From 105fc0069ad670dc2a65d29894f5e5d7509130fa Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin <sberyozkin@gmail.com>
Date: Wed, 28 Feb 2024 16:11:17 +0000
Subject: [PATCH] Fix the OIDC token verification failure with the inlined cert
 chain

---
 .../io/quarkus/oidc/OidcTenantConfig.java     |  28 +++++++-
 .../runtime/CertChainPublicKeyResolver.java   |  32 ++++++++-
 .../runtime/X509IdentityProvider.java         |   2 +-
 .../io/quarkus/it/keycloak/AdminResource.java |   8 +++
 .../src/main/resources/application.properties |  12 ++--
 .../main/resources/truststore-rootcert.p12    | Bin 0 -> 1862 bytes
 .../src/main/resources/truststore.p12         | Bin 1638 -> 3238 bytes
 .../BearerTokenAuthorizationTest.java         |  66 ++++++++++++++++--
 8 files changed, 132 insertions(+), 16 deletions(-)
 create mode 100644 integration-tests/oidc-wiremock/src/main/resources/truststore-rootcert.p12

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
index f261186045c1c..19419851a9474 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -176,14 +176,32 @@ public void setIncludeClientId(boolean includeClientId) {
 
     /**
      * Configuration of the certificate chain which can be used to verify tokens.
-     * If the certificate chain trusstore is configured, the tokens can be verified using the certificate
+     * If the certificate chain truststore is configured, the tokens can be verified using the certificate
      * chain inlined in the Base64-encoded format as an `x5c` header in the token itself.
+     * <p/>
+     * The certificate chain inlined in the token is verified.
+     * Signature of every certificate in the chain but the root certificate is verified by the next certificate in the chain.
+     * Thumbprint of the root certificate in the chain must match a thumbprint of one of the certificates in the truststore.
+     * <p/>
+     * Additionally, a direct trust in the leaf chain certificate which will be used to verify the token signature must
+     * be established.
+     * By default, the leaf certificate's thumbprint must match a thumbprint of one of the certificates in the truststore.
+     * If the truststore does not have the leaf certificate imported, then the leaf certificate must be identified by its Common
+     * Name.
      */
     @ConfigItem
     public CertificateChain certificateChain = new CertificateChain();
 
     @ConfigGroup
     public static class CertificateChain {
+        /**
+         * Common name of the leaf certificate. It must be set if the {@link #trustStoreFile} does not have
+         * this certificate imported.
+         *
+         */
+        @ConfigItem
+        public Optional<String> leafCertificateName = Optional.empty();
+
         /**
          * Truststore file which keeps thumbprints of the trusted certificates.
          */
@@ -233,6 +251,14 @@ public Optional<String> getTrustStoreFileType() {
         public void setTrustStoreFileType(Optional<String> trustStoreFileType) {
             this.trustStoreFileType = trustStoreFileType;
         }
+
+        public Optional<String> getLeafCertificateName() {
+            return leafCertificateName;
+        }
+
+        public void setLeafCertificateName(String leafCertificateName) {
+            this.leafCertificateName = Optional.of(leafCertificateName);
+        }
     }
 
     /**
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CertChainPublicKeyResolver.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CertChainPublicKeyResolver.java
index ae0105fce3bcf..069ad2efb7704 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CertChainPublicKeyResolver.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CertChainPublicKeyResolver.java
@@ -3,6 +3,7 @@
 import java.security.Key;
 import java.security.cert.X509Certificate;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 
 import org.jboss.logging.Logger;
@@ -12,11 +13,13 @@
 
 import io.quarkus.oidc.OidcTenantConfig.CertificateChain;
 import io.quarkus.runtime.configuration.ConfigurationException;
+import io.quarkus.security.runtime.X509IdentityProvider;
 import io.vertx.ext.auth.impl.CertificateHelper;
 
 public class CertChainPublicKeyResolver implements RefreshableVerificationKeyResolver {
     private static final Logger LOG = Logger.getLogger(OidcProvider.class);
     final Set<String> thumbprints;
+    final Optional<String> expectedLeafCertificateName;
 
     public CertChainPublicKeyResolver(CertificateChain chain) {
         if (chain.trustStorePassword.isEmpty()) {
@@ -25,6 +28,7 @@ public CertChainPublicKeyResolver(CertificateChain chain) {
         }
         this.thumbprints = TrustStoreUtils.getTrustedCertificateThumbprints(chain.trustStoreFile.get(),
                 chain.trustStorePassword.get(), chain.trustStoreCertAlias, chain.getTrustStoreFileType());
+        this.expectedLeafCertificateName = chain.leafCertificateName;
     }
 
