We use an OpenID Connect identity provider for which the UserInfo response is signed, therefore in JWT format.
Quarkus does not recognize such a response and expects simple JSON.
Quarkus logs (char 101 => 'e' from JWT encoding):
2024-08-06 18:13:10,585 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-2) Get token on: https://fca.integ01.dev-agentconnect.fr/api/v2/token params: grant_type=authorization_code
code=x-masked-bearer-x
redirect_uri=https://my.app
headers: user-agent=Vert.x-WebClient/4.5.8
content-type=application/x-www-form-urlencoded
accept=application/json
authorization=Basic x-masked-bearer-x
2024-08-06 18:13:10,712 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-2) Request succeeded: {"access_token":"x-masked-accesstoken-x","expires_in":60,"id_token":"ey-x-masked-idtoken-x","scope":"openid","token_type":"Bearer"}
2024-08-06 18:13:10,718 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-2) Authorization code has been exchanged, verifying ID token
2024-08-06 18:13:10,720 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Starting creating SecurityIdentity
2024-08-06 18:13:10,722 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-2) Registered TenantResolver has not provided the configuration for tenant '6f670181-767b-4000-a5ff-b87e12243468', using the default tenant
2024-08-06 18:13:10,723 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Verifying the JWT token with the local JWK keys
2024-08-06 18:13:10,731 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Requesting UserInfo
2024-08-06 18:13:10,733 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-2) Get UserInfo on: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo auth: Bearer x-masked-accesstoken-x
2024-08-06 18:13:10,965 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-2) Request succeeded: ey-x-masked-signed-userinfo-x
2024-08-06 18:13:10,984 ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-2) ID token verification has failed: Unexpected char 101 at (line no=1, column no=1, offset=0
@airone-x1 Let me change it to an enhancement request, so that we can mark the fix as a release noteworthy feature. The OIDC spec is very large, and signed UserInfo is only one of the many advanced options; the spec also allows returning encrypted UserInfo. IMHO it is not a bug that we don't support that yet; we will, should a user requirement arise.
Expected behavior
Quarkus OIDC client accepts and reads a UserInfo response in JWT format, as allowed by the OIDC specification (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
Actual behavior
Signed UserInfo responses are not supported by Quarkus
How to Reproduce?
Authenticate against an OIDC provider whose UserInfo responses are signed.
The error appears immediately.
Output of uname -a or ver
Linux pc1 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Output of java -version
openjdk version "21.0.4" 2024-07-16 LTS OpenJDK Runtime Environment Temurin-21.0.4+7 (build 21.0.4+7-LTS) OpenJDK 64-Bit Server VM Temurin-21.0.4+7 (build 21.0.4+7-LTS, mixed mode, sharing)
Quarkus version or git rev
3.13.0
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.9.6
Additional information
No response
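How a client can accept both UserInfo forms described in the issue, as an added example that is not Quarkus code and not from the issue: it dispatches on Content-Type (application/jwt for a signed response), verifies the signature, and checks sub against the ID token. HS256 with a shared secret and the names parse_userinfo and make_signed_userinfo are assumptions made so the example runs on the standard library; a provider that signs with an asymmetric key would be verified against its JWKS instead.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def parse_userinfo(content_type, body, *, secret, issuer, client_id, id_token_sub):
    """Return verified claims from a plain JSON or signed (JWS compact) UserInfo response."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/jwt":
        try:
            header_b64, payload_b64, sig_b64 = body.strip().split(".")
            header = json.loads(b64url_decode(header_b64))
        except ValueError as exc:
            raise ValueError("malformed signed UserInfo response") from exc
        # Allow-list the algorithm instead of trusting the header ("none" is rejected).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("unexpected signing algorithm")
        expected = sign_hs256(f"{header_b64}.{payload_b64}", secret)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("UserInfo signature verification failed")
        claims = json.loads(b64url_decode(payload_b64))
    elif media_type == "application/json":
        claims = json.loads(body)
    else:
        raise ValueError(f"unsupported UserInfo content type: {media_type}")
    if not isinstance(claims, dict):
        raise ValueError("UserInfo claims must be a JSON object")
    if media_type == "application/jwt":  # example policy: signed responses name issuer and client
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if claims.get("iss") != issuer or client_id not in audiences:
            raise ValueError("iss/aud mismatch in signed UserInfo")
    # OIDC Core 5.3.2: sub must exactly match the ID token's sub, otherwise discard.
    if claims.get("sub") != id_token_sub:
        raise ValueError("UserInfo sub does not match ID token sub")
    return claims

def make_signed_userinfo(claims: dict, secret: bytes) -> str:
    """Constructed sample: stands in for the provider's signed response."""
    head, body = (b64url_encode(json.dumps(p).encode()) for p in ({"alg": "HS256"}, claims))
    return f"{head}.{body}." + b64url_encode(sign_hs256(f"{head}.{body}", secret))
```

A response built by make_signed_userinfo starts with "ey", which is the character 101 that the JSON parser in the log above rejects at offset 0.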