Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Throw the exception if OIDC client fails to acquire the token #32505

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
import jakarta.ws.rs.client.ClientRequestContext;
import jakarta.ws.rs.client.ClientRequestFilter;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;

import org.jboss.logging.Logger;

Expand All @@ -26,10 +25,11 @@ public void filter(ClientRequestContext requestContext) throws IOException {
final String accessToken = getAccessToken();
requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, BEARER_SCHEME_WITH_SPACE + accessToken);
} catch (DisabledOidcClientException ex) {
requestContext.abortWith(Response.status(500).build());
LOG.debug("Client is disabled, aborting the request");
throw ex;
} catch (Exception ex) {
LOG.debugf("Access token is not available, aborting the request with HTTP 401 error: %s", ex.getMessage());
requestContext.abortWith(Response.status(401).build());
LOG.debugf("Access token is not available, cause: %s, aborting the request", ex.getMessage());
throw (ex instanceof RuntimeException) ? (RuntimeException) ex : new RuntimeException(ex);
}
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@
import java.util.function.Consumer;

import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;

import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.client.spi.ResteasyReactiveClientRequestContext;
Expand Down Expand Up @@ -40,13 +39,11 @@ public void accept(Tokens tokens) {
@Override
public void accept(Throwable t) {
if (t instanceof DisabledOidcClientException) {
LOG.debug("Client is disabled");
requestContext.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR).build());
LOG.debug("Client is disabled, aborting the request");
} else {
LOG.debugf("Access token is not available, aborting the request with HTTP 401 error: %s", t.getMessage());
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
LOG.debugf("Access token is not available, cause: %s, aborting the request", t.getMessage());
}
requestContext.resume();
requestContext.resume((t instanceof RuntimeException) ? t : new RuntimeException(t));
}
});
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
package io.quarkus.it.keycloak;

import java.util.function.Function;

import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
Expand All @@ -23,6 +25,10 @@ public class FrontendResource {
@RestClient
ProtectedResourceServiceNamedFilter protectedResourceServiceNamedFilter;

@Inject
@RestClient
MisconfiguredClientFilter misconfiguredClientFilter;

@GET
@Path("userNameCustomFilter")
@Produces("text/plain")
Expand All @@ -43,4 +49,19 @@ public Uni<String> userNameReactive() {
public Uni<String> userNameNamedFilter() {
return protectedResourceServiceNamedFilter.getUserName();
}

@GET
@Path("userNameMisconfiguredClientFilter")
@Produces("text/plain")
public Uni<String> userNameMisconfiguredClientFilter() {
return misconfiguredClientFilter.getUserName().onFailure(Throwable.class)
.recoverWithItem(new Function<Throwable, String>() {

@Override
public String apply(Throwable t) {
return t.getMessage();
}

});
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
package io.quarkus.it.keycloak;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;

import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;

import io.quarkus.oidc.client.filter.OidcClientFilter;
import io.smallrye.mutiny.Uni;

@RegisterRestClient
@OidcClientFilter("misconfigured-client")
@Path("/")
public interface MisconfiguredClientFilter {

@GET
@Produces("text/plain")
@Path("userNameReactive")
Uni<String> getUserName();
}
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,17 @@ quarkus.oidc-client.named-client.grant.type=password
quarkus.oidc-client.named-client.grant-options.password.username=jdoe
quarkus.oidc-client.named-client.grant-options.password.password=jdoe

quarkus.oidc-client.misconfigured-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.misconfigured-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.misconfigured-client.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc-client.misconfigured-client.grant.type=password
quarkus.oidc-client.misconfigured-client.grant-options.password.username=jdoe
quarkus.oidc-client.misconfigured-client.grant-options.password.password=bob

io.quarkus.it.keycloak.ProtectedResourceServiceCustomFilter/mp-rest/url=http://localhost:8081/protected
io.quarkus.it.keycloak.ProtectedResourceServiceReactiveFilter/mp-rest/url=http://localhost:8081/protected
io.quarkus.it.keycloak.ProtectedResourceServiceNamedFilter/mp-rest/url=http://localhost:8081/protected
io.quarkus.it.keycloak.MisconfiguredClientFilter/mp-rest/url=http://localhost:8081/protected

quarkus.log.category."io.quarkus.oidc.client.runtime.OidcClientImpl".min-level=TRACE
quarkus.log.category."io.quarkus.oidc.client.runtime.OidcClientImpl".level=TRACE
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

import static org.awaitility.Awaitility.await;
import static org.awaitility.Awaitility.given;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.junit.jupiter.api.Assertions.assertEquals;