     @Override
@@ -37,9 +41,29 @@ public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContex
                 LOG.debug("Token does not have an 'x5c' certificate chain header");
                 return null;
             }
-            String thumbprint = TrustStoreUtils.calculateThumprint(chain.get(0));
-            if (!thumbprints.contains(thumbprint)) {
-                throw new UnresolvableKeyException("Certificate chain thumprint is invalid");
+            if (chain.size() == 0) {
+                LOG.debug("Token 'x5c' certificate chain is empty");
+                return null;
+            }
+            LOG.debug("Checking a thumbprint of the root chain certificate");
+            String rootThumbprint = TrustStoreUtils.calculateThumprint(chain.get(chain.size() - 1));
+            if (!thumbprints.contains(rootThumbprint)) {
+                LOG.error("Thumprint of the root chain certificate is invalid");
+                throw new UnresolvableKeyException("Thumprint of the root chain certificate is invalid");
+            }
+            if (expectedLeafCertificateName.isEmpty()) {
+                LOG.debug("Checking a thumbprint of the leaf chain certificate");
+                String thumbprint = TrustStoreUtils.calculateThumprint(chain.get(0));
+                if (!thumbprints.contains(thumbprint)) {
+                    LOG.error("Thumprint of the leaf chain certificate is invalid");
+                    throw new UnresolvableKeyException("Thumprint of the leaf chain certificate is invalid");
+                }
+            } else {
+                String leafCertificateName = X509IdentityProvider.getCommonName(chain.get(0).getSubjectX500Principal());
+                if (!expectedLeafCertificateName.get().equals(leafCertificateName)) {
+                    LOG.errorf("Wrong leaf certificate common name: %s", leafCertificateName);
+                    throw new UnresolvableKeyException("Wrong leaf certificate common name");
+                }
             }
             //TODO: support revocation lists
             CertificateHelper.checkValidity(chain, null);
@@ -50,6 +74,8 @@ public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContex
                 root.verify(root.getPublicKey());
             }
             return chain.get(0).getPublicKey();
+        } catch (UnresolvableKeyException ex) {
+            throw ex;
         } catch (Exception ex) {
             throw new UnresolvableKeyException("Invalid certificate chain", ex);
         }
diff --git a/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/X509IdentityProvider.java b/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/X509IdentityProvider.java
index d7bcff7deb67c..63d79961e261b 100644
--- a/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/X509IdentityProvider.java
+++ b/extensions/security/runtime/src/main/java/io/quarkus/security/runtime/X509IdentityProvider.java
@@ -60,7 +60,7 @@ private Set<String> extractRoles(X509Certificate certificate, Map<String, Set<St
         return Set.of();
     }
 
-    private static String getCommonName(X500Principal principal) {
+    public static String getCommonName(X500Principal principal) {
         try {
             LdapName ldapDN = new LdapName(principal.getName());
 
diff --git a/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/AdminResource.java b/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/AdminResource.java
index 3a6e8c4eb2825..59664d4e21510 100644
--- a/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/AdminResource.java
+++ b/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/AdminResource.java
@@ -61,6 +61,14 @@ public String bearerCertificateFullChain() {
         return "granted:" + identity.getRoles();
     }
 
+    @Path("bearer-certificate-full-chain-root-only")
+    @GET
+    @RolesAllowed("admin")
+    @Produces(MediaType.APPLICATION_JSON)
+    public String bearerCertificateFullChainRootOnly() {
+        return "granted:" + identity.getRoles();
+    }
+
     @Path("bearer-kid-or-chain")
     @GET
     @RolesAllowed("admin")
diff --git a/integration-tests/oidc-wiremock/src/main/resources/application.properties b/integration-tests/oidc-wiremock/src/main/resources/application.properties
index f78e4dc9dd018..f775048d5ac31 100644
--- a/integration-tests/oidc-wiremock/src/main/resources/application.properties
+++ b/integration-tests/oidc-wiremock/src/main/resources/application.properties
@@ -104,7 +104,6 @@ quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.credentials.client-sec
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.credentials.client-secret.method=query
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-password=storepassword
-quarkus.oidc.code-flow-user-info-github-cached-in-idtoken.certificate-chain.trust-store-cert-alias=fullchain
 
 
 quarkus.oidc.code-flow-token-introspection.provider=github
@@ -134,7 +133,6 @@ quarkus.oidc.bearer-kid-or-chain.token.audience=https://service.example.com
 quarkus.oidc.bearer-kid-or-chain.allow-token-introspection-cache=false
 quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-password=storepassword
-quarkus.oidc.bearer-kid-or-chain.certificate-chain.trust-store-cert-alias=fullchain
 
