From 3cc528b80122d69b394c1cba1872ee0f65cb2915 Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Mon, 16 Oct 2023 15:34:23 +0100
Subject: [PATCH] Let custom OIDC token propagation filters customize the exchange status
---
.../AccessTokenRequestReactiveFilter.java | 8 ++++++--
.../CustomAccessTokenRequestFilter.java | 15 +++++++++++++++
.../propagation/AccessTokenRequestFilter.java | 8 ++++++--
.../keycloak/AccessTokenPropagationService.java | 5 ++---
.../keycloak/CustomAccessTokenRequestFilter.java | 15 +++++++++++++++
.../src/main/resources/application.properties | 3 ---
6 files changed, 44 insertions(+), 10 deletions(-)
create mode 100644 extensions/oidc-token-propagation/deployment/src/test/java/io/quarkus/oidc/token/propagation/CustomAccessTokenRequestFilter.java
create mode 100644 integration-tests/oidc-token-propagation/src/main/java/io/quarkus/it/keycloak/CustomAccessTokenRequestFilter.java
diff --git a/extensions/oidc-token-propagation-reactive/runtime/src/main/java/io/quarkus/oidc/token/propagation/reactive/AccessTokenRequestReactiveFilter.java b/extensions/oidc-token-propagation-reactive/runtime/src/main/java/io/quarkus/oidc/token/propagation/reactive/AccessTokenRequestReactiveFilter.java
index 10052f4740f97..c965359200950 100644
--- a/extensions/oidc-token-propagation-reactive/runtime/src/main/java/io/quarkus/oidc/token/propagation/reactive/AccessTokenRequestReactiveFilter.java
+++ b/extensions/oidc-token-propagation-reactive/runtime/src/main/java/io/quarkus/oidc/token/propagation/reactive/AccessTokenRequestReactiveFilter.java
@@ -59,13 +59,13 @@ public AccessTokenRequestReactiveFilter() { @PostConstruct public void initExchangeTokenClient() { - if (exchangeToken) { + if (isExchangeToken()) { OidcClients clients = Arc.container().instance(OidcClients.class).get(); String clientName = getClientName(); exchangeTokenClient = clientName != null ? clients.getClient(clientName) : clients.getClient(); Grant.Type exchangeTokenGrantType = ConfigProvider.getConfig() .getValue( - "quarkus.oidc-client." + (oidcClientName.isPresent() ? oidcClientName.get() + "." : "") + "quarkus.oidc-client." + (clientName != null ? clientName + "." : "") + "grant.type", Grant.Type.class); if (exchangeTokenGrantType == Grant.Type.EXCHANGE) { @@ -79,6 +79,10 @@ public void initExchangeTokenClient() { } } + protected boolean isExchangeToken() { + return exchangeToken; + } + @Override public void filter(ResteasyReactiveClientRequestContext requestContext) { if (verifyTokenInstance(requestContext)) { diff --git a/extensions/oidc-token-propagation/deployment/src/test/java/io/quarkus/oidc/token/propagation/CustomAccessTokenRequestFilter.java b/extensions/oidc-token-propagation/deployment/src/test/java/io/quarkus/oidc/token/propagation/CustomAccessTokenRequestFilter.java new file mode 100644 index 0000000000000..bf9d5d11f9808 --- /dev/null +++ b/extensions/oidc-token-propagation/deployment/src/test/java/io/quarkus/oidc/token/propagation/CustomAccessTokenRequestFilter.java @@ -0,0 +1,15 @@ +package io.quarkus.oidc.token.propagation; + +public class CustomAccessTokenRequestFilter extends AccessTokenRequestFilter { + + @Override + protected String getClientName() { + return "exchange"; + } + + @Override + protected boolean isExchangeToken() { + return true; + } + +} 
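Review bot: The new `protected boolean isExchangeToken()` hook in the second hunk has no Javadoc, although it lets a subclass decide whether the incoming access token is exchanged before it is propagated, independently of the configured `exchangeToken` field it returns by default. As far as the visible lines show, the hook is read from the `@PostConstruct` method `initExchangeTokenClient()`, so an override presumably has to return a constant; whether `filter()` consults it again is outside the hunk. I would add a Javadoc comment stating that the default returns the configured value, that the result is evaluated when the filter is initialized, and that an override should be paired with a `getClientName()` override naming an OIDC client whose `grant.type` is suitable for the exchange. The same undocumented method is added to `AccessTokenRequestFilter` in the next file, and the same comment applies there.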
diff --git a/extensions/oidc-token-propagation/runtime/src/main/java/io/quarkus/oidc/token/propagation/AccessTokenRequestFilter.java b/extensions/oidc-token-propagation/runtime/src/main/java/io/quarkus/oidc/token/propagation/AccessTokenRequestFilter.java index 1fe17e73ea0f7..f5f90f8b2d283 100644 --- a/extensions/oidc-token-propagation/runtime/src/main/java/io/quarkus/oidc/token/propagation/AccessTokenRequestFilter.java +++ b/extensions/oidc-token-propagation/runtime/src/main/java/io/quarkus/oidc/token/propagation/AccessTokenRequestFilter.java @@ -52,13 +52,13 @@ public AccessTokenRequestFilter() { @PostConstruct public void initExchangeTokenClient() { - if (exchangeToken) { + if (isExchangeToken()) { OidcClients clients = Arc.container().instance(OidcClients.class).get(); String clientName = getClientName(); exchangeTokenClient = clientName != null ? clients.getClient(clientName) : clients.getClient(); Grant.Type exchangeTokenGrantType = ConfigProvider.getConfig() .getValue( - "quarkus.oidc-client." + (oidcClientName.isPresent() ? oidcClientName.get() + "." : "") + "quarkus.oidc-client." + (clientName != null ? clientName + "." : "") + "grant.type", Grant.Type.class); if (exchangeTokenGrantType == Grant.Type.EXCHANGE) { @@ -72,6 +72,10 @@ public void initExchangeTokenClient() { } } + protected boolean isExchangeToken() { + return exchangeToken; + } + @Override public void filter(ClientRequestContext requestContext) throws IOException { if (acquireTokenCredentialFromCtx(requestContext)) { diff --git a/integration-tests/oidc-token-propagation/src/main/java/io/quarkus/it/keycloak/AccessTokenPropagationService.java b/integration-tests/oidc-token-propagation/src/main/java/io/quarkus/it/keycloak/AccessTokenPropagationService.java index ecaa12d82de9e..a417fbf217792 100644 --- a/integration-tests/oidc-token-propagation/src/main/java/io/quarkus/it/keycloak/AccessTokenPropagationService.java 
+++ b/integration-tests/oidc-token-propagation/src/main/java/io/quarkus/it/keycloak/AccessTokenPropagationService.java @@ -3,12 +3,11 @@ import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; +import org.eclipse.microprofile.rest.client.annotation.RegisterProvider; import org.eclipse.microprofile.rest.client.inject.RegisterRestClient; -import io.quarkus.oidc.token.propagation.AccessToken; - @RegisterRestClient(configKey = "access-token-propagation") -@AccessToken +@RegisterProvider(CustomAccessTokenRequestFilter.class) @Path("/") public interface AccessTokenPropagationService { diff --git a/integration-tests/oidc-token-propagation/src/main/java/io/quarkus/it/keycloak/CustomAccessTokenRequestFilter.java b/integration-tests/oidc-token-propagation/src/main/java/io/quarkus/it/keycloak/CustomAccessTokenRequestFilter.java new file mode 100644 index 0000000000000..1805c36a4d96f --- /dev/null +++ b/integration-tests/oidc-token-propagation/src/main/java/io/quarkus/it/keycloak/CustomAccessTokenRequestFilter.java @@ -0,0 +1,15 @@ +package io.quarkus.it.keycloak; + +import io.quarkus.oidc.token.propagation.AccessTokenRequestFilter; + +public class CustomAccessTokenRequestFilter extends AccessTokenRequestFilter { + @Override + protected String getClientName() { + return "exchange-token"; + } + + @Override + protected boolean isExchangeToken() { + return true; + } +} diff --git a/integration-tests/oidc-token-propagation/src/main/resources/application.properties b/integration-tests/oidc-token-propagation/src/main/resources/application.properties index 01fa61296556b..0f4470b393a83 100644 --- a/integration-tests/oidc-token-propagation/src/main/resources/application.properties +++ b/integration-tests/oidc-token-propagation/src/main/resources/application.properties 
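Review bot: Replacing `@AccessToken` with `@RegisterProvider(CustomAccessTokenRequestFilter.class)` on `AccessTokenPropagationService`, together with the removal of `quarkus.oidc-token-propagation.exchange-token=true` and `quarkus.oidc-token-propagation.client-name=exchange-token` from `application.properties`, means this integration-test module no longer exercises the configuration-driven way of enabling the exchange. If no other module covers that path, a regression that stops the exchange under property-based configuration would go unnoticed, and the incoming token would presumably be forwarded unexchanged. Consider keeping a second REST client interface annotated with `@AccessToken` (or a test profile that sets those two properties) so that both the property-based and the subclass-based ways of enabling the exchange stay covered.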
@@ -18,9 +18,6 @@ quarkus.oidc-client.exchange-token.credentials.secret=${quarkus.oidc.credentials quarkus.oidc-client.exchange-token.grant.type=exchange quarkus.oidc-client.exchange-token.grant-options.exchange.audience=quarkus-app-exchange -quarkus.oidc-token-propagation.exchange-token=true -quarkus.oidc-token-propagation.client-name=exchange-token - quarkus.rest-client.jwt-token-propagation.uri=http://localhost:8081/protected quarkus.rest-client.jwt-token-propagation.verify-host=false quarkus.rest-client.access-token-propagation.uri=http://localhost:8081/protected