From 298b0080634d15368d9f3a174994bf993d03e106 Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Thu, 23 Mar 2023 20:00:04 +0000
Subject: [PATCH] Remove the session cookie if ID token verification failed

---
 .../runtime/CodeAuthenticationMechanism.java | 9 +++++++--
 .../io/quarkus/it/keycloak/CodeFlowTest.java | 16 ++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
index 55396274e51a0..0dde01e5b97c2 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -321,8 +321,13 @@ public Uni apply(Throwable t) {
 if (!expired) {
 LOG.errorf("ID token verification failure: %s", t.getCause());
- return Uni.createFrom()
- .failure(new AuthenticationCompletionException(t.getCause()));
+ return removeSessionCookie(context, configContext.oidcConfig)
+ .replaceWith(Uni.createFrom()
+ .failure(t
+ .getCause() instanceof AuthenticationCompletionException
+ ? t.getCause()
+ : new AuthenticationCompletionException(
+ t.getCause())));
 }
 // Token has expired, try to refresh
 if (session.getRefreshToken() == null) {
diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
index abe8b76675f3c..a67cd4eb3f94e 100644
--- a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
+++ b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
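Review bot: The five-line conditional nested inside `.failure(...)` is hard to read, even though preserving an existing AuthenticationCompletionException instead of double-wrapping it is the right change; compute the value first: `Throwable cause = t.getCause();` / `Throwable failure = cause instanceof AuthenticationCompletionException ? cause : new AuthenticationCompletionException(cause);` / `return removeSessionCookie(context, configContext.oidcConfig).replaceWith(Uni.createFrom().failure(failure));`. A second point to confirm: if the Uni returned by removeSessionCookie fails on its own, replaceWith never runs and the caller would see the cookie-removal error rather than the verification failure — whether that is possible depends on removeSessionCookie, whose body is outside this hunk. A short why-comment above the return, such as `// clear the session cookie so an unverifiable token is not re-presented on every request; the verification failure must still surface to the caller`, would record the intent for the next reader. The enclosing apply(Throwable t) starts and ends outside the hunk.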
@@ -564,6 +564,22 @@ public void testIdTokenInjection() throws IOException {
 page = webClient.getPage("http://localhost:8081/web-app");
 assertEquals("alice", page.getBody().asNormalizedText());
+
+ Cookie sessionCookie = getSessionCookie(webClient, null);
+ assertNotNull(sessionCookie);
+ webClient.getCookieManager().clearCookies();
+ webClient.getCookieManager().addCookie(new Cookie(sessionCookie.getDomain(), sessionCookie.getName(),
+ "1|2|3"));
+ sessionCookie = getSessionCookie(webClient, null);
+ assertEquals("1|2|3", sessionCookie.getValue());
+
+ try {
+ webClient.getPage("http://localhost:8081/web-app");
+ fail("401 status error is expected");
+ } catch (FailingHttpStatusCodeException ex) {
+ assertEquals(401, ex.getStatusCode());
+ assertNull(getSessionCookie(webClient, null));
+ }
 webClient.getCookieManager().clearCookies();
 }
}
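Review bot: The tampered value `"1|2|3"` is written twice, once into the replacement cookie and once in the assertion that confirms it was installed; a local `String tamperedValue = "1|2|3";` keeps the two in step and makes the intent of the literal obvious. The replacement Cookie is built from domain and name only, so any path or other attributes the server set on the original are not reproduced; if the session cookie is path-scoped, the request to `/web-app` may not carry it the way a real client would, which is worth a comment such as `// rebuilt with domain and name only; the original cookie's path is not preserved` or a copy that keeps the original attributes. The closing `assertNull(getSessionCookie(webClient, null))` is the valuable check here, since it shows the 401 response's cookie removal is honoured rather than merely that the request was rejected. testIdTokenInjection starts outside the hunk.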