 quarkus.oidc.bearer-id.auth-server-url=${keycloak.url}/realms/quarkus/
 quarkus.oidc.bearer-id.client-id=quarkus-app
@@ -156,7 +154,6 @@ quarkus.oidc.bearer-azure.token.lifespan-grace=2147483647
 quarkus.oidc.bearer-azure.token.customizer-name=azure-access-token-customizer
 quarkus.oidc.bearer-azure.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.bearer-azure.certificate-chain.trust-store-password=storepassword
-quarkus.oidc.bearer-azure.certificate-chain.trust-store-cert-alias=fullchain
 
 quarkus.oidc.bearer-role-claim-path.auth-server-url=${keycloak.url}/realms/quarkus/
 quarkus.oidc.bearer-role-claim-path.client-id=quarkus-app
@@ -173,7 +170,14 @@ quarkus.oidc.bearer-no-introspection.token.allow-jwt-introspection=false
 
 quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-file=truststore.p12
 quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-password=storepassword
-quarkus.oidc.bearer-certificate-full-chain.certificate-chain.trust-store-cert-alias=fullchain
+
+quarkus.oidc.bearer-certificate-full-chain-root-only.certificate-chain.trust-store-file=truststore-rootcert.p12
+quarkus.oidc.bearer-certificate-full-chain-root-only.certificate-chain.trust-store-password=storepassword
+quarkus.oidc.bearer-certificate-full-chain-root-only.certificate-chain.leaf-certificate-name=www.quarkustest.com
+
+quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-file=truststore-rootcert.p12
+quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.trust-store-password=storepassword
+quarkus.oidc.bearer-certificate-full-chain-root-only-wrongcname.certificate-chain.leaf-certificate-name=www.quarkusio.com
 
