Enable OIDC code flow access token verification if JsonWebToken is injected #32958
Labels: area/oidc, kind/enhancement (New feature or request), triage/duplicate (This issue or pull request already exists)
Description
OIDC bearer access tokens are always verified. With the code flow, the ID token is the primary token and is verified by default; the code flow access tokens are in many cases of no interest to Quarkus itself, but users can tell Quarkus to verify the access token, for example if the access token is used as a source of roles. Code flow access token verification was enabled by default at some point, but with so many providers issuing binary access tokens, and there being no way to directly introspect them, it caused a lot of problems for users.

However, if at build time we can detect that the access token is not binary but JSON, i.e. JsonWebToken is injected and therefore the endpoint may use its claims to make some decisions, the verification will have to be enabled by default, without requiring users to enable access token verification themselves, making it more secure by default.

This issue is based on the feedback from @pmlopes, thanks Paulo.
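As an added example (not from the issue or the Quarkus code base), this is the endpoint shape the issue is about: a code flow web-app resource that injects both the ID token and the access token as JsonWebToken, with the configuration that verifies the access token today shown beside the default that leaves it unverified. The property names are the documented Quarkus OIDC ones; the issuer URL, client id, path and role are constructed placeholders.

```java
package org.acme;

import jakarta.annotation.security.RolesAllowed;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

import io.quarkus.oidc.IdToken;
import org.eclipse.microprofile.jwt.JsonWebToken;

/*
 * application.properties (constructed for this example):
 *
 * quarkus.oidc.auth-server-url=https://issuer.example.com/realms/demo   # placeholder
 * quarkus.oidc.client-id=orders-app                                     # placeholder
 * quarkus.oidc.application-type=web-app
 *
 * # Default today: the endpoint below reads access token claims, yet the
 * # access token itself is never signature-checked.
 * # quarkus.oidc.authentication.verify-access-token=false
 *
 * # What the issue wants switched on automatically when JsonWebToken is
 * # injected; required explicitly today, and in any case when the access
 * # token is the source of roles.
 * quarkus.oidc.authentication.verify-access-token=true
 * quarkus.oidc.roles.source=accesstoken
 */
@Path("/orders")
public class OrdersResource {

    // The ID token: always verified in the code flow.
    @Inject
    @IdToken
    JsonWebToken idToken;

    // The access token injected as JsonWebToken: the build-time signal the
    // issue proposes, since the endpoint is about to act on its claims.
    @Inject
    JsonWebToken accessToken;

    @GET
    @RolesAllowed("orders:read") // role taken from the access token (roles.source)
    @Produces(MediaType.TEXT_PLAIN)
    public String list() {
        // Both tokens were verified before this method ran, given the
        // configuration above; without verify-access-token the groups used
        // for the role check would come from an unverified token.
        return idToken.getName() + " issuer=" + accessToken.getIssuer()
                + " groups=" + accessToken.getGroups();
    }
}
```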
Implementation ideas
No response