code into the functions. Note a visible info log message is logged once. But I'm not 100% sure this PR will need to be backported.
Thinking more about it, the case where no OIDC server is involved can be well covered by quarkus-smallrye-jwt. @cescoffier, can that be an option ? This PR is a bit of a hack :-), though as I said the existing OIDC-aware code is not affected
Thanks

@pedroigor
Copy link
Contributor

Yeah, that is what I thought too so that smallrye-jwt could be an option to address the same use case (pure JWT bearer token authentication).

In any case, if you still think this one should go in. I'm OK with it too.

@sberyozkin
Copy link
Member Author

Hi @pedroigor thanks, I was wondering that may be it can be handy to, while already working with quarkus-oidc with the service application, have an option to quickly add public-key for testing the flow only excluding the OIDC connection. Something like that.
What I'm finding good that we'll actually do something about public-key :-), if this PR were found to be problematic then we'd just remove this property :-)
Thanks for the approval, I'll keep the PR open for a bit longer.

@cescoffier
Copy link
Member

My use case is very simple, and I'm pretty sure many will have the same case.
I have a REST endpoint, protected using OICD. In "prod" I use keycloak, no problem with this. Now I'm in dev or in test mode, I don't necessarily want to start keycloak, configuring the realms and so on. Today it can be very hard to check my API with openapi (because I don't have access to the token) or in my tests.

Of course, I can use the fake users/groups in dev and test - but that introduces quite some difference with the final behavior and it's a packaging dilemma (this unsafe extension is going to be in the classpath of the application).

The OIDC extension defines this public key attribute, and it would make sense to honor it. It would enable:

  • using Swagger / OpenAPI in dev mode
  • allowing tests to be blasting fast

Note: I use Jwtonizer to generate the token and the public key.

@sberyozkin
Copy link
Member Author

@cescoffier Thanks, IMHO it is reasonable to have it supported then as switching to the alternative with quarkus-smallrye-jwt won't make sense in such situations.
@pedroigor has already approved, @stuartwdouglas can you please review ?

gastaldi
gastaldi approved these changes Mar 12, 2020
View reviewed changes
Copy link
Contributor

@gastaldi gastaldi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@gastaldi gastaldi added this to the 1.4.0 milestone Mar 12, 2020
@gastaldi
Copy link
Contributor

@sberyozkin should this PR be backported to 1.3.0.Final?

@sberyozkin
Copy link
Member Author

sberyozkin commented Mar 12, 2020
edited by cescoffier
Loading

Hi @gastaldi, thanks for the approval. I'd be inclined to keep it to 1.4.0 as even though the existing OIDC code has not been changed, it has been moved around. @cescoffier, are you OK with it or would really prefer to have in 1.3.0 ?
Thanks

@cescoffier
Copy link
Member

cescoffier commented Mar 12, 2020
edited
Loading

I let @gsmet decides. It's really a developer experience feature (testing your app).

@sberyozkin
Copy link
Member Author

@cescoffier, ok thanks, I'll merge to the master for now

@sberyozkin
Copy link
Member Author

This is nearly funny, I press on a green Merge pull request button and it does not work, I've logged out of GitHub and in again. Can someone merge please ?

@gastaldi gastaldi merged commit 1fc4f71 into quarkusio:master Mar 12, 2020
@gastaldi
Copy link
Contributor

Green merge button 1x0 @sberyozkin 😄

@sberyozkin
Copy link
Member Author

@gsmet, hi. I think something is wrong with my permissions, I can't even add a backport label for you to review it a backport candidate

@sberyozkin
Copy link
Member Author

@gsmet looks like I can do something here again :-). So I've added a backport label. It would be good if @stuartwdouglas could also have a quick look but it may be too late by then...

@gsmet
Copy link
Member

gsmet commented Mar 12, 2020

I don't understand. You say you don't want to backport it and then you add a backport label?

@sberyozkin
Copy link
Member Author

@gsmet I thought having a label was a pre-requisite to be even considered for a backport. Indeed I had the reservations because I moved the code around (encapsulated it inside the functions so that it can be reused between the OIDC and no OIDC flows and even though it looks Ok on the eye it has not been stressed yet. Clement suggested that we should leave it to you to decide, hence I thought I should have the label. Sorry for a confusion if any.

@gsmet
Copy link
Member

gsmet commented Mar 12, 2020

I think it's a bit too late for that kind of change.

Let's leave it for 1.4 and if someone complains, we can consider backport it at some point.

@StuartDouglas
Copy link

StuartDouglas commented Mar 13, 2020 via email

@gsmet
Copy link
Member

gsmet commented Mar 13, 2020

@StuartDouglas sorry, I think you probably have been mentioned at some point by mistake. That was apparently fixed as I don't find any mention of you now but GH still sends you the email so you should probably unsusbcribe yourself from the notifications (bottom of the left panel). Sorry about that!

@sberyozkin
Copy link
Member Author

sberyozkin commented Mar 13, 2020
edited
Loading

@gsmet, thanks and also another thanks for fixing the id of our Stuart @stuartwdouglas :-)
I had this bizarre situation yesterday when I could comment and then could not edit, I actually saw that error, GitHub actually 'fixed' stuartwdouglas to StuartDouglas, and then I could not fix it; had to update the browser and then forgot to fix.

@sberyozkin sberyozkin deleted the oidc_public_key branch September 16, 2020 10:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gastaldi gastaldi gastaldi approved these changes

@pedroigor pedroigor pedroigor approved these changes

@stuartwdouglas stuartwdouglas Awaiting requested review from stuartwdouglas

Assignees
No one assigned
Labels
area/oidc
Projects
None yet
Milestone
1.4.0.CR1
Development

Successfully merging this pull request may close these issues.

Verify OIDC 'public-key' property can be used
6 participants
@sberyozkin @pedroigor @cescoffier @gastaldi @gsmet @StuartDouglas