 quarkus.oidc.bearer-key-without-kid-thumbprint.auth-server-url=${keycloak.url}/realms/quarkus/
 quarkus.oidc.bearer-key-without-kid-thumbprint.discovery-enabled=false
diff --git a/integration-tests/oidc-wiremock/src/main/resources/truststore-rootcert.p12 b/integration-tests/oidc-wiremock/src/main/resources/truststore-rootcert.p12
new file mode 100644
index 0000000000000000000000000000000000000000..e6a5a80173a456b27d3b92838280ea0e24f0e5fb
GIT binary patch
literal 1862
zcmV-M2f6q#f(JqZ0Ru3C2J8k2Duzgg_YDCD0ic2g-2{RL*)W0z)i8nv(FO@BhDe6@
z4FLxRpn?X%FoFiY0s#Opf(Ew+2`Yw2hW8Bt2LUi<1_>&LNQU<f0R;^(Sui*T2`Yw2
zhW8Bt1q?7N1QeZGou1{Ee#@c343|(bj@*3aXM6$zClCSwATSID2r7n1hW8Bu2?YQ!
z9R>+thDZTr0|Wso1Q3gq`{dQW<s=S8R~aXb>c@bB20%|E54N$P+QzS#6<4_SJ8X{N
z^QIqSz3_PeGJbvEsINt?>p`bfyt(L#mvQGtN1wG*OS1`~6<k~Fw9f{wkl!i3a$BTT
z;WxLVisn!KjYR6o3%^bKePg-_nB<3bY&oorgyiv@Nd&Q{{G`7%s_tCcxU4G-VT>FT
z*+<C1Mxmq!5IOXXw<y%Nv{>=sLB~J!X#%6@SQG$rib9=|MyseFVrIEAJrT*WtNyBd
zc+KPna<_%8YdmA<OA^$5!@jut;~RJ0qkiEzV!l^$$Qo&Mvq2`9K29OW@4LA21(ZTF
z(3g8$ZBf$t2HeYYPnD#|xhF8XWCYwuD^K;3&Cz&ipv+Qk3*#8Q`(pS^h4PR(y)Obm
zVXbk?WGd@Pu^U6-3*NGBZomc1RPJ)Xz=9zkzq8~gKgB{^$Hc^_riI6V8pTVMj!4oH
zx0U!F5hGh1oatD*s-^zQlHa}!MaQ+Icxd}SCsL{<2Sij5*(!8C#Hk`%d+KA%RCis(
z5nR;S^0yU%9M1qy*jeR^_SV-HU_iD@IUuxghlrcESSs<`7|>O-rQi>?7JBq+1Odgx
zg2!gIcZ2<w`F;4zUROu42dNA;vN6T5q+8NHoAU{kHW*IL^=_?ROAV6zyQO_h#D=h*
zomR(^o~lMPc(*#|sDi@$%c^Fb5%zyiX=_++3VH`NCX2>(D?;;QlT#`K41vGP**m4K
zv&!3S1P6K<dJ#!hvgsK362yCq6N#4=@z(;G<XR~ULF3cduMR2Tbp*6Mv}Vw5(rn{y
zRb@b%IaxO@lb+G~ebJSH)_74!zxDpAYzM6|*Pp)pDyY~wT%WS8Kg<j3n7y0!y=kRM
zHw7+;X1Z`A(A$(!be=kd*l0V?-}`CK>CzyvThOKnn`kUzM*fknOk=PXaC>OSDWPpX
z2tjKugnA#<(L$WkaV@~wDkcfO6I!n2DF#N&>@3xYbok7xZQmZur=mK*%sHLEy%kCS
zYChphDX5ZlfNSdYhsp_V@LgObgUwX6*QoyTvzemWxZJO6`57ub_58O6>IB<V?RRQ+
zJE~X8F_Vkf1SncmDR(${q#)~lc$)Ye4gUGJn#(f8bW*VZR>yZRJ<*#!@!(E#ok#YX
zcNxACg~_DSmO;tAZ2)q|<hBrst4Y+GT%rW~b@(Qx-=09TR%33E?ndYKOZg+k%c~vO
zXD?|oAJs(xST^8nddu6~ipLX$)hl`j0rV3rNZlJ<Ad;v;K8XV>rYT;2`sKKX?Gc)b
zoKra#A*gv(nFXoDoS#wCunoTUE(w|r1(Wa+$cFV)QF3Ic%s|KQRzfkBjN=Sir_~;E
z>N3y#B7`V1RBPNz*Nhn-FygYiTE1LM0zO#NB+vY;CVo&UIL$t=+B@_sv*HiC=X9_r
z)S=UHiOPAlP0^y=XA?K9K9-&dz&Q293PM!+<tRgzoGIXqE+7cJ)n}tF_1k%L^hd6}
zO=A^fakWIp7(MD8o2a3Fo&tOy%MdASXHsh|1HZ0z6%Jg+f<vr$JHpe{5L1JCK_dy2
z5CIQSHZ30iW{BTXFvjbjoR0YfeW4`QI}YLqWw^t|BvmD_$*9Ci@yaChaL7b_KkEDd
zUP53tiw$b}4Vff+=L6*qshp=jDcvL!t~#~|W!JpN*3-AzEj6hg*%W`G?6ywJ`(`+S
zMqQTRAg3szZurpJ43Qbcklh>f>=avLlIT2lL{3dXh##?ZXV~wtrC7C@pC4m0+S9_u
zc;;>IvwrZ|#ksofds!Z%=MgRxgj)TY<J^CYXcN7-t%#1#JW8(r+Grit!xtYbS$FDt
z=A|GmxoPBi;pvjZyYUVUpH~@#(D&H72m5R9u-nFYKc&MU&G_V)nQ}oLaUgb3>@12e
zbvw463b;1Ohy-uBV@7D?&O>cao#!aEEH;Y6MbR(Ac`jqfyXW`FXo0o!4iAlp0{ARh
zqp5cis&e>c;af#vM}kz;`6KTMgFZIlRPsUqY2(I%$(WL@^IoC*&Wu(%9R<Ri+2bvc
zVse(I(_AgG0~q}m<0Qp@iQHxrylU(h>Z5$fE$};f)I74cVZ)JwLG?G3Sli|}C0W)3
zU^L(P*`7J~)-;R_Zr}g|30#F<c#<$pFflL<1_@w>NC9O71OfpC00bb}ni)SqkMA-2
zKt1@jFp48R!rV!`zZ3cq6tZ&=4~0hr6gSQPH-h^YW8?LM;J@nkEt7F+?g9cQ5J6;z
AH~;_u

