Inject OidcConfigurationMetadata

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java

@@ -30,6 +30,7 @@
 import io.quarkus.oidc.runtime.OidcAuthenticationMechanism;
 import io.quarkus.oidc.runtime.OidcBuildTimeConfig;
 import io.quarkus.oidc.runtime.OidcConfig;
+import io.quarkus.oidc.runtime.OidcConfigurationMetadataProducer;
 import io.quarkus.oidc.runtime.OidcIdentityProvider;
 import io.quarkus.oidc.runtime.OidcJsonWebTokenProducer;
 import io.quarkus.oidc.runtime.OidcRecorder;
@@ -72,6 +73,7 @@ public void additionalBeans(BuildProducer<AdditionalBeanBuildItem> additionalBea
         builder.addBeanClass(OidcAuthenticationMechanism.class)
                 .addBeanClass(OidcJsonWebTokenProducer.class)
                 .addBeanClass(OidcTokenCredentialProducer.class)
+                .addBeanClass(OidcConfigurationMetadataProducer.class)
                 .addBeanClass(OidcIdentityProvider.class)
                 .addBeanClass(DefaultTenantConfigResolver.class)
                 .addBeanClass(DefaultTokenStateManager.class);

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcConfigurationMetadata.java

@@ -1,5 +1,8 @@
 package io.quarkus.oidc;
 
+import java.util.Collections;
+import java.util.Set;
+
 import io.vertx.core.json.JsonObject;
 
 public class OidcConfigurationMetadata {
@@ -18,6 +21,7 @@ public class OidcConfigurationMetadata {
     private final String userInfoUri;
     private final String endSessionUri;
     private final String issuer;
+    private JsonObject json;
 
     public OidcConfigurationMetadata(String tokenUri,
             String introspectionUri,
@@ -43,6 +47,7 @@ public OidcConfigurationMetadata(JsonObject wellKnownConfig) {
         this.userInfoUri = wellKnownConfig.getString(USERINFO_ENDPOINT);
         this.endSessionUri = wellKnownConfig.getString(END_SESSION_ENDPOINT);
         this.issuer = wellKnownConfig.getString(ISSUER);
+        this.json = wellKnownConfig;
     }
 
     public String getTokenUri() {
@@ -72,4 +77,16 @@ public String getEndSessionUri() {
     public String getIssuer() {
         return issuer;
     }
+
+    public String get(String propertyName) {
+        return json != null ? null : json.getString(propertyName);
+    }
+
+    public boolean contains(String propertyName) {
+        return json.containsKey(propertyName);
+    }
+
+    public Set<String> getPropertyNames() {
+        return Collections.unmodifiableSet(json.fieldNames());
+    }
 }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java

@@ -149,8 +149,7 @@ public Uni<SecurityIdentity> apply(TokenVerificationResult result, Throwable t)
                                 JsonObject rolesJson = getRolesJson(vertxContext, resolvedContext, tokenCred, tokenJson,
                                         userInfo);
                                 SecurityIdentity securityIdentity = validateAndCreateIdentity(vertxContext, tokenCred,
-                                        resolvedContext.oidcConfig,
-                                        tokenJson, rolesJson, userInfo);
+                                        resolvedContext, tokenJson, rolesJson, userInfo);
                                 if (tokenAutoRefreshPrepared(tokenJson, vertxContext, resolvedContext.oidcConfig)) {
                                     return Uni.createFrom().failure(new TokenAutoRefreshException(securityIdentity));
                                 } else {
@@ -169,9 +168,7 @@ public Uni<SecurityIdentity> apply(TokenVerificationResult result, Throwable t)
                             QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
                             builder.addCredential(tokenCred);
                             OidcUtils.setSecurityIdentityUserInfo(builder, userInfo);
-
-                            // getRolesJson: make sure the introspection is picked up correctly
-                            // OidcRuntimeClient.verifyCodeToken - set the introspection there - which may be ambiguous
+                            OidcUtils.setSecurityIdentityConfigMetadata(builder, resolvedContext);
                             if (result.introspectionResult.containsKey(OidcConstants.INTROSPECTION_TOKEN_USERNAME)) {
                                 final String userName = result.introspectionResult
                                         .getString(OidcConstants.INTROSPECTION_TOKEN_USERNAME);
@@ -289,7 +286,7 @@ private static Uni<SecurityIdentity> validateTokenWithoutOidcServer(TokenAuthent
         try {
             TokenVerificationResult result = resolvedContext.provider.verifyJwtToken(request.getToken().getToken());
             return Uni.createFrom()
-                    .item(validateAndCreateIdentity(null, request.getToken(), resolvedContext.oidcConfig,
+                    .item(validateAndCreateIdentity(null, request.getToken(), resolvedContext,
                             result.localVerificationResult, result.localVerificationResult, null));
         } catch (Throwable t) {
             return Uni.createFrom().failure(new AuthenticationFailedException(t));

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java

@@ -34,9 +34,9 @@ public class OidcProvider {
 
     private static final Logger LOG = Logger.getLogger(OidcProvider.class);
 
-    private final OidcProviderClient client;
-    private final RefreshableVerificationKeyResolver keyResolver;
-    private final OidcTenantConfig oidcConfig;
+    final OidcProviderClient client;
+    final RefreshableVerificationKeyResolver keyResolver;
+    final OidcTenantConfig oidcConfig;
 
     public OidcProvider(OidcProviderClient client, OidcTenantConfig oidcConfig, JsonWebKeyCache jwks) {
         this.client = client;

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTokenCredentialProducer.java

