Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC JWK refresh support #9891

Merged
merged 3 commits into from
Jun 15, 2020
Merged

OIDC JWK refresh support #9891

merged 3 commits into from
Jun 15, 2020

Conversation

sberyozkin
Copy link
Member

@sberyozkin sberyozkin commented Jun 9, 2020
edited
Loading

Fixes #5003
Fixes #7286

This PR:

  • Supports a forced JWK refresh based on a missingKeyHandler Vertx Auth 3.9.1 feature with a controlled refresh interval period (10 mins by default). Right now, if the rotation happens and the current token has no local JWK with a matching kid to verify it then 2 requests will go to OIDC server, 1 JWK refresh from our handler and one fallback introspection request - this is not really a problem for now as it will happen only once in some long enough irregular rotation interval in a long running application
  • Along the way the opaque access tokens are now also supported
  • adds a test OidcResource server endpoint to emulate Keycloak
  • adds a test that confirms that a JWK refresh alone, without the introspection, is enough to verify a token after the key rotation, plus checks the fallback introspection is effective for the opaque token

CC @pmlopes

@sberyozkin sberyozkin added this to the 1.6.0 - master milestone Jun 9, 2020
stuartwdouglas
stuartwdouglas requested changes Jun 10, 2020
View reviewed changes
Copy link
Member

@stuartwdouglas stuartwdouglas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM except for some minor changes.

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java Outdated Show resolved Hide resolved
extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java Outdated Show resolved Hide resolved
pedroigor
pedroigor requested changes Jun 10, 2020
View reviewed changes
extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java Outdated
@@ -193,7 +193,8 @@ public SecurityIdentity apply(Throwable throwable) {
LOG.debug("State parameter can not be empty or multi-valued");
return Uni.createFrom().failure(new AuthenticationCompletionException());
} else if (!stateCookie.getValue().startsWith(values.get(0))) {
LOG.debug("State cookie does not match the state parameter");
LOG.debugf("State cookie value '%s' does not match the state query parameter value '%s'",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if it is a good idea to log the state value considering it is used in OAuth2 to prevent CSRF.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pedroigor I just added it because the user was getting this error, but I suppose seeing 2 different uuids in the logs won't help the users to figure out why it happened :-). OK, let me revert it

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java
@@ -32,6 +35,31 @@ private OidcUtils() {

}

public static boolean isOpaqueToken(String token) {
return new StringTokenizer(token, ".").countTokens() != 3;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A minor comment. Right now we only support JWS, but JWE uses 5 tokens.

But I guess we would handle JWEs as opaque tokens considering that you would need an introspection call to check claims.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pedroigor Right, at the moment no local JWE decryption is possible, so they are technically opaque for Quarkus

@pedroigor pedroigor self-requested a review June 12, 2020 13:02
@sberyozkin sberyozkin merged commit fd413f3 into quarkusio:master Jun 15, 2020
@sberyozkin sberyozkin deleted the refresh_jwk branch June 15, 2020 12:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pedroigor pedroigor pedroigor approved these changes

@stuartwdouglas stuartwdouglas stuartwdouglas approved these changes

Assignees
No one assigned
Labels
area/oidc
Projects
None yet
Milestone
1.6.0.CR1
Development

Successfully merging this pull request may close these issues.

OIDC needs to support the opaque access tokens Refresh the verification JWK sets on demand
3 participants
@sberyozkin @stuartwdouglas @pedroigor