Add Twitch OIDC Provider #29244

Merged
merged 1 commit into from
Jul 24, 2023

biswassri
Contributor

@biswassri biswassri commented Nov 14, 2022

Fixes #24833

@quarkus-bot

quarkus-bot bot commented Nov 14, 2022

Thanks for your pull request!

The title of your pull request does not follow our editorial rules. Could you have a look?

  • title should preferably start with an uppercase character (if it makes sense!)

This message is automatically generated by a bot.

@biswassri biswassri marked this pull request as draft November 14, 2022 03:59
@biswassri biswassri changed the title [WIP] Add Twitch OIDC Provider Add Twitch OIDC Provider Nov 14, 2022
@biswassri biswassri changed the title Add Twitch OIDC Provider [WIP] Add Twitch OIDC Provider Nov 14, 2022
@geoand geoand requested a review from sberyozkin November 14, 2022 08:05
@sberyozkin
Member

Hi @biswassri Glad you've found the time to go ahead and open this PR, nice work. I'm assuming it is still WIP, right ? Please add the tests (copy and paste a couple of them in OidcTestUtils and just update a few lines to match Twitch options, for example, copy these 2 tests and adapt them to Twitch or find a simpler pair of tests there for one of the other providers) and add a section at https://quarkus.io/guides/security-openid-connect-providers

@biswassri
Contributor Author

biswassri commented Dec 14, 2022

@sberyozkin my sincere apologies for the delay in progress on this due to holidays. Thank you for your review.
I'm hopeful to add in the additional changes you mentioned by this week. Meanwhile I had a question to ask? Can you point me to how do I successfully test it out? Would it be just by this ? https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#examples-of-the-two-flows or do I write a small application to do so? (I'm sorry, I'm fairly new to oidc)

@sberyozkin
Member

sberyozkin commented Dec 15, 2022

Hi @biswassri Np at all, and apologies I missed your question yesterday - we appreciate very much you trying to complete this PR, great effort 👍 .
Right, we can not do a real integration test in Quarkus against a provider like Twitch - but please verify your enhancement by following Twitch docs and create the account there. On the Quarkus end, the easiest way to have a running OIDC web-app application is to go to this quickstart and replace Keycloak connection properties with quarkus.oidc.provider=twitch, compile without running tests, start the application and access the demo endpoint from the browser and you should be able to login to Twitch and access the Quarkus endpoint.

When you confirm it is working, then make a few images showing a process of logging in to Twitch and update the Quarkus doc where all other providers are listed.
Let's try to get to that stage and then we can discuss one more minor follow up related to unit testing it - it would be the easiest one. If you'd like - you can start from this step - copy and paste a pair of tests for one of the other providers like twitter in extensions/oidc/runtime/src/test/.../OidcUtilsTest and just update it to check Twitch configuration works as expected

Thanks

@michalvavrik
Member

michalvavrik commented Jan 23, 2023

I'd suggest adding a new test to oidc-wiremock, you don't really have to do too much, just full-text search everything that belongs to an already tested trusted provider in the oidc-wiremock module (e.g. we do for github, but c&p won't do there :/): https://github.com/quarkusio/quarkus/blob/main/integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerOpaqueTokenAuthorizationTest.java#L114 https://github.com/quarkusio/quarkus/blob/main/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CustomTenantResolver.java#L35 and adjust mocking to Twitcher endpoints.

Thing is that OidcUtilTest doesn't test the whole flow, and if you test it yourself and someone else adds a breaking change, no test will fail.

@gsmet gsmet added the triage/needs-rebase This PR needs to be rebased first because it has merge conflicts label Feb 4, 2023
@sberyozkin
Member

sberyozkin commented Feb 5, 2023

@michalvavrik We don't really do Github tests in wiremock since the OIDC code supporting the connection to GitHub is in fact not GitHub specific. If GitHub changes something these wiremock tests won't help. IMHO to keep it simpler, adding a couple of simple tests confirming quarkus.oidc.provider=twitch expands correctly into the required Quarkus properties would be enough. This PR does not contain anything that would require OIDC to do some extra Twitch specific actions

@michalvavrik
Member

> @michalvavrik We don't really do Github tests in wiremock since the OIDC code supporting the connection to GitHub is in fact not GitHub specific. If GitHub changes something these wiremock tests won't help. IMHO to keep it simpler, adding a couple of simple tests confirming quarkus.oidc.provider=twitch expands correctly into the required Quarkus properties would be enough. This PR does not contain anything that would require OIDC to do some extra Twitch specific actions

I understand the concept of mocking, but with an end-to-end test that mocks the current Twitch state, CI verifies that changes in Quarkus did not affect it. Otherwise you just trust you did everything right (in the future), so it must work. Anyway, I don't really see a point to discuss it, I accept your arguments and keep my fingers crossed it works.

@sberyozkin
Member

@michalvavrik As I said, quarkus.oidc.provider=twitch expands to a typical set of OIDC properties which are already tested dozens of times. What is important to test is that this expansion is correct.
We have users working with Azure, and lots of other providers, how can we test it all in Quarkus CI, what is the Azure state, Twitch state, etc.

> Anyway, I don't really see a point to discuss it

Well you started a discussion and I tried to support it with my comments.

> I accept your arguments and keep my fingers crossed it works.

If we test that these provider.N are correctly expanding it is already a step forward IMHO

@sberyozkin
Member

I propose to close this PR as it has been open for a while, @biswassri thanks for trying to complete it, can you confirm you can proceed and get to the completion ? I'd ask someone else who is interested if you have no time now, np, let me know please

@biswassri
Contributor Author

biswassri commented Feb 20, 2023

@sberyozkin Just saw your comment. Apologies for the delay, haven't had any time to progress on this. Thank you for waiting on me. Allow me to give it a try one more time this week. If I'm not able to close this out by this weekend, please feel free to close this PR and re-assign the issue. Thanks again!

@sberyozkin
Member

sberyozkin commented Feb 20, 2023

@biswassri Hi, no problems at all, let's give it another 2 weeks, just to summarize what I hope to see being added to the PR:

  • a very simple pair of tests, copy and paste a pair from OidcUtilsTest, one test has to check that quarkus.oidc.provider=twitch correctly sets various lower level OIDC properties it needs. And the 2nd test should check that any of those properties can be customized.
  • and finally, a section has to be added to the well known providers doc showing a few steps how to set up a Twitch OIDC account.

And that is it.

Thanks

@gastaldi gastaldi removed the triage/needs-rebase This PR needs to be rebased first because it has merge conflicts label Feb 21, 2023
@sberyozkin
Member

Hi @gastaldi, would you be interested to finalize this PR next week if it has not been completed before then? I'm assuming you have a Twitch account already set up? Maybe we can do some demo afterwards...

@gastaldi
Contributor

gastaldi commented Mar 2, 2023

@sberyozkin hey, I might be able to have a look at it next week, but no promises 😀

@sberyozkin
Member

@gastaldi sure, I meant more like starting from the next week as we agreed here to wait for another couple of weeks, so please take your time, next few weeks or so would be grand 😀

@sberyozkin
Member

@biswassri thanks for giving it a try, we do appreciate it, you will be welcome to pick up another issue once you find more time, thanks

@biswassri
Contributor Author

Thanks @sberyozkin ! Apologies for not being able to complete this. I think I picked up more than I could chew with this particular task. Thanks again.

@biswassri
Contributor Author

biswassri commented Mar 2, 2023

@gastaldi Please feel free to continue on this PR or close it out.

@sberyozkin
Member

Thanks @biswassri, hope to see you contributing in the future again, thanks

@sberyozkin sberyozkin self-assigned this May 17, 2023
@sberyozkin
Member

sberyozkin commented May 17, 2023

Hey @gastaldi I plan to check if I can use this provider in demos so let me have a look at finalizing this PR a bit later, will ask you to review :-)

@sberyozkin sberyozkin changed the title [WIP] Add Twitch OIDC Provider Add Twitch OIDC Provider Jul 20, 2023
@sberyozkin sberyozkin marked this pull request as ready for review July 20, 2023 17:10
@sberyozkin sberyozkin requested review from gastaldi and removed request for sberyozkin July 20, 2023 17:10
@sberyozkin
Member

@gastaldi This PR is now ready for review, I have verified it with my local demo.

@sberyozkin
Member

@FroMage FYI

@sberyozkin
Member

I might follow up with some minor updates

@gastaldi
Contributor

Cool, let me follow the instructions and test it with a Twitch account

@github-actions

github-actions bot commented Jul 20, 2023

🙈 The PR is closed and the preview is expired.

@sberyozkin
Member

Hey @gastaldi , you can have @IdToken JsonWebToken injected and return name.
Access the endpoint using ngrok provided tunnel URL

@gastaldi
Copy link
Contributor

@sberyozkin I keep getting Parameter redirect_uri does not match registered URI but I have no clue what I am doing wrong. I've squashed both commits and pushed to this branch

@sberyozkin
Member

@gastaldi I was getting it before realizing the provider had to enforce https redirect scheme.

Can you please compare url encoded redirect_uri query param (you can get it in URL at the moment Twitch says that you are about to leave Twitch due to this problem) with the one you set up at the app registration time ? They have to match precisely
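
The comparison suggested in the comment above, as an added example that is not part of the PR or of Quarkus: it pulls the percent-encoded `redirect_uri` out of the authorization URL shown in the browser and reports which component differs from the registered URI. The host names, client id and URLs are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample values (placeholders, not taken from the PR).
REGISTERED_URI = "https://abc123.ngrok.example/hello"
SAMPLE_AUTH_URL = (
    "https://id.provider.example/oauth2/authorize?response_type=code"
    "&client_id=constructed-client-id&scope=openid"
    "&redirect_uri=http%3A%2F%2Fabc123.ngrok.example%2Fhello&state=constructed"
)


def redirect_uri_mismatches(authorization_url, registered_uri):
    """Return the reasons the redirect_uri sent to the provider differs from
    the registered one. An empty list means the two strings match exactly."""
    values = parse_qs(urlsplit(authorization_url).query).get("redirect_uri", [])
    if len(values) != 1:
        return [f"expected exactly one redirect_uri parameter, found {len(values)}"]
    sent = values[0]  # parse_qs has already percent-decoded the value
    if sent == registered_uri:
        return []
    s, r = urlsplit(sent), urlsplit(registered_uri)
    checks = [
        ("scheme", s.scheme, r.scheme),
        ("host", s.hostname, r.hostname),
        ("port", s.port, r.port),
        ("path", s.path, r.path),  # a trailing slash counts as a difference
        ("query", s.query, r.query),
        ("fragment", s.fragment, r.fragment),
    ]
    problems = [
        f"{name}: sent {a!r}, registered {b!r}" for name, a, b in checks if a != b
    ]
    # Components can parse equal while the raw strings still differ, for
    # example in the letter case of the scheme or host.
    return problems or [
        f"raw strings differ: sent {sent!r}, registered {registered_uri!r}"
    ]


if __name__ == "__main__":
    for problem in redirect_uri_mismatches(SAMPLE_AUTH_URL, REGISTERED_URI):
        print(problem)
```
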

@sberyozkin
Member

sberyozkin commented Jul 20, 2023

Your app can have a large uri space, for testing I set up a single method endpoint and registered that endpoint method address, replacing local host and port with the ngrok one. If you want to secure a larger space, add quarkus.oidc.authentication.redirect-path=/mycallback and have it also registered in Twitch.
We can have a call and have screens shared tomorrow or Mon, indeed, worth testing it, maybe adding a few more instructions

Simplify Twitch configuration

Co-Authored-By: Sergey Beryozkin <[email protected]>
@quarkus-bot

quarkus-bot bot commented Jul 21, 2023

✔️ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

@gastaldi
Contributor

Changed the Client secret and the URL and it works now. Let's merge this. Thanks for your support!

@gastaldi gastaldi merged commit 81aed95 into quarkusio:main Jul 24, 2023
@quarkus-bot quarkus-bot bot added the kind/enhancement New feature or request label Jul 24, 2023
@quarkus-bot quarkus-bot bot added this to the 3.3 - main milestone Jul 24, 2023