Fail early if OIDC client password grant OIDC UserInfo access is misc…
…onfigured
sberyozkin committed Feb 19, 2024
1 parent 5f0dbbc commit 4d591f0
Showing 2 changed files with 59 additions and 4 deletions.
@@ -0,0 +1,48 @@
package io.quarkus.oidc.client;

import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.test.QuarkusUnitTest;

public class OidcClientPasswordGrantSecretIsMissingTestCase {

@RegisterExtension
static final QuarkusUnitTest test = new QuarkusUnitTest()
.withApplicationRoot((jar) -> jar
.addAsResource(new StringAsset(
"quarkus.oidc-client.token-path=http://localhost:8180/oidc/tokens\n"
+ "quarkus.oidc-client.client-id=quarkus\n"
+ "quarkus.oidc-client.credentials.secret=secret\n"
+ "quarkus.oidc-client.grant.type=password\n"
+ "quarkus.oidc-client.grant-options.password.user=alice\n"),
"application.properties"))
.assertException(t -> {
Throwable e = t;
ConfigurationException te = null;
while (e != null) {
if (e instanceof ConfigurationException) {
te = (ConfigurationException) e;
break;
}
e = e.getCause();
}
assertNotNull(te);
assertTrue(
te.getMessage()
.contains("Username and password must be set when a password grant is used"),
te.getMessage());
});

@Test
public void test() {
Assertions.fail();
}

}
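Review bot: The test config sets `quarkus.oidc-client.grant-options.password.user=alice`, while the production check reads the username through `OidcConstants.PASSWORD_GRANT_USERNAME`; if that constant resolves to `username` (its value is not shown on this page), the test leaves both the username and the password unset and never exercises the case where only the password is missing. Using `password.username=alice` would isolate the missing password, and a sibling case with only the password set would cover the other side of the `||`. The class name says the secret is missing although `credentials.secret=secret` is configured, so a name such as `OidcClientPasswordGrantPasswordIsMissingTestCase` would be less ambiguous. A one-line comment on `test()`, for example `// startup is expected to fail, so this body should not be reached`, would explain the bare `Assertions.fail()`.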
@@ -4,6 +4,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Supplier;
@@ -170,10 +171,16 @@ public OidcClient apply(OidcConfigurationMetadata metadata, Throwable t) {
// Without this block `password` will be listed first, before `username`
// which is not a technical problem but might affect Wiremock tests or the endpoints
// which expect a specific order.
tokenGrantParams.add(OidcConstants.PASSWORD_GRANT_USERNAME,
grantOptions.get(OidcConstants.PASSWORD_GRANT_USERNAME));
tokenGrantParams.add(OidcConstants.PASSWORD_GRANT_PASSWORD,
grantOptions.get(OidcConstants.PASSWORD_GRANT_PASSWORD));
final String userName = grantOptions.get(OidcConstants.PASSWORD_GRANT_USERNAME);
final String userPassword = grantOptions.get(OidcConstants.PASSWORD_GRANT_PASSWORD);
if (userName == null || userPassword == null) {
throw new ConfigurationException(
"Username and password must be set when a password grant is used",
Set.of("quarkus.oidc-client.grant.type",
"quarkus.oidc-client.grant-options"));
}
tokenGrantParams.add(OidcConstants.PASSWORD_GRANT_USERNAME, userName);
tokenGrantParams.add(OidcConstants.PASSWORD_GRANT_PASSWORD, userPassword);
for (Map.Entry<String, String> entry : grantOptions.entrySet()) {
if (!OidcConstants.PASSWORD_GRANT_USERNAME.equals(entry.getKey())
&& !OidcConstants.PASSWORD_GRANT_PASSWORD.equals(entry.getKey())) {
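Review bot: The new guard `if (userName == null || userPassword == null)` rejects only absent values, so an empty or whitespace-only username or password would still be added to `tokenGrantParams` and fail at the token endpoint instead of at startup; if the config layer can deliver blank strings here, `userName == null || userName.isBlank() || userPassword == null || userPassword.isBlank()` would close that gap. The enclosing block starts outside the hunk, so it is not visible whether this code runs when `grant-options` is absent altogether; if the block is entered only for a non-null `grantOptions`, that configuration would still skip the fail-early path. The exception names the default-client keys `quarkus.oidc-client.grant.type` and `quarkus.oidc-client.grant-options`, which could point at the wrong properties if `apply` also builds named clients, so that is worth confirming. Keeping the credential values out of the exception message, as the new code does, should stay that way.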