literal 0
HcmV?d00001

diff --git a/integration-tests/oidc-wiremock/src/main/resources/truststore.p12 b/integration-tests/oidc-wiremock/src/main/resources/truststore.p12
index 81b0be2ede57e8ec7271b59b475d41bc6789a450..b0c1f8bcb4164b99b5efca0cf4ab719bb66d7210 100644
GIT binary patch
delta 3196
zcmV-?41@FL45k@CFoF!C0s#Xsf(%Rs2`Yw2hW8Bt2LYgh3_S#b3^_1@3^g!<3^4`?
zDuzgg_YDCD2B3lrA~1ps9s&UXFoFyhkw7aHZBXl6c50+W*iu^*?TPTSl7@{Ck$)tA
z)xR%yUhlKrnkB!EP#L6EfPxF4lrAvBR-K^?CC#o)KGky{Zq!`0nR>ILCGW44TRv<k
zz_vB1`=hefBu9*yBiK;Im!CA3zbSYssct<)S5fi}*rh~s#RS%)1!7u?#1m%l>JQpL
z(OunF1|XaT0xzeuHzh1WQ8gPEZMJ=Xi>qzsRc&y8n%AXcQ^E;RBT;dELLYEvFM$hV
z<Fy<h!F8UmcaR>;{Y)R9DM_1O{tjJHN*4klJYPWHUbd*jsSjV|-Rcp?F}ayNNJ&^>
zH477A`QH17Dv;Idl;Ehq_{QtwqHH<Npx>yPDa$;@hha*cnK?;$$|iuw70@JqGtZ2=
z%Lv`nwDWnFeRV}f9_7vfB&hW<Y9<smls%LomW<(Bveq4niEojcvmB^YO6cx>rI&x*
z1S+fY!l3Cl!ZwA#jCts;8q%g6>>QC-ZN=aIrY7s{o8H%=>!hNmyRm3X|8pcJ?1}Ch
zd`vze4L>b$mkOESKm@Bh1&bqp%^ErYNP*H353gP2xOqZ03wqT~N3s>_|3JU!_E6rN
z907=Zzzy_60@c;9Vsl`(FwmQIp)TBmPn(mv-RrH#!??;Ths#+KrGvgZa3r#e05)TN
zFdPpshsNOif(1b%|0YOs+6^jCyyq|G1dZ0E9}J{Sd%+(>svafnX;^lD33|T`9gZ6R
z3*P&+fhZ>2DBZM<Vh*HMF3B?NM1qCtP`5^^-ZsWn<F1lxV6^IM<~YOD-OO+6Gu|gb
zW)yMPF#yk|KG<D{pI(UZbh@H5IfkXS{9Pi1Vks;?e_no7tN4+35E$%A?^?V>b0&{h
zl8#IAz*`8lq>vXSV6y;!$3ex!Moo?-Nz9Ngw&hcHVwFEH<0OPbF{#;U<o5BQF2-d7
zU^C9qKUQHSP{=NE0(tMn>E{$)lH>ENAvP7O1vWR}wt&PW$_j@T`phX@WNrO24xUJk
z(asNYMQZat<JOeOwk6$8n@I35c|v3~Xtl3nYn2zb{-UbF<u}TIWYXP^;mpTNAEgLX
za5V0u_T@U(OoOr!u1dncBV{WMd{2E>x947vN40>N$bjXWw@k~)P$bPCC#9tq*80=+
zXFV@)()rk|eYI+cp}yrnpmWykk#LEZUM&$}2y*>9A2iRA@dia1vsJgMQDH^TqEL%s
zhhAu&jCnno&<V|dZ4Z8GR;x@6iNi)(RhcgW2%CL3TeL7>z4ewjmqAy#OvtFye`q{8
znZIPr6M{!f3a1^S*(zYvL841Dsa=li<<dnvyimNfBJoS-E4$ji%2ctM80QP>7LZ>g
z5@R!5(c*{0Ipg67QzG|(y;xo}U*A8HTaQCGGOCh5Apx&{GX0mB%7OseK>pivRv>OS
zNyxxSS1$*7esfx?{*9tK<+cF{BeGx_iAYxLs0c!QUbQQhRv3`QDOB}eFIad*h97?p
zK8XhMzJHH6iRFOhsDCi}Xi^pDoN+0ZbWip`@M<(5q^0?m^4Hq-jVRD23oVpX)Ypp5
zf=Hg&?2s^j<T%{$N_^kE#()%zDugiGQtiGB@O)jiXo`j#u2%KryA1^cMh<{=NUVEB
z@ro+pAlbS(Mm;SC6~H`S-H@Y%lxnK?{8s>R0>+uZGo8(7FiUHz@{Kd|9_R~c?_P1r
zRYqe|GHbC!v>Wm8zJI!!-o3Jd(Rbvv$jB&6rC>yV15JGVJOVA~*53n`Vqa>M0Frc*
zq+-fn^b9qjE^JT}q!^NZ%c94R`DjN>*8FdqRlUGd5}uc{S`DY)tl2paBB3KISid1V
z7jN`o`mhU<9p{R>Gaov_5HbDQcX$m8Vnvg~DNfV)xi6|FBR!>V4k9|u(|`bmhe6@%
