OIDC service applications should be able to accept GitHub tokens #20911

Closed
sberyozkin opened this issue Oct 20, 2021 · 4 comments · Fixed by #29715
Labels
area/oidc kind/enhancement New feature or request
Milestone

Comments

sberyozkin commented Oct 20, 2021

Description

Quarkus OIDC web-app applications can already acquire a GitHub access token and indirectly verify it by requesting user profile info from GitHub, but if this web-app endpoint propagates the token to a downstream OIDC service endpoint, the call will fail, since GitHub has no introspection endpoint.
The same would be the case if an SPA acquires a GitHub token and sends it to Quarkus.

Implementation ideas

OIDC service applications should indirectly verify the GitHub token the same way web-app applications do: by requesting user profile data via a configured GitHub UserInfo endpoint.

In fact, I've realized now that this will solve similar issues with many other non-Keycloak providers, for example Auth0 or Google, where the access token is binary but no introspection endpoint is provided. For example, Auth0 binary access tokens sent by the OIDC Dev UI will always return 401 (as opposed to JWT ID tokens, which can be verified with JWKs).

@sberyozkin sberyozkin added the kind/enhancement New feature or request label Oct 20, 2021
quarkus-bot bot commented Oct 20, 2021

/cc @pedroigor

sberyozkin commented

CC @gastaldi

gsmet commented Jan 4, 2022

@sberyozkin wouldn't this one be fixed by your ongoing PR? Or maybe it is already fixed?

sberyozkin commented Mar 30, 2022

@gsmet Apologies, going through the list and finding I've missed a few comments.

Unfortunately not. GitHub is not an OpenID Connect provider, so with Quarkus OIDC web-app applications (when the user is redirected to GitHub to authenticate) we make a few workarounds to treat it as if it were an OIDC provider. Specifically, with the standard code flow the signed ID token and the access token must be returned, but GitHub does not return an ID token, so the question is how to verify that the user authentication has been successful, since even the GitHub access token is not signed; it is just a binary blob. So the way we do it is to ensure that this access token can be used to fetch UserInfo, as that involves GitHub verifying this access token on our behalf.

So that works for web-app applications only for now.

For the bearer tokens, those coming in the HTTP Authorization header, we are again dealing with binary access tokens. We can't verify them locally with OIDC keys, since GitHub does not provide any public ones, and we can't introspect them, since GitHub has no introspection endpoint. So the question is how we can allow this request to proceed. I think we'd need to allow the same as for web-app applications: indirect verification via UserInfo acquisition.
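One way to implement the indirect verification described in the comment above, as an added example that is not Quarkus's own code: a service endpoint takes the opaque bearer token, forwards it to the provider's UserInfo-style endpoint, and treats only a 200 carrying identity claims as proof that the provider accepted the token. The HTTP transport is injected as a `fetch` callable so the block runs offline; the endpoint URL, the fake provider, its token and the profile it returns are constructed assumptions, not real GitHub data.

```python
"""Indirect verification of an opaque (non-JWT) bearer token via a UserInfo endpoint.

Added example, not Quarkus code. The transport is injected as a `fetch` callable so the
block runs offline against a constructed stand-in for the provider.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumption: the provider's UserInfo-style endpoint (GitHub's authenticated-user
# endpoint here). Any endpoint that answers 401 to a bad token serves the purpose.
USERINFO_URL = "https://api.github.com/user"

# fetch(url, headers) -> (http_status, body_bytes). Injected so no network is needed.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


class TokenVerificationError(Exception):
    """Raised whenever the request must be rejected; callers map this to HTTP 401."""


@dataclass(frozen=True)
class Principal:
    subject: str   # stable provider-side user id
    login: str     # human-readable handle


def extract_bearer(authorization: Optional[str]) -> str:
    """Pull the token out of 'Authorization: Bearer <token>'; reject anything else."""
    if not authorization:
        raise TokenVerificationError("missing Authorization header")
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        raise TokenVerificationError("malformed bearer credentials")
    return token


def verify_via_userinfo(token: str, fetch: Fetcher, userinfo_url: str = USERINFO_URL) -> Principal:
    """Let the provider validate the token for us by fetching the profile it unlocks.

    Only a 200 with identity claims counts as verified. 401 means the provider rejected
    the token; anything else (403 rate limit, 5xx) fails closed instead of being treated
    as authenticated.
    """
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, body = fetch(userinfo_url, headers)
    if status == 401:
        raise TokenVerificationError("provider rejected the access token")
    if status != 200:
        raise TokenVerificationError(f"unexpected UserInfo status {status}")
    try:
        profile = json.loads(body)
    except ValueError as exc:
        raise TokenVerificationError("UserInfo response is not JSON") from exc
    if not isinstance(profile, dict) or "id" not in profile or "login" not in profile:
        raise TokenVerificationError("UserInfo response carries no identity claims")
    return Principal(subject=str(profile["id"]), login=str(profile["login"]))


def authenticate(headers: Dict[str, str], fetch: Fetcher) -> Principal:
    """Service-side entry point: header -> opaque token -> provider-verified principal."""
    return verify_via_userinfo(extract_bearer(headers.get("Authorization")), fetch)


def rejects(headers: Dict[str, str], fetch: Fetcher) -> bool:
    """True if the request would be turned away (useful for checking fail-closed paths)."""
    try:
        authenticate(headers, fetch)
    except TokenVerificationError:
        return True
    return False


# Constructed stand-in for GitHub: exactly one token is live, everything else gets 401.
KNOWN_GOOD_TOKEN = "gho_constructedExampleTokenValue"


def fake_github(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    if url != USERINFO_URL:
        return 404, b'{"message":"Not Found"}'
    if headers.get("Authorization") == f"Bearer {KNOWN_GOOD_TOKEN}":
        return 200, json.dumps({"id": 123456, "login": "octocat-example"}).encode()
    return 401, b'{"message":"Bad credentials"}'


if __name__ == "__main__":
    print(authenticate({"Authorization": f"Bearer {KNOWN_GOOD_TOKEN}"}, fake_github))
    print(rejects({"Authorization": "Bearer gho_somethingElse"}, fake_github))
```

Two caveats a practitioner should keep in mind with this approach. A successful UserInfo call proves the token is currently valid at the provider, not that it was issued to your OAuth application or carries the scopes your endpoint needs, so any authorization decision still has to be made on the returned claims (and on scope information, where the provider exposes it). And because every request now costs a round trip to the provider, a short-TTL cache keyed on a hash of the token is usually needed to stay under rate limits; the fail-closed handling of 403 and 5xx above is what keeps a throttled provider from turning into an authentication bypass.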

michalvavrik added commits to michalvavrik/quarkus that referenced this issue, Dec 6 to Dec 8, 2022
@quarkus-bot quarkus-bot bot added this to the 2.16 - main milestone Dec 14, 2022