@@ -65,7 +65,7 @@ RefreshToken currentRefreshToken() {
     @Produces
     @RequestScoped
     UserInfo currentUserInfo() {
-        UserInfo userInfo = (UserInfo) identity.getAttribute("userinfo");
+        UserInfo userInfo = (UserInfo) identity.getAttribute(OidcUtils.USER_INFO_ATTRIBUTE);
         if (userInfo == null) {
             throw new OIDCException("UserInfo can not be injected");
         }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java

@@ -28,6 +28,9 @@
 import io.vertx.ext.web.RoutingContext;
 
 public final class OidcUtils {
+    static final String CONFIG_METADATA_ATTRIBUTE = "configuration-metadata";
+    static final String USER_INFO_ATTRIBUTE = "userinfo";
+    static final String TENANT_ID_ATTRIBUTE = "tenant-id";
     /**
      * This pattern uses a positive lookahead to split an expression around the forward slashes
      * ignoring those which are located inside a pair of the double quotes.
@@ -133,8 +136,9 @@ private static List<String> convertJsonArrayToList(JsonArray claimValue) {
 
     static QuarkusSecurityIdentity validateAndCreateIdentity(
             RoutingContext vertxContext, TokenCredential credential,
-            OidcTenantConfig config, JsonObject tokenJson, JsonObject rolesJson, JsonObject userInfo) {
+            TenantConfigContext resolvedContext, JsonObject tokenJson, JsonObject rolesJson, JsonObject userInfo) {
 
+        OidcTenantConfig config = resolvedContext.oidcConfig;
         QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
         builder.addCredential(credential);
 
@@ -150,6 +154,7 @@ static QuarkusSecurityIdentity validateAndCreateIdentity(
         builder.setPrincipal(jwtPrincipal);
         setSecurityIdentityRoles(builder, config, rolesJson);
         setSecurityIdentityUserInfo(builder, userInfo);
+        setSecurityIdentityConfigMetadata(builder, resolvedContext);
         setBlockinApiAttribute(builder, vertxContext);
         setTenantIdAttribute(builder, config);
         return builder.build();
@@ -175,12 +180,19 @@ public static void setBlockinApiAttribute(QuarkusSecurityIdentity.Builder builde
     }
 
     public static void setTenantIdAttribute(QuarkusSecurityIdentity.Builder builder, OidcTenantConfig config) {
-        builder.addAttribute("tenant-id", config.tenantId.orElse("Default"));
+        builder.addAttribute(TENANT_ID_ATTRIBUTE, config.tenantId.orElse("Default"));
     }
 
     public static void setSecurityIdentityUserInfo(QuarkusSecurityIdentity.Builder builder, JsonObject userInfo) {
         if (userInfo != null) {
-            builder.addAttribute("userinfo", new UserInfo(userInfo.encode()));
+            builder.addAttribute(USER_INFO_ATTRIBUTE, new UserInfo(userInfo.encode()));
+        }
+    }
+
+    public static void setSecurityIdentityConfigMetadata(QuarkusSecurityIdentity.Builder builder,
+            TenantConfigContext resolvedContext) {
+        if (resolvedContext.provider.client != null) {
+            builder.addAttribute(CONFIG_METADATA_ATTRIBUTE, resolvedContext.provider.client.getMetadata());
         }
     }
 

integration-tests/oidc-code-flow/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java

@@ -14,6 +14,7 @@
 import io.quarkus.oidc.IdToken;
 import io.quarkus.oidc.IdTokenCredential;
 import io.quarkus.oidc.OIDCException;
+import io.quarkus.oidc.OidcConfigurationMetadata;
 import io.quarkus.oidc.RefreshToken;
 import io.quarkus.security.Authenticated;
 import io.quarkus.security.identity.SecurityIdentity;
@@ -26,6 +27,9 @@ public class ProtectedResource {
     @Inject
     SecurityIdentity identity;
 
+    @Inject
+    OidcConfigurationMetadata configMetadata;
+
     @Inject
     @IdToken
     JsonWebToken idToken;
@@ -51,6 +55,12 @@ public String hello() {
         return securityContext.getUserPrincipal().getName();
     }
 
+    @GET
+    @Path("configMetadataIssuer")
+    public String configMetadataIssuer() {
+        return configMetadata.getIssuer();
+    }
+
     @GET
     public String getName() {
         if (!idTokenCredential.getToken().equals(idToken.getRawToken())) {

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java

@@ -66,6 +66,13 @@ public void testCodeFlowNoConsent() throws IOException {
 
             assertEquals("Welcome to Test App", page.getTitleText(),
                     "A second request should not redirect and just re-authenticate the user");
+
+            page = webClient.getPage("http://localhost:8081/web-app/configMetadataIssuer");
+
+            assertEquals(
+                    KeycloakRealmResourceManager.KEYCLOAK_SERVER_URL + "/realms/" + KeycloakRealmResourceManager.KEYCLOAK_REALM,
+                    page.asText());
+
             webClient.getCookieManager().clearCookies();
         }
     }

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/KeycloakRealmResourceManager.java

@@ -21,8 +21,8 @@
 
 public class KeycloakRealmResourceManager implements QuarkusTestResourceLifecycleManager {
 
-    private static final String KEYCLOAK_SERVER_URL = System.getProperty("keycloak.url", "http://localhost:8180/auth");
-    private static final String KEYCLOAK_REALM = "quarkus";
+    public static final String KEYCLOAK_SERVER_URL = System.getProperty("keycloak.url", "http://localhost:8180/auth");
+    public static final String KEYCLOAK_REALM = "quarkus";
     private List<RealmRepresentation> realms = new ArrayList<>();
 
     @Override