diff --git a/docs/src/main/asciidoc/images/oidc-twitch-1.png b/docs/src/main/asciidoc/images/oidc-twitch-1.png new file mode 100644 index 0000000000000..e2e558f0e5438 Binary files /dev/null and b/docs/src/main/asciidoc/images/oidc-twitch-1.png differ diff --git a/docs/src/main/asciidoc/security-openid-connect-providers.adoc b/docs/src/main/asciidoc/security-openid-connect-providers.adoc index 83f9c3cf081bd..9010a4f53894b 100644 --- a/docs/src/main/asciidoc/security-openid-connect-providers.adoc +++ b/docs/src/main/asciidoc/security-openid-connect-providers.adoc @@ -412,6 +412,23 @@ quarkus.oidc.credentials.secret= `quarkus.oidc.provider=spotiify` will request `Spotify` to add `user-read-private` and `user-read-email` scopes to issued access tokens. For information about overriding these scopes or requesting more scopes, see the <> section. +[[twitch]] +=== Twitch + +Create a https://dev.twitch.tv/console/apps[Twitch application]: + +image::oidc-twitch-1.png[role="thumb"] + +You can now configure your `application.properties`: + +[source,properties] +---- +quarkus.oidc.provider=twitch +quarkus.oidc.client-id= +quarkus.oidc.credentials.client-secret.value= +---- + + [[provider-scope]] == Provider scopes @@ -512,6 +529,10 @@ quarkus.oidc.authentication.extra-params.scope=https://www.googleapis.com/auth/c quarkus.rest-client.google-calendar-api.url=https://www.googleapis.com/calendar/v3 ---- +== HTTPS Redirect URL + +Some providers will only accept HTTPS-based redirect URLs. Tools such as https://ngrok.com/[ngrok] https://linuxhint.com/set-up-use-ngrok/[can be set up] to help testing such providers with Quarkus endpoints running on localhost in devmode. + == References * xref:security-oidc-code-flow-authentication.adoc[OIDC code flow mechanism for protecting web applications] diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java index eceb91662125a..e97c36d45e9a3 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java @@ -1605,6 +1605,7 @@ public static enum Provider { GOOGLE, MICROSOFT, SPOTIFY, + TWITCH, TWITTER } diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/providers/KnownOidcProviders.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/providers/KnownOidcProviders.java index 97578c1078376..ffa89cdd5b1fc 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/providers/KnownOidcProviders.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/providers/KnownOidcProviders.java @@ -24,6 +24,8 @@ public static OidcTenantConfig provider(OidcTenantConfig.Provider provider) { return spotify(); } else if (OidcTenantConfig.Provider.TWITTER == provider) { return twitter(); + } else if (OidcTenantConfig.Provider.TWITCH == provider) { + return twitch(); } return null; } @@ -126,4 +128,15 @@ private static OidcTenantConfig spotify() { return ret; } + + private static OidcTenantConfig twitch() { + // Ref https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-grant-flow + + OidcTenantConfig ret = new OidcTenantConfig(); + ret.setAuthServerUrl("https://id.twitch.tv/oauth2"); + ret.setApplicationType(OidcTenantConfig.ApplicationType.WEB_APP); + ret.getAuthentication().setForceRedirectHttpsScheme(true); + ret.getCredentials().getClientSecret().setMethod(Method.POST); + return ret; + } } diff --git a/extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcUtilsTest.java b/extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcUtilsTest.java index 4a8a8e812768f..13a35d9a75423 100644 --- a/extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcUtilsTest.java +++ b/extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcUtilsTest.java @@ -342,6 +342,38 @@ public void testOverrideSpotifyProperties() { assertFalse(config.token.verifyAccessTokenWithUserInfo.get()); } + @Test + public void testAcceptTwitchProperties() throws Exception { + OidcTenantConfig tenant = new OidcTenantConfig(); + tenant.setTenantId(OidcUtils.DEFAULT_TENANT_ID); + OidcTenantConfig config = OidcUtils.mergeTenantConfig(tenant, KnownOidcProviders.provider(Provider.TWITCH)); + + assertEquals(OidcUtils.DEFAULT_TENANT_ID, config.getTenantId().get()); + assertEquals(ApplicationType.WEB_APP, config.getApplicationType().get()); + assertEquals("https://id.twitch.tv/oauth2", config.getAuthServerUrl().get()); + assertEquals(Method.POST, config.credentials.clientSecret.method.get()); + assertTrue(config.authentication.forceRedirectHttpsScheme.get()); + } + + @Test + public void testOverrideTwitchProperties() throws Exception { + OidcTenantConfig tenant = new OidcTenantConfig(); + tenant.setTenantId(OidcUtils.DEFAULT_TENANT_ID); + + tenant.setApplicationType(ApplicationType.HYBRID); + tenant.setAuthServerUrl("http://localhost/wiremock"); + tenant.credentials.clientSecret.setMethod(Method.BASIC); + tenant.authentication.setForceRedirectHttpsScheme(false); + + OidcTenantConfig config = OidcUtils.mergeTenantConfig(tenant, KnownOidcProviders.provider(Provider.FACEBOOK)); + + assertEquals(OidcUtils.DEFAULT_TENANT_ID, config.getTenantId().get()); + assertEquals(ApplicationType.HYBRID, config.getApplicationType().get()); + assertEquals("http://localhost/wiremock", config.getAuthServerUrl().get()); + assertFalse(config.getAuthentication().isForceRedirectHttpsScheme().get()); + assertEquals(Method.BASIC, config.credentials.clientSecret.method.get()); + } + @Test public void testCorrectTokenType() throws Exception { OidcTenantConfig.Token tokenClaims = new OidcTenantConfig.Token();