zKBuaGbYsG$AASI2bTpZ3I9ZFi>Cog278&S+*f}{C`URv2vI+f1(~R2Uf@pD=Z5~PW
zm+k;p2Pn3O>r78noVKyD1dzhLQkmH|3qfZo@!>rr)w{}tCUMqnDHeG10Xsde!3TXD
zXN`ty|CojgR-v=CJ+zsf)=ART)cO*nd}F|Wj~sSFWP@0%DW(#qpJB0kPeLYpYD%iP
ze^z(6aysvKJzBuuk5p75Knp`JPYQWGGy@&BdIRgJ<xWDroDuqF+Y2eP0LrtYO~U<n
zQqV#76TDO2sL#F=bPZ#3Hsbpwf&3_;PT0zE_IzfN4z82vx~r+AbbH_CjoBCcKWSKh
zt{*}5on1Q4n_;KQM^~K3vQ8_aX?>>J1G_OIy{<k^Kr%`CTX>qoJ9}8C^g*HJq{nJR
zTorrtlwgU`h+~n{R?{YRtrB@S*ohj94EVmh`Yf46(fc5{QwCxbfg0!`Q%U;XKKNGm
z{7NtCmgAPcmg+9Aj>ZL%fQg2wlnQHqRyym@24E{NZIs-XWjF<zFt}D}S|%)+x$cB1
zpm}^21SvG{j>7fQkk}AKnsjfI_zCjqY~<J2v#GS(S(;=QT!(Chg5w1$NGzv8P^RtC
zik$+UqqE;+<0r_yXclBN%u?HwJy>{+s+S)Uy@I-_!%(IC&fCM=#b@T0dJ)8bVkHeJ
zcdkuvl0(seqZjqizL`08-FIaj@|Ej8E|p7hkHh54^{|nuK0<L=)dM($$UB5YmEb!j
zA-JcI@CF`0Gy~M?^NmU9Qi8x;6(zL{dJ7RAuTkA&6`Hrps}}A$Da-~fh}(ajP|#C7
ztnAt*_#%aHJlL4vgD_k|GkpwyVyht$EBjmdF!%arB9lYGPs6C`VXlRP;d65R{}afO
z^s{MhZCIU>t?6e?Jufv|bE(EE0j!w;u{|o5{_Vw5snkA~Kc~P_XYZMf@CZYYBnxaI
zZ4ce^hLb~wB3{hD^>!dNw3yEh2*I)2JsfXYW>6KW@0#$&hw7-Bf(3AYa;JoKE0fAr
zd$LZ5cM?zEmkpg@tkR^B!D!pb`tS7i4OXaqYmTj(@6ueR$_eLvbr4paSLs^HVE*J%
zOCyV|XI<?^I?~J}ZK%+O0D9TXkzLJOe!&NILXh(0R0yCMG3qG{Ut16GNcb}TM!r=B
zLZ_4|RTD`_5S`-1I+l=svJmm!*vKWpbRlfy_3}Xd9CLS^afwM~JRmLZ2Q!EnhPzTj
zeTBZRuDSKI=Wh}oKudBCi!dF|lB)jDwxSroAHP(a>I9?{Hm!={10=z*Q3>I#B$w0-
zg{B}14hZH53F)v>3C=>sLS{LH6m2IG@GtiXPD_b%%=%k%M}Q`OYb1&*cu7@$m71w6
zze10P3%?UbnA;xTntAE9ELc32U?#@D#hz)i3wQ?yC0<3r6yH8pA?fI3!72V2RE2;Z
z1rSN>gR1!q4#&ed$KB+B6Vv|7xP|t&>sn%D%4WqBzC^F6qoa`s+&K{MIgmZVUD^?A
zAzNM+#@-kUrp85o=*)``!a?h}M4;m1;>@p+H?SdE0zB4}E4v|y*Ov1^QJy}i(Mt1Q
z)L6&lDC@YudH{*<i87J77JyapjS;egO=$%`U=<m2V9&aL$|)N960%D--7`gK6s%0O
z?e^QdcNU0(?4xPRCl1CP%n&hEm>)#p$YnFgs%BG8-%8AX=0R(`{3D}@kkwL+wNilL
zFMj+mfQuAhw=mOK2CXDE=o+(pF=cyz(kQiA_2kH-ED*=lGH1Ucry7vB95hR&R~2Ic
zxdBf;YV^|*l?||~zphPPLkKa)y3=g7;{&?Ty_sRVn8Pi#!=jINa^U5bdDc-dv$BpT
zwpI|tP$27nlqP)ux*y(Y7eWrxym1z$Q@BzY3@wsYFG<Q$gN^-{sM|zha{msH`H!W)
zxP?>w37;)$1c3I(=_Z;#;oRgkR}kt!aBq3P)j?F`5shw_DS=(KNj~7rMP{u7jV03T
z**#fz0*QbB=y$rn2bPo`Rg<?;X}$s_be&fS`FkvXOIxDbZego2*)7Hk5TvvYM~qrs
zAS{BG`o!Qh$<iK##K#nHb!2`^GJI3@YRm1pQcIrpRPGQ02j#!+g?fwgE8SQB56ffs
zuI30ZO)xPq4F(BdhDZTr0|WvA1povfZDRQU0*MJJM=;YgA(*QK@e%TJ_zo_MZHY*k
i2~MvYC<GKG1u%Wg%FlSbl^*}nizN1b`vpt_0w)k~+XyZI

