From f18af1b36d63100d8fc77b60ba8e6455bedba73d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Vav=C5=99=C3=ADk?=
Date: Fri, 16 Dec 2022 17:42:50 +0100
Subject: [PATCH] OIDC - Harden conditions for token verification with user info follow up to #29715 I think previous condition was typo and it worked as by default `allow-opaque-token-introspection` is set to true (which is going to change in the future). We should only allow empty introspection result if that's a way how user info verification says "verification has been successful".
---
 .../java/io/quarkus/oidc/runtime/OidcIdentityProvider.java | 3 ++-
 .../oidc-wiremock/src/main/resources/application.properties | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java
index 8f28ce75eee51..1046d54d2c910 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java
@@ -199,7 +199,8 @@ public Uni apply(TokenVerificationResult result, Throwable t)
 OidcUtils.setSecurityIdentityConfigMetadata(builder, resolvedContext);
 final String userName;
 if (result.introspectionResult == null) {
- if (resolvedContext.oidcConfig.token.allowJwtIntrospection) {
+ if (resolvedContext.oidcConfig.token.allowOpaqueTokenIntrospection &&
+ resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo) {
 userName = "";
 } else {
 // we don't expect this to ever happen
diff --git a/integration-tests/oidc-wiremock/src/main/resources/application.properties b/integration-tests/oidc-wiremock/src/main/resources/application.properties
index 2722c5d273122..55c6643e7e2f7 100644
--- a/integration-tests/oidc-wiremock/src/main/resources/application.properties
+++ b/integration-tests/oidc-wiremock/src/main/resources/application.properties
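Review bot: The branch that assigns `userName = ""` is gated only on two configuration flags, not on any evidence that the user-info verification actually took place for this request, so an identity with an empty principal is built whenever both flags are set and `result.introspectionResult` is null, whatever the user-info lookup returned. The enclosing `apply(TokenVerificationResult result, Throwable t)` method starts and ends outside this hunk, so it is not visible whether every path into this point with both flags enabled has already completed a successful user-info call; if `TokenVerificationResult` carries the user-info response, the condition should also require it to be present (something like `&& result.userInfo != null`, using whatever field actually holds it) rather than trusting configuration alone. The `// we don't expect this to ever happen` comment on the `else` branch now also covers the case where `verify-access-token-with-user-info` is enabled but `allow-opaque-token-introspection` is off, which the commit description says is about to become the default, so that branch will be reachable by ordinary configuration. A comment above the new condition such as `// an empty principal is acceptable only when the opaque token was verified through the user-info endpoint` would record why the conjunction is required and make the future default change easier to reason about.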
@@ -74,6 +74,7 @@ quarkus.oidc.code-flow-user-info-github.credentials.secret=AyM1SysPpbyDfgZld3umj
 quarkus.oidc.bearer-user-info-github-service.provider=github
 quarkus.oidc.bearer-user-info-github-service.token.verify-access-token-with-user-info=true
+quarkus.oidc.bearer-user-info-github-service.token.allow-jwt-introspection=false
 quarkus.oidc.bearer-user-info-github-service.application-type=service
 quarkus.oidc.bearer-user-info-github-service.auth-server-url=${keycloak.url}/realms/quarkus/
 quarkus.oidc.bearer-user-info-github-service.user-info-path=github/userinfo
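Review bot: The added line disables `allow-jwt-introspection`, a flag the new Java condition no longer reads, while the flag it does read, `allow-opaque-token-introspection`, is left at its default, which the commit description says is going to change; once that default flips, this bearer-user-info-github-service configuration will stop satisfying the new condition and the test would fail for a reason unrelated to user-info verification. Pin it explicitly next to the new line with `quarkus.oidc.bearer-user-info-github-service.token.allow-opaque-token-introspection=true` so the test documents the exact combination the code now requires. Keeping `allow-jwt-introspection=false` is still worthwhile as a regression check that the removed condition is not what makes the test pass.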