OIDC - Harden conditions for token verification with user info
follow up to quarkusio#29715

I think the previous condition was a typo, and it worked because by default `allow-opaque-token-introspection` is set to true (which is going to change in the future). We should only allow an empty introspection result if that is the way user info verification says "verification has been successful".
michalvavrik committed Dec 16, 2022
1 parent c0673cb commit 607104a
Showing 2 changed files with 3 additions and 1 deletion.
Expand Up @@ -199,7 +199,8 @@ public Uni<SecurityIdentity> apply(TokenVerificationResult result, Throwable t)
OidcUtils.setSecurityIdentityConfigMetadata(builder, resolvedContext);
final String userName;
if (result.introspectionResult == null) {
if (resolvedContext.oidcConfig.token.allowJwtIntrospection) {
if (resolvedContext.oidcConfig.token.allowOpaqueTokenIntrospection &&
resolvedContext.oidcConfig.token.verifyAccessTokenWithUserInfo) {
userName = "";
} else {
// we don't expect this to ever happen
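Review bot: the `else` branch comment "we don't expect this to ever happen" is no longer accurate once the condition is tightened to `allowOpaqueTokenIntrospection && verifyAccessTokenWithUserInfo`: a null `introspectionResult` now reaches that branch whenever an opaque token arrives with `allow-opaque-token-introspection=false`, or with user-info verification disabled, so it is an expected configuration-driven outcome rather than an impossible state. Suggest replacing the comment with one that names both preconditions and logging which of the two flags was unset, so operators can tell a misconfiguration apart from a genuinely missing introspection response. Also, since the commit message says the default of `allow-opaque-token-introspection` will flip in the future, the user-info verification path documentation should state that the flag must then be set to true explicitly for `verify-access-token-with-user-info` to keep working.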
Expand Up @@ -74,6 +74,7 @@ quarkus.oidc.code-flow-user-info-github.credentials.secret=AyM1SysPpbyDfgZld3umj

quarkus.oidc.bearer-user-info-github-service.provider=github
quarkus.oidc.bearer-user-info-github-service.token.verify-access-token-with-user-info=true
quarkus.oidc.bearer-user-info-github-service.token.allow-jwt-introspection=false
quarkus.oidc.bearer-user-info-github-service.application-type=service
quarkus.oidc.bearer-user-info-github-service.auth-server-url=${keycloak.url}/realms/quarkus/
quarkus.oidc.bearer-user-info-github-service.user-info-path=github/userinfo
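Review bot: the added `token.allow-jwt-introspection=false` line only exercises the corrected condition while `allow-opaque-token-introspection` still defaults to true; once that default changes, as the commit message anticipates, this tenant would silently fall into the "not expected" branch and the test would stop covering the intended path. Suggest adding an explicit `quarkus.oidc.bearer-user-info-github-service.token.allow-opaque-token-introspection=true` next to the new line so the test fixture states every precondition the code now checks, independent of defaults.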

0 comments on commit 607104a