delta 1583
zcmV+~2GIGY8RiT?FoFhR0s#Xsf(8r*2`Yw2hW8Bt2LYgh1^onq1^F<71@$n31@Q(6
zDuzgg_YDCD2B3lk;xK{*-U0ytFoFfwkw7aHUx;A+`bk-U{2T>-4suU>OO!O)k$)tA
zE#Ir{dP%mq_Db*Fuk_m^fPw{J@5ENK5lXY2HQ!nW*<_Q0g*kOQ0IH32$!ayKit&aS
zbl1;F;^DO}JjSIQkW>tfN5=d#;`!(jmzfrm)ocs4Fr+cD`YzEoM6&DvBc-Q+F+1j!
zb_ByZ@(kG}mAG8c^K!UJMj#*YY%`*N^KgDTHw$gmhrE=lV!57cGP?%`PB1Kh|1})i
z96}6I4z16MEsZ={%2k73l|qjgtqEwpyy$>LJqQBNNlCx$FiPmr0-SuFjP?w%`=6N;
zY}uQ%!N7`jX%q1RHNm}d=F^8Ia;}dJ_pjsAG2`H3zfIn%#5y<__3hck^J0*H$~aD=
z+!p+boB!iBntuUzxhp{7_g19&nweBPBNsD04k(O3`n69mp^TgV2L9cv-wNWVfzXL6
ze4owY%cq0%{)$4u(Ndce%hsnYzS#zYIm%ZzOH7vV)7~UNUnV`_5G9DPczem*JE{}`
zK*A?)FNp>}Oc6u9Rv~Gevyi5L7cMOMFgdrhNg-32H{BduZ)QWoQUcl7D0X)DM-${$
zla@XVl9=*~*KoLSy$;(-?&LjR^+g;TyNyc#Xra|kDOefJ-5j+RhV&tMXdhxIwrc$(
z-Ed8Sjv#!sk*(vqh^<WnGetnUhbG|~F&uTQ(m&)sB?c_jQWk-M(yi8irUtOhRxE^D
zvo4j*h3or&Z-<9BqX?Akw*4Z3Ly%(g_djJC4OKe%I<q?qA{ozyF<4iH8m=|-9fCJJ
zC}Pit4snrRsbaqmK~Y~l^Yx?wC>8`qBDqV2t3f-*aSyEm?8y&$t}1!ibus!s!^Fy!
z(I(lOu%awYIcI*&f6}slDp25q)9gWT|2;X`5-9X|QK4vayv$|`Za}5niA8Iuv~Zw$
zxis^5hK3egd9!5>Fn@MF26O3j?|v^5lGLCGoxLJT3vCy6H!!<?2HTAI#~LTpn;Zqt
z(LE@fTB~MXJZ(I`ey&Oi`{Wb%84k2+s{V{5>ce|)(yotiNVREyEdJKel?^gYIX6o<
z#s5g{k<VYd^morVUaXTuKQU+zLD*^_DULD35rnz*SOp<gaa?lP_1s_2k)$o&VzMrO
zWj8x8*9R3&*7?Zn;e~xS<?atdcQNEA6YFAnJ{=S}(c+zg0;yxiMC*xs=ZhrUK@?hs
zSbBropI`C2?q7y~umQ`va2^mKzwwp+Qv^}b5tpB+gzd%9XH(hb-UWkoR*>jrgjayi
z-m}Cc3+<z@v23^})r@~dZts|DF~Nuk)fQ>rij+`b!y9s8Vj)PYj3DZjrFf+DR?9xk
zIpq#!j%WLHQ9v@BEBDHqfVoc6b_f^xGY)2~AYrQnu;>hbZC4&<O^Yajvp--muE|l|
zIn31-ch2wD2n5h6tw9QBmLMSmK+z=rL22^sOol-hP~n?tHH|;Y?W}OApr{h5++3$$
z_K$Dde;Co_2J2$|@VR{zB=*^pFgU#bIUlGBC6-l|n2}lk8>oR%<aPUtc;<2NgfL5h
zPm0m@=c~$pE2fFzVc|ZuPaPtPo-7m5KBR|QCS+4TRR}_%Z=zl86FiN)|1hXqKmx~`
zng3~@+#=Wn^||IEzQ~$IsEnr!#VZcKk+%~#op__i&zh(Sxx(RMvNrc_0^EnufS*@>
z<y4zgj!y}mUZNR7GA4**f7XPNZ?+PK$N#CK!SUFC&HhpO#v6wG1-$mcQeRo4;-Gxk
zjRp{L!emZ!d-zp`cvVQavw~n@SMkEeCr!lI@M>+pM=9h1l#Unjo9lOjf2}vMAn!XX
z@DI64PkTrT?Dg(R540H_l}09=*<z34zeG)|8mAWNt+(7eYW1U_i45T!Q3*m~zmX0$
z<%=**O)xPq4F(BdhDZTr0|WvA1povf+-1kmYOJFLf2;4~uYd}-Q-*HVMHpsVG3qdP
hp$6!I1QaaAg%sf{v#wN4iqUn9iUw^(OJV{7ClC_=_3!`y

