Get all code flow credentials visible to SecurityIdentityAugmentors #19548
A problem to do with `AccessTokenCredential` not being visible to custom `SecurityIdentityAugmentor`s for OIDC `web-app` applications was reported on Zulip (note they are all visible to the endpoint code).

In the code flow, the primary `IdTokenCredential` only used to be set by `QuarkusIdentityProvider`, with `CodeAuthenticationMechanism` adding `AccessTokenCredential` and also `RefreshToken` - but it is done as a follow-up after `IdentityProviderManager` has completed the `SecurityIdentity` construction, with `SecurityIdentityAugmentor`s already having been checked.

So this PR simply adds all the credentials at the same time, `IdTokenCredential` plus `AccessTokenCredential` and also `RefreshToken`, as part of the IdentityProvider flow (thus making them all visible to the augmentors as well) and removes the unnecessary code to do with the identity augmentation from `CodeAuthenticationMechanism` - it saves on the identity copy, as apart from adding `AccessTokenCredential`/`RefreshToken` a bit late it also adds a permission checker - because it could not copy them from the existing one - which is not needed now.

@stuartwdouglas I'll rebase it once your PR goes in :-)
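As an added example of what the change described above makes possible (this is not code from the PR or from Quarkus itself): a custom `SecurityIdentityAugmentor` for an OIDC `web-app` application that reads the `IdTokenCredential`, `AccessTokenCredential` and `RefreshToken` from the identity it is handed. With the credentials attached during the IdentityProvider flow, all three are present at augmentation time; per the PR description, before this change the augmentor would only have seen the ID token in the code flow. The `TokenInspectingAugmentor` class, the `org.acme.security` package, the attribute names and the `has-access-token` role are assumptions for illustration.

```java
package org.acme.security; // assumed package name

import javax.enterprise.context.ApplicationScoped;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.RefreshToken;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;

/**
 * Example augmentor (not part of the PR): inspects the OIDC credentials that the
 * IdentityProvider attached to the identity and, when the access token is present,
 * records that fact as attributes and grants an assumed role.
 */
@ApplicationScoped
public class TokenInspectingAugmentor implements SecurityIdentityAugmentor {

    // Assumed role name, used for illustration only.
    static final String HAS_ACCESS_TOKEN_ROLE = "has-access-token";

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        // Anonymous identities carry no OIDC credentials; pass them through untouched.
        if (identity.isAnonymous()) {
            return Uni.createFrom().item(identity);
        }

        // getCredential returns null when no credential of that type was attached,
        // so every lookup below must be null-checked rather than assumed present.
        IdTokenCredential idToken = identity.getCredential(IdTokenCredential.class);
        AccessTokenCredential accessToken = identity.getCredential(AccessTokenCredential.class);
        RefreshToken refreshToken = identity.getCredential(RefreshToken.class);

        // Copy the existing identity (principal, roles, credentials, attributes)
        // and add to it, rather than rebuilding it from scratch.
        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);

        // Record which credentials were visible to this augmentor (assumed attribute names).
        builder.addAttribute("oidc.idToken.present", idToken != null);
        builder.addAttribute("oidc.accessToken.present", accessToken != null);
        builder.addAttribute("oidc.refreshToken.present", refreshToken != null);

        // Grant the assumed role only if a real access token reached the augmentor.
        if (accessToken != null && accessToken.getToken() != null) {
            builder.addRole(HAS_ACCESS_TOKEN_ROLE);
        }

        return Uni.createFrom().item(builder.build());
    }
}
```

A quick way to confirm the behaviour the PR fixes is to log in through the code flow and inspect `oidc.accessToken.present` on the resulting `SecurityIdentity` from endpoint code: it is `true` only when the access token was attached before the augmentors ran.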