Expand Down Expand Up @@ -44,6 +45,15 @@ public void testGetUserNameNamedFilter() {
.body(equalTo("jdoe"));
}

@Test
public void testGetUserNameMisconfiguredClientFilter() {
RestAssured.given().header("Accept", "text/plain")
.when().get("/frontend/userNameMisconfiguredClientFilter")
.then()
.statusCode(200)
.body(containsString("invalid_grant"));
}

@Test
public void testGetUserNameReactive() {
RestAssured.given().header("Accept", "text/plain")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;

import org.eclipse.microprofile.context.ManagedExecutor;
import org.eclipse.microprofile.rest.client.inject.RestClient;
Expand All @@ -29,6 +30,10 @@ public class FrontendResource {
@RestClient
ProtectedResourceServiceNonDefaultOidcClient protectedResourceServiceNonDefaultOidcClient;

@Inject
@RestClient
MisconfiguredClientFilter misconfiguredClientFilter;

@Inject
ManagedExecutor managedExecutor;

Expand All @@ -47,6 +52,17 @@ public String userNameNonDefaultOidcClient() {
return protectedResourceServiceNonDefaultOidcClient.getUserName();
}

@GET
@Path("userNameMisconfiguredClientFilter")
@Produces("text/plain")
public String userNameMisconfiguredClientFilter() {
try {
return misconfiguredClientFilter.getUserName();
} catch (Throwable t) {
return t.getMessage();
}
}

@GET
@Path("userOidcClientManagedExecutor")
public String userNameOidcClientManagedExecutor() throws Exception {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
package io.quarkus.it.keycloak;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;

import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;

import io.quarkus.oidc.client.filter.OidcClientFilter;

@RegisterRestClient
@OidcClientFilter("misconfigured-client")
@Path("/")
public interface MisconfiguredClientFilter {

@GET
String getUserName();
}
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,14 @@ quarkus.oidc-client.named.grant.type=password
quarkus.oidc-client.named.grant-options.password.username=alice
quarkus.oidc-client.named.grant-options.password.password=alice

quarkus.oidc-client.misconfigured-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.misconfigured-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.misconfigured-client.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc-client.misconfigured-client.grant.type=password
quarkus.oidc-client.misconfigured-client.grant-options.password.username=jdoe
quarkus.oidc-client.misconfigured-client.grant-options.password.password=bob
quarkus.oidc-client.misconfigured-client.early-tokens-acquisition=false

quarkus.oidc-client.non-default-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.non-default-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.non-default-client.credentials.secret=${quarkus.oidc.credentials.secret}
Expand All @@ -28,6 +36,7 @@ io.quarkus.it.keycloak.ProtectedResourceServiceOidcClient/mp-rest/url=http://loc
io.quarkus.it.keycloak.ProtectedResourceServiceNamedOidcClient/mp-rest/url=http://localhost:8081/protected
io.quarkus.it.keycloak.ProtectedResourceServiceNoOidcClient/mp-rest/url=http://localhost:8081/protected
io.quarkus.it.keycloak.ProtectedResourceServiceNonDefaultOidcClient/mp-rest/url=http://localhost:8081/protected
io.quarkus.it.keycloak.MisconfiguredClientFilter/mp-rest/url=http://localhost:8081/protected

quarkus.tls.trust-all=true
quarkus.log.category."io.quarkus.oidc.client.runtime.OidcClientImpl".min-level=TRACE
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

import static org.awaitility.Awaitility.await;
import static org.awaitility.Awaitility.given;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.junit.jupiter.api.Assertions.assertEquals;

Expand Down Expand Up @@ -36,6 +37,15 @@ public void testGetUserNameOidcClient() {
.body(equalTo("alice"));
}

@Test
public void testGetUserNameMisconfiguredClientFilter() {
RestAssured.given().header("Accept", "text/plain")
.when().get("/frontend/userNameMisconfiguredClientFilter")
.then()
.statusCode(200)
.body(containsString("invalid_grant"));
}

@Test
public void testGetUserNameNonDefaultOidcClient() {
RestAssured.when().get("/frontend/userNonDefaultOidcClient")
Expand Down