diff --git a/integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java b/integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java
index ac7ddb516d975..bee2e7e42f83f 100644
--- a/integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java
+++ b/integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java
@@ -65,12 +65,12 @@ public void testAccessResourceAzure() throws Exception {
         wireMockServer.stubFor(WireMock.get("/auth/azure/jwk")
                 .withHeader("Authorization", matching("Access token: " + azureToken))
                 .willReturn(WireMock.aResponse().withBody(azureJwk)));
-        //        RestAssured.given().auth().oauth2(azureToken)
-        //                .when().get("/api/admin/bearer-azure")
-        //                .then()
-        //                .statusCode(200)
-        //                .body(Matchers.equalTo(
-        //                        "Name:jondoe@quarkusoidctest.onmicrosoft.com,Issuer:https://sts.windows.net/e7861267-92c5-4a03-bdb2-2d3e491e7831/"));
+        RestAssured.given().auth().oauth2(azureToken)
+                .when().get("/api/admin/bearer-azure")
+                .then()
+                .statusCode(200)
+                .body(Matchers.equalTo(
+                        "Name:jondoe@quarkusoidctest.onmicrosoft.com,Issuer:https://sts.windows.net/e7861267-92c5-4a03-bdb2-2d3e491e7831/"));
 
         String accessTokenWithCert = TestUtils.createTokenWithInlinedCertChain("alice-certificate");
 
@@ -217,7 +217,7 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
                 .then()
                 .statusCode(401);
 
-        // Send the token with the valid certificates but which are are in the wrong order in the chain
+        // Send the token with the valid certificates but which are in the wrong order in the chain
         accessToken = getAccessTokenWithCertChain(
                 List.of(intermediateCert, subjectCert, rootCert),
                 subjectPrivateKey);
@@ -246,6 +246,58 @@ public void testAccessAdminResourceWithFullCertChain() throws Exception {
 
     }
 
+    @Test
+    public void testFullCertChainWithOnlyRootInTruststore() throws Exception {
+        X509Certificate rootCert = KeyUtils.getCertificate(ResourceUtils.readResource("/ca.cert.pem"));
+        X509Certificate intermediateCert = KeyUtils.getCertificate(ResourceUtils.readResource("/intermediate.cert.pem"));
+        X509Certificate subjectCert = KeyUtils.getCertificate(ResourceUtils.readResource("/www.quarkustest.com.cert.pem"));
+        PrivateKey subjectPrivateKey = KeyUtils.readPrivateKey("/www.quarkustest.com.key.pem");
+
+        // Send the token with the valid certificate chain
+        String accessToken = getAccessTokenWithCertChain(
+                List.of(subjectCert, intermediateCert, rootCert),
+                subjectPrivateKey);
+
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only")
+                .then()
+                .statusCode(200)
+                .body(Matchers.containsString("admin"));
+
+        // Send the same token to the service expecting a different leaf certificate name
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only-wrongcname")
+                .then()
+                .statusCode(401);
+
+        // Send the token with the valid certificates but which are in the wrong order in the chain
+        accessToken = getAccessTokenWithCertChain(
+                List.of(intermediateCert, subjectCert, rootCert),
+                subjectPrivateKey);
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only")
+                .then()
+                .statusCode(401);
+
+        // Send the token with the valid certificates but with the intermediate one omitted from the chain
+        accessToken = getAccessTokenWithCertChain(
+                List.of(subjectCert, rootCert),
+                subjectPrivateKey);
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only")
+                .then()
+                .statusCode(401);
+
+        // Send the token with the only the last valid certificate
+        accessToken = getAccessTokenWithCertChain(
+                List.of(subjectCert),
+                subjectPrivateKey);
+        RestAssured.given().auth().oauth2(accessToken)
+                .when().get("/api/admin/bearer-certificate-full-chain-root-only")
+                .then()
+                .statusCode(401);
+    }
+
     @Test
     public void testAccessAdminResourceWithKidOrChain() throws Exception {
         // token with a matching kid, not x5c