OIDC: NPE when accessing IdToken when Bearer access token is sent #35964

Closed
tmulle opened this issue Sep 15, 2023 · 7 comments · Fixed by #35968
Labels: area/oidc, kind/bug (Something isn't working)

@tmulle
Contributor

tmulle commented Sep 15, 2023

### Describe the bug

I'm testing out the multitenant solution in my application so I can support both code-flow and bearer token for my JSF UI and REST API code. I want the REST endpoints to be accessible from curl, Postman, etc., so I can't use the hybrid type.

My JSF UI uses the web-app service type and my REST APIs use the service type.

Things seem to be working OK and I can log in fine in the UI and also use Postman to hit my REST endpoints, passing an access token in the Authorization header.

However, I have an API method where I wanted to print out the token information that is available to me, so I can learn what is actually provided during which calls.

I think I found a bug in JsonWebToken and OidcSession when trying to access expirationDate.

Error:

```
2023-09-15 16:55:21,426 ERROR [io.qua.ver.htt.run.QuarkusErrorHandler] (executor-thread-1) HTTP Request to /api/tokeninfo failed, error id: 225fcb1e-3b82-4731-aec2-b982c3a26469-3: java.lang.NullPointerException: Cannot invoke "java.lang.Long.longValue()" because the return value of "org.eclipse.microprofile.jwt.JsonWebToken.getClaim(org.eclipse.microprofile.jwt.Claims)" is null
        at org.eclipse.microprofile.jwt.JsonWebToken.getExpirationTime(JsonWebToken.java:98)
        at org.eclipse.microprofile.jwt.OidcJsonWebTokenProducer_ProducerMethod_currentIdToken_fd05e4c440bc560635edfdf219600734450212ad_ClientProxy.getExpirationTime(Unknown Source)
        at org.primefaces.babylon.service.SecurityService.printTokenInfo(SecurityService.java:80)
        at org.primefaces.babylon.service.SecurityService_Subclass.printTokenInfo$$superforward(Unknown Source)
        at org.primefaces.babylon.service.SecurityService_Subclass$$function$$12.apply(Unknown Source)
        at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:73)
        at io.quarkus.arc.impl.AroundInvokeInvocationContext$NextAroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:97)
```

Below is the service I am hitting from both the UI and the REST end. The UI calls via JSF work fine, but the Postman call doesn't.

It looks like there is some sort of proxy object called JsonNullWebToken or something that is causing the initial null check to pass, but then internally it blows up trying to access other information.

This happens for both the OidcSession and the JsonWebToken idToken.

Since I'm hitting the API with an AccessToken only, I would assume the IdToken would be null, but it is not, which is why I put the null check in there to try to fix it.

When I call the same method via JSF `#{securityService.printTokenInfo()}` I see all the information print out which I expect.

```java
import io.quarkus.oidc.IdToken;
import io.quarkus.oidc.OidcSession;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.io.Serializable;
import java.time.Duration;
import java.time.Instant;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jboss.logging.Logger;

@Named
@ApplicationScoped
@PermitAll
public class SecurityService implements Serializable {

    @Inject
    Logger log;

    @Inject
    SecurityIdentity identity;

    // ID token: only available after an authorization code flow login
    @Inject
    @IdToken
    JsonWebToken idToken;

    // Access token: available for bearer token requests
    @Inject
    JsonWebToken accessToken;

    @Inject
    OidcSession session;

    public boolean isLoggedIn() {
        log.infof("User %s is logged in = %s and has roles %s", identity.getPrincipal().getName(), !identity.isAnonymous(), identity.getRoles());
        return identity != null && !identity.isAnonymous();
    }

    public boolean hasRole(String role) {
        return identity.hasRole(role);
    }

    public void printTokenInfo() {
        Instant now = Instant.now();

        Instant accessTokenExpiration = null;
        Instant idTokenExpiration = null;
        Duration accessTokenDuration = null;
        Duration idTokenDuration = null;

        if (accessToken != null) {
            accessTokenExpiration = Instant.ofEpochSecond(accessToken.getExpirationTime());
            accessTokenDuration = Duration.between(now, accessTokenExpiration);

            log.infof("Access Token Duration is %d days, %d hours, %d minutes, and %d seconds.\n",
                    accessTokenDuration.toDays(),
                    accessTokenDuration.toHoursPart(),
                    accessTokenDuration.toMinutesPart(),
                    accessTokenDuration.toSecondsPart());
        }

        // The injected reference is a client proxy, so this null check passes
        // even when the request carries only a bearer access token.
        if (idToken != null) {
            // This is the call that throws the NPE shown in the stack trace above.
            idTokenExpiration = Instant.ofEpochSecond(idToken.getExpirationTime());
            idTokenDuration = Duration.between(now, idTokenExpiration);

            log.infof("Info Token Duration is %d days, %d hours, %d minutes, and %d seconds.\n",
                    idTokenDuration.toDays(),
                    idTokenDuration.toHoursPart(),
                    idTokenDuration.toMinutesPart(),
                    idTokenDuration.toSecondsPart());
        }

        if (session != null && session.getIdToken() != null) {
            log.infof("Session information for tenant [%s] with username [%s] expires at: [%s] and is valid for [%s] - Groups: %s Claims: %s",
                    session.getTenantId(), session.getIdToken().getName(),
                    session.expiresAt(), session.validFor(),
                    session.getIdToken().getGroups(), session.getIdToken().getClaimNames());
        }
    }

    @Path("/api/tokeninfo")
    @GET
    @RolesAllowed("web-license-admin")
    @Produces(MediaType.TEXT_PLAIN)
    public Response doNothing() {
        printTokenInfo();
        return Response.ok().build();
    }
}
```


### Expected behavior

_No response_

### Actual behavior

_No response_

### How to Reproduce?

_No response_

### Output of `uname -a` or `ver`

_No response_

### Output of `java -version`

_No response_

### GraalVM version (if different from Java)

_No response_

### Quarkus version or git rev

3.3.2

### Build tool (ie. output of `mvnw --version` or `gradlew --version`)

_No response_

### Additional information

_No response_
@tmulle tmulle added the kind/bug Something isn't working label Sep 15, 2023
@quarkus-bot

quarkus-bot bot commented Sep 15, 2023

/cc @pedroigor (oidc), @sberyozkin (oidc)

@sberyozkin
Member

Hey @tmulle, I think we can fix NPE there but trying to call objects representing the ID token (directly with @IdToken JsonWebToken or indirectly OidcSession) when the Bearer access token is coming in is not going to give you anything but nulls. These are request context objects so you don't have to compare the objects themselves for null

@sberyozkin
Member

You need to access the injected JsonWebToken in scope of the REST API call, without @IdToken

@sberyozkin
Member

@tmulle Unfortunately there is nothing we can do to prevent NPE, it is typed to return long: https://github.com/eclipse/microprofile-jwt-auth/blob/main/api/src/main/java/org/eclipse/microprofile/jwt/JsonWebToken.java#L97, can't return null.

I think the only correct option is to not use the common code which tries to access ID token/session with either access or code flow calls. Please update the code accordingly.

We simply can't give ID token content when it is not available. But what we can try to do is return NullJsonWebToken when ID token is requested but SecurityIdentity is backed up by the access token. It won't prevent this NPE but should return nulls for other JWT methods

@sberyozkin sberyozkin changed the title OIDC: Exception when accessing IdToken with Multitenant calls from REST OIDC: NPE when accessing IdToken with only access token available Sep 15, 2023
@sberyozkin sberyozkin changed the title OIDC: NPE when accessing IdToken with only access token available OIDC: NPE when accessing IdToken when Bearer access token is sent Sep 15, 2023
@sberyozkin
Member

I've tweaked the subject a bit to reflect the problem better, hope you are OK with it

@sberyozkin
Member

@tmulle

> But what we can try to do is return NullJsonWebToken when ID token is requested but SecurityIdentity is backed up by the access token

It is already done here:

https://github.com/quarkusio/quarkus/blob/main/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcJsonWebTokenProducer.java#L83

But since this is effectively a server error, I'll change that log message from trace to warn before closing this issue

@sberyozkin
Member

sberyozkin commented Sep 16, 2023

@tmulle In general, if you'd like to have the same code managing both code flows and bearer tokens, then you need to have @SecurityIdentity injected only, and if both ID and access tokens are in JWT format and you need some claims data then you'd cast securityIdentity.getPrincipal() to JsonWebToken. It won't always work for all providers though as quite a few of them issue binary access tokens - in such cases the alternative is to request UserInfo and use UserInfo only...
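
One way to follow the advice in the comment above, shown as an added example that is not part of the thread or of Quarkus itself. It reads the token only through `SecurityIdentity` and fetches `exp` with `getClaim(Claims.exp)`, which returns null for a missing claim instead of unboxing it; the class name `CurrentToken` and its package are hypothetical.

```java
package org.acme.security; // hypothetical package

import io.quarkus.security.identity.SecurityIdentity;
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Inject;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;

/**
 * Hypothetical helper: token details for the current request, usable from
 * code shared by code-flow (JSF) and bearer-token (REST) callers.
 */
@RequestScoped
public class CurrentToken {

    @Inject
    SecurityIdentity identity;

    /** The verified JWT backing the current identity, if there is one. */
    public Optional<JsonWebToken> jwt() {
        if (identity.isAnonymous()) {
            return Optional.empty();
        }
        Principal principal = identity.getPrincipal();
        // With opaque (binary) access tokens the principal is not expected to be
        // a JsonWebToken; callers fall back to UserInfo in that case.
        if (principal instanceof JsonWebToken) {
            return Optional.of((JsonWebToken) principal);
        }
        return Optional.empty();
    }

    /** Expiry of the given token, or empty when it carries no exp claim. */
    public static Optional<Instant> expiresAt(JsonWebToken token) {
        // getExpirationTime() is typed to return long and unboxes the claim,
        // so a missing exp raises NullPointerException. getClaim() returns null.
        Object exp = token.getClaim(Claims.exp);
        if (exp instanceof Number) {
            return Optional.of(Instant.ofEpochSecond(((Number) exp).longValue()));
        }
        return Optional.empty();
    }

    /** Time left before the current token expires; empty when no JWT is available. */
    public Optional<Duration> remainingValidity() {
        Instant now = Instant.now();
        return jwt()
                .flatMap(CurrentToken::expiresAt)
                .map(expiry -> Duration.between(now, expiry));
    }
}
```

Shared code can then log `remainingValidity()` for either flow and treat an empty result as "no JWT claims available" rather than failing the request with a server error.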

@quarkus-bot quarkus-bot bot added this to the 3.5 - main milestone Sep 18, 2023
@gsmet gsmet modified the milestones: 3.5 - main, 3.4.1 Sep 19, 2023
benkard pushed a commit to benkard/quarkus-googlecloud-jsonlogging that referenced this issue Sep 24, 2023
…oud-jsonlogging!18)

This MR contains the following updates:

| Package | Type | Update | Change |
|---------|------|--------|--------|
| [io.quarkus:quarkus-extension-processor](https://github.com/quarkusio/quarkus) |  | minor | `3.3.2` -\> `3.4.1` |
| [io.quarkus:quarkus-extension-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.3.2` -\> `3.4.1` |
| [io.quarkus:quarkus-bom](https://github.com/quarkusio/quarkus) | import | minor | `3.3.2` -\> `3.4.1` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.3.2` -\> `3.4.1` |
| [org.eclipse.parsson:parsson](https://github.com/eclipse-ee4j/parsson) | compile | patch | `1.1.2` -\> `1.1.4` |
| [io.smallrye.common:smallrye-common-constraint](http://smallrye.io) ([source](https://github.com/smallrye/smallrye-common)) | compile | patch | `2.1.0` -\> `2.1.2` |

---

### Release Notes

<details>
<summary>quarkusio/quarkus</summary>

### [`v3.4.1`](https://github.com/quarkusio/quarkus/releases/tag/3.4.1)

[Compare Source](quarkusio/quarkus@3.4.0...3.4.1)

##### Major changes

- [\#​35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway

##### Complete changelog

- [\#​36000](quarkusio/quarkus#36000) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /docs
- [\#​35999](quarkusio/quarkus#35999) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /bom/application
- [\#​35990](quarkusio/quarkus#35990) - Don't ignore empty SSE events in client
- [\#​35987](quarkusio/quarkus#35987) - Improve the way HTTP authorizer logs exceptions
- [\#​35981](quarkusio/quarkus#35981) - Fix link to AWS Lambda SnapStart in documentation
- [\#​35979](quarkusio/quarkus#35979) - Add `@ConfigDocEnumValue` & `@ConfigDocDefault` to writing-extensions guide
- [\#​35977](quarkusio/quarkus#35977) - Recompute cached value when the Redis connection fails
- [\#​35975](quarkusio/quarkus#35975) - OIDC: AuthenticationRedirectionException after successful login
- [\#​35968](quarkusio/quarkus#35968) - Warn when wrong token proxy is accessed
- [\#​35966](quarkusio/quarkus#35966) - SSE: Reactive SseEventSource client doesn't consume empty events
- [\#​35964](quarkusio/quarkus#35964) - OIDC: NPE when accessing IdToken when Bearer access token is sent
- [\#​35959](quarkusio/quarkus#35959) - Log invalid CORS origin and method
- [\#​35958](quarkusio/quarkus#35958) - \[GraalVM 24.0\] Hibernate ORM elasticsearch native integration tests fail with return type mismatch
- [\#​35956](quarkusio/quarkus#35956) - Fix return type of hibernate-search substitution
- [\#​35949](quarkusio/quarkus#35949) - Properly initialize reactive Pool beans
- [\#​35938](quarkusio/quarkus#35938) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /bom/application
- [\#​35937](quarkusio/quarkus#35937) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /independent-projects/tools
- [\#​35926](quarkusio/quarkus#35926) - Fix use of multiple `@ClientXXX` annotations in REST Client Reactive
- [\#​35925](quarkusio/quarkus#35925) - Add a property to bypass cache mechanism in case of Redis failure
- [\#​35919](quarkusio/quarkus#35919) - Honor OIDC logout requests when ID token has expired
- [\#​35914](quarkusio/quarkus#35914) - Prevent recording configuration coming from Gradle
- [\#​35900](quarkusio/quarkus#35900) - Fix RESTEasy CDI dependency issue
- [\#​35899](quarkusio/quarkus#35899) - Add note about unsupported `@Lock` in Spring Data JPA
- [\#​35895](quarkusio/quarkus#35895) - Update liquibase to 4.23.2, liquibase-mongodb to 4.23.1
- [\#​35889](quarkusio/quarkus#35889) - UriInfo can not be injected in presence of quarkus-rest-client dependency
- [\#​35886](quarkusio/quarkus#35886) - OTel Scope.close() warning improvement
- [\#​35885](quarkusio/quarkus#35885) - Applying the QE feedback for the Logging guide
- [\#​35884](quarkusio/quarkus#35884) - Application fails to start when eactive restclient uses both ClientExceptionMapper and ClientObjectMapper
- [\#​35883](quarkusio/quarkus#35883) - Bring back the HTTP console commands
- [\#​35879](quarkusio/quarkus#35879) - Quarkus 3.4.0.CR1 does not have HTTP commands in dev mode
- [\#​35858](quarkusio/quarkus#35858) - NullPointerException when entity primary key has the type `byte[]`
- [\#​35777](quarkusio/quarkus#35777) - Add a note about HR not being a replacement for ORM
- [\#​35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway
- [\#​35728](quarkusio/quarkus#35728) - OIDC logout not working for virtual callback paths, if id_token is expired but session cookie is present
- [\#​35690](quarkusio/quarkus#35690) - Upgrade to Hibernate ORM 6.2.9.Final and HR 2.0.5.Final
- [\#​35655](quarkusio/quarkus#35655) - Flyway does not work without default datasource 3.3
- [\#​35528](quarkusio/quarkus#35528) - flyway with one supported and one unsupported Db throws exception at startup

### [`v3.4.0`](https://github.com/quarkusio/quarkus/releases/tag/3.4.0)

[Compare Source](quarkusio/quarkus@3.3.3...3.4.0)

##### Complete changelog

- [\#​35888](quarkusio/quarkus#35888) - Restore missing parameters in OIDC Dev UI client cred and password SwaggerUI/GraphQL handlers
- [\#​35870](quarkusio/quarkus#35870) - Use default Vert.x client settings in OTel exporters
- [\#​35866](quarkusio/quarkus#35866) - Automatic TLS support in new Vert.x based open telemetry implementation
- [\#​35862](quarkusio/quarkus#35862) - Only remove OTLP trace services when otlp is not configured
- [\#​35846](quarkusio/quarkus#35846) - Fixes aggregation of configurations with two different executions ids
- [\#​35844](quarkusio/quarkus#35844) - Improve description of the duration format in configuration documentation
- [\#​35840](quarkusio/quarkus#35840) - Updates Infinispan to 14.0.17.Final
- [\#​35831](quarkusio/quarkus#35831) - Quarkus aggregate configurations from different executions that share the same goal
- [\#​35822](quarkusio/quarkus#35822) - Check that embedded property types are marked as `@Embeddable`
- [\#​35817](quarkusio/quarkus#35817) - Improve Qute + Cache integration
- [\#​35804](quarkusio/quarkus#35804) - HTTP fix response compression support
- [\#​35792](quarkusio/quarkus#35792) - Do not include in the list of property names Kubernetes config fallbacks
- [\#​35789](quarkusio/quarkus#35789) - Improve OTel Sampler docs
- [\#​35786](quarkusio/quarkus#35786) - OpenTelemetry exporter (otlp) startup dependency error when running as a Docker container image
- [\#​35784](quarkusio/quarkus#35784) - Document the ability to automatically compress rotated log files
- [\#​35778](quarkusio/quarkus#35778) - Fix generic handling of ParamConverter
- [\#​35774](quarkusio/quarkus#35774) - RESTEasy Reactive fails to handle collections of parameterized types as parameter
- [\#​35764](quarkusio/quarkus#35764) - Do not include revision and host-specific info in MANIFEST.MF
- [\#​35762](quarkusio/quarkus#35762) - Delete temporary openshift files
- [\#​35759](quarkusio/quarkus#35759) - Upgrade Smallrye OpenAPI to 3.5.2
- [\#​35757](quarkusio/quarkus#35757) - Update liquibase from 4.20.0 to 4.23.1, liquibase-mongodb to 4.23.0
- [\#​35747](quarkusio/quarkus#35747) - Large files remain in /tmp after OpenShift deployments
- [\#​35726](quarkusio/quarkus#35726) - Improve matching of config properties to a root
- [\#​35722](quarkusio/quarkus#35722) - Since quarkus 3.3.0 a WARN message unrecognized configuration key "quarkus.kubernetes.route.expose" is logged
- [\#​35718](quarkusio/quarkus#35718) - Packs libraries alongside executable in function.zip
- [\#​35713](quarkusio/quarkus#35713) - AWS Lambda extension does not pack necessary .so files when AWT is used
- [\#​35710](quarkusio/quarkus#35710) - Fix potential NPE in HTTP proxying
- [\#​35706](quarkusio/quarkus#35706) - Azure-Functions crash when X-Forwarded headers are enabled java.lang.NullPointerException
- [\#​35599](quarkusio/quarkus#35599) - Keycloak/Quarkus Issues: Dev and Prod
- [\#​35598](quarkusio/quarkus#35598) - Improve Error-Message for missing Embedabbles
- [\#​35558](quarkusio/quarkus#35558) - Widen conditions under RESTEasy Reactive Server and RESTEasy Classic Client can work together
- [\#​12260](quarkusio/quarkus#12260) - Quarkus logging with compress option

### [`v3.3.3`](https://github.com/quarkusio/quarkus/releases/tag/3.3.3)

[Compare Source](quarkusio/quarkus@3.3.2...3.3.3)

##### Complete changelog

- Fixes CVE-2023-4853
- [\#​35490](quarkusio/quarkus#35490) - Build cache - Improve cachability of service binding tests

</details>

<details>
<summary>eclipse-ee4j/parsson</summary>

### [`v1.1.4`](eclipse-ee4j/parsson@1.1.3...1.1.4)

[Compare Source](eclipse-ee4j/parsson@1.1.3...1.1.4)

### [`v1.1.3`](https://github.com/eclipse-ee4j/parsson/releases/tag/1.1.3): Parsson 1.1.3

[Compare Source](eclipse-ee4j/parsson@1.1.2...1.1.3)

#### What's Changed

- 1\.1.2 release by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#89
- [\#​91](eclipse-ee4j/parsson#91): Stack overflow error caused by jakarta.json parsing of untrusted JSON String by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#92
- update build plugins by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#93
- improve compatibility with OSGi mediator by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#96
- [\#​77](eclipse-ee4j/parsson#77): JsonTokenizer.close() recycles its buffer for each call to close() by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#97
- [\#​90](eclipse-ee4j/parsson#90): MapUtil.handle does not support Array objects by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#98

**Full Changelog**: eclipse-ee4j/parsson@1.1.2...1.1.3

</details>

<details>
<summary>smallrye/smallrye-common</summary>

### [`v2.1.2`](https://github.com/smallrye/smallrye-common/releases/tag/2.1.2)

[Compare Source](smallrye/smallrye-common@2.1.1...2.1.2)

- [\#​243](smallrye/smallrye-common#243) Release 2.1.2
- [\#​242](smallrye/smallrye-common#242) Fix substitutions for Windows OS
- [\#​241](smallrye/smallrye-common#241) GraalVM substitution problem on Windows
- [\#​240](smallrye/smallrye-common#240) Bump version.vertx from 4.4.4 to 4.4.5

### [`v2.1.1`](https://github.com/smallrye/smallrye-common/releases/tag/2.1.1)

[Compare Source](smallrye/smallrye-common@2.1.0...2.1.1)

- [\#​239](smallrye/smallrye-common#239) Release 2.1.1
- [\#​238](smallrye/smallrye-common#238) Allow reaper threads to be started at run time
- [\#​237](smallrye/smallrye-common#237) Bump io.sundr:sundr-maven-plugin from 0.100.1 to 0.100.3
- [\#​236](smallrye/smallrye-common#236) Bump org.apache.maven:maven-artifact from 3.9.3 to 3.9.4
- [\#​234](smallrye/smallrye-common#234) Bump version.graalvm from 22.3.2 to 23.0.1
- [\#​233](smallrye/smallrye-common#233) Bump module-info from 2.0 to 2.1
- [\#​232](smallrye/smallrye-common#232) Bump sundr-maven-plugin from 0.95.0 to 0.100.1
- [\#​231](smallrye/smallrye-common#231) Bump maven-artifact from 3.9.2 to 3.9.3
- [\#​230](smallrye/smallrye-common#230) Bump version.vertx from 4.4.3 to 4.4.4
- [\#​227](smallrye/smallrye-common#227) Bump smallrye-parent from 39 to 40
- [\#​226](smallrye/smallrye-common#226) Bump version.vertx from 4.4.1 to 4.4.3
- [\#​225](smallrye/smallrye-common#225) Bump sundr-maven-plugin from 0.94.0 to 0.95.0
- [\#​222](smallrye/smallrye-common#222) Bump maven-artifact from 3.9.0 to 3.9.2
- [\#​221](smallrye/smallrye-common#221) Port quiet(...) and cast(...) methods from wildfly-common
- [\#​220](smallrye/smallrye-common#220) Bump version.graalvm from 22.3.1 to 22.3.2
- [\#​218](smallrye/smallrye-common#218) Bump version.vertx from 4.4.0 to 4.4.1
- [\#​217](smallrye/smallrye-common#217) Bump asm from 9.4 to 9.5
- [\#​216](smallrye/smallrye-common#216) Support unsigned parameter range checks
- [\#​214](smallrye/smallrye-common#214) Bump version.vertx from 4.3.8 to 4.4.0

</details>

---

### Configuration

:date: **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

:vertical_traffic_light: **Automerge**: Enabled.

:recycle: **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

:ghost: **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

* [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
@gsmet gsmet modified the milestones: 3.4.1, 2.16.12.Final Oct 12, 2023
benkard pushed a commit to benkard/mulkcms2 that referenced this issue Nov 12, 2023
This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [io.hypersistence:hypersistence-utils-hibernate-62](https://github.com/vladmihalcea/hypersistence-utils) | compile | patch | `3.5.2` -> `3.5.3` |
| [org.hibernate.orm:hibernate-envers](https://hibernate.org/orm) ([source](https://github.com/hibernate/hibernate-orm)) | build | patch | `6.3.0.Final` -> `6.3.1.Final` |
| [org.hibernate.orm:hibernate-core](https://hibernate.org/orm) ([source](https://github.com/hibernate/hibernate-orm)) | build | patch | `6.3.0.Final` -> `6.3.1.Final` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.3.3` -> `3.4.1` |
| [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | minor | `3.3.3` -> `3.4.1` |

---

### Release Notes

<details>
<summary>vladmihalcea/hypersistence-utils</summary>

### [`v3.5.3`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-353---September-19-2023)

\================================================================================

Add QueryStackTraceLogger that allows you to locate the source of an SQL query executed by Hibernate [#653](vladmihalcea/hypersistence-utils#653)

</details>

<details>
<summary>hibernate/hibernate-orm</summary>

### [`v6.3.1.Final`](https://github.com/hibernate/hibernate-orm/blob/HEAD/changelog.txt#Changes-in-631Final-September-19-2023)

[Compare Source](hibernate/hibernate-orm@6.3.0...6.3.1)

https://hibernate.atlassian.net/projects/HHH/versions/32188

\*\* Bug
\* \[HHH-17221] - AssertionError initializing a collection with FetchMode.SUBSELECT and IdClass having only one field
\* \[HHH-17203] - ElementCollection doesn't consider @Where annotation on delete of elements
\* \[HHH-17202] - ArrayStoreException for single field id class entity collection batch loading
\* \[HHH-17201] - Unexpected value type exception for unordered multi id Load with ordered return disable
\* \[HHH-17189] - Audited annotations are ignored on embeddable super types
\* \[HHH-17177] - JDBC type code is ignored in XML mapping for an id attribute
\* \[HHH-17173] - Getting one-to-one association through a referenece to a bytecode enhanced entity fails
\* \[HHH-17168] - Investigate failures on db10\_5 and Cockrachdb of FunctionTests.testCastBinaryWithLength
\* \[HHH-17167] - Unable to locate parameter for RESTRICT - DELETE error when removing entity with RowId
\* \[HHH-17166] - query methods returning primitive types incorrectly inferred to be mutation query methods
\* \[HHH-17165] - short method names in metamodel generator cause SIOBE
\* \[HHH-17163] - persist() should throw JPA's EntityExistsException if passed detached instance
\* \[HHH-17159] - java.lang.StackOverflowError during Update on Entity with Embeddable and JSON
\* \[HHH-17156] - NPE when an Embeddable column is reused in another class related by inheritance
\* \[HHH-17154] - NullPointerException is thrown when constructing EntityManagerFactoryBuilderImpl
\* \[HHH-17135] - CriteriaQuery error passing nullLiteral with entity type class
\* \[HHH-17131] - Regression in entity streams with associated collections resulting in result duplication
\* \[HHH-17105] - SQL clause from @WhereJoinTable is no longer used for DELETE queries (6.2 regression)
\* \[HHH-17104] - Bug with max() request inside projection
\* \[HHH-17100] - CustomType wrongly calls UserType#disassemble
\* \[HHH-17080] - \[Envers] AuditReader.getRevisionNumberForDate(LocalDateTime) uses Epoch Seconds instead of Epoch Millis
\* \[HHH-17079] - NPE when using CompositeUserType with generic fields in Hibernate 6
\* \[HHH-17049] - Bytecode Enhancement, extra records created for associations created in constructor
\* \[HHH-16945] - CTE query cycle attribute evaluated incorrectly on MSSQL using collation "Latin1\_General_CI_AS"
\* \[HHH-15968] - Sporadic ClassCastException when querying for Set<Enum>.

\*\* Improvement
\* \[HHH-17220] - Avoid runtime lookups of JdbcService from TableGenerator and TableStructure
\* \[HHH-17171] - JPA and multiple query roots
\* \[HHH-16768] - HQL parsed predicates don't validate type comparability

\*\* Task
\* \[HHH-17204] - Relax visibility of some methods for reactive upsert() support
\* \[HHH-17187] - Avoid 0 byte trailing UUID's in tests
\* \[HHH-17160] - Gradle 8.3 upgrade
\* \[HHH-17087] - Update container images to the latest version

</details>

<details>
<summary>quarkusio/quarkus</summary>

### [`v3.4.1`](https://github.com/quarkusio/quarkus/releases/tag/3.4.1)

[Compare Source](quarkusio/quarkus@3.4.0...3.4.1)

##### Major changes

-   [#&#8203;35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway

##### Complete changelog

-   [#&#8203;36000](quarkusio/quarkus#36000) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /docs
-   [#&#8203;35999](quarkusio/quarkus#35999) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /bom/application
-   [#&#8203;35990](quarkusio/quarkus#35990) - Don't ignore empty SSE events in client
-   [#&#8203;35987](quarkusio/quarkus#35987) - Improve the way HTTP authorizer logs exceptions
-   [#&#8203;35981](quarkusio/quarkus#35981) - Fix link to AWS Lambda SnapStart in documentation
-   [#&#8203;35979](quarkusio/quarkus#35979) - Add `@ConfigDocEnumValue` & `@ConfigDocDefault` to writing-extensions guide
-   [#&#8203;35977](quarkusio/quarkus#35977) - Recompute cached value when the Redis connection fails
-   [#&#8203;35975](quarkusio/quarkus#35975) - OIDC: AuthenticationRedirectionException after successful login
-   [#&#8203;35968](quarkusio/quarkus#35968) - Warn when wrong token proxy is accessed
-   [#&#8203;35966](quarkusio/quarkus#35966) - SSE: Reactive SseEventSource client doesn't consume empty events
-   [#&#8203;35964](quarkusio/quarkus#35964) - OIDC: NPE when accessing IdToken when Bearer access token is sent
-   [#&#8203;35959](quarkusio/quarkus#35959) - Log invalid CORS origin and method
-   [#&#8203;35958](quarkusio/quarkus#35958) - \[GraalVM 24.0] Hibernate ORM elasticsearch native integration tests fail with return type mismatch
-   [#&#8203;35956](quarkusio/quarkus#35956) - Fix return type of hibernate-search substitution
-   [#&#8203;35949](quarkusio/quarkus#35949) - Properly initialize reactive Pool beans
-   [#&#8203;35938](quarkusio/quarkus#35938) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /bom/application
-   [#&#8203;35937](quarkusio/quarkus#35937) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /independent-projects/tools
-   [#&#8203;35926](quarkusio/quarkus#35926) - Fix use of multiple `@ClientXXX` annotations in REST Client Reactive
-   [#&#8203;35925](quarkusio/quarkus#35925) - Add a property to bypass cache mechanism in case of Redis failure
-   [#&#8203;35919](quarkusio/quarkus#35919) - Honor OIDC logout requests when ID token has expired
-   [#&#8203;35914](quarkusio/quarkus#35914) - Prevent recording configuration coming from Gradle
-   [#&#8203;35900](quarkusio/quarkus#35900) - Fix RESTEasy CDI dependency issue
-   [#&#8203;35899](quarkusio/quarkus#35899) - Add note about unsupported `@Lock` in Spring Data JPA
-   [#&#8203;35895](quarkusio/quarkus#35895) - Update liquibase to 4.23.2, liquibase-mongodb to 4.23.1
-   [#&#8203;35889](quarkusio/quarkus#35889) - UriInfo can not be injected in presence of quarkus-rest-client dependency
-   [#&#8203;35886](quarkusio/quarkus#35886) - OTel Scope.close() warning improvement
-   [#&#8203;35885](quarkusio/quarkus#35885) - Applying the QE feedback for the Logging guide
-   [#&#8203;35884](quarkusio/quarkus#35884) - Application fails to start when eactive restclient uses both ClientExceptionMapper and ClientObjectMapper
-   [#&#8203;35883](quarkusio/quarkus#35883) - Bring back the HTTP console commands
-   [#&#8203;35879](quarkusio/quarkus#35879) - Quarkus 3.4.0.CR1 does not have HTTP commands in dev mode
-   [#&#8203;35858](quarkusio/quarkus#35858) - NullPointerException when entity primary key has the type `byte[]`
-   [#&#8203;35777](quarkusio/quarkus#35777) - Add a note about HR not being a replacement for ORM
-   [#&#8203;35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway
-   [#&#8203;35728](quarkusio/quarkus#35728) - OIDC logout not working for virtual callback paths, if id_token is expired but session cookie is present
-   [#&#8203;35690](quarkusio/quarkus#35690) - Upgrade to Hibernate ORM 6.2.9.Final and HR 2.0.5.Final
-   [#&#8203;35655](quarkusio/quarkus#35655) - Flyway does not work without default datasource 3.3
-   [#&#8203;35528](quarkusio/quarkus#35528) - flyway with one supported and one unsupported Db throws exception at startup

### [`v3.4.0`](https://github.com/quarkusio/quarkus/releases/tag/3.4.0)

[Compare Source](quarkusio/quarkus@3.3.3...3.4.0)

##### Complete changelog

-   [#35888](quarkusio/quarkus#35888) - Restore missing parameters in OIDC Dev UI client cred and password SwaggerUI/GraphQL handlers
-   [#35870](quarkusio/quarkus#35870) - Use default Vert.x client settings in OTel exporters
-   [#35866](quarkusio/quarkus#35866) - Automatic TLS support in new Vert.x based open telemetry implementation
-   [#35862](quarkusio/quarkus#35862) - Only remove OTLP trace services when otlp is not configured
-   [#35846](quarkusio/quarkus#35846) - Fixes aggregation of configurations with two different executions ids
-   [#35844](quarkusio/quarkus#35844) - Improve description of the duration format in configuration documentation
-   [#35840](quarkusio/quarkus#35840) - Updates Infinispan to 14.0.17.Final
-   [#35831](quarkusio/quarkus#35831) - Quarkus aggregate configurations from different executions that share the same goal
-   [#35822](quarkusio/quarkus#35822) - Check that embedded property types are marked as `@Embeddable`
-   [#35817](quarkusio/quarkus#35817) - Improve Qute + Cache integration
-   [#35804](quarkusio/quarkus#35804) - HTTP fix response compression support
-   [#35792](quarkusio/quarkus#35792) - Do not include in the list of property names Kubernetes config fallbacks
-   [#35789](quarkusio/quarkus#35789) - Improve OTel Sampler docs
-   [#35786](quarkusio/quarkus#35786) - OpenTelemetry exporter (otlp) startup dependency error when running as a Docker container image
-   [#35784](quarkusio/quarkus#35784) - Document the ability to automatically compress rotated log files
-   [#35778](quarkusio/quarkus#35778) - Fix generic handling of ParamConverter
-   [#35774](quarkusio/quarkus#35774) - RESTEasy Reactive fails to handle collections of parameterized types as parameter
-   [#35764](quarkusio/quarkus#35764) - Do not include revision and host-specific info in MANIFEST.MF
-   [#35762](quarkusio/quarkus#35762) - Delete temporary openshift files
-   [#35759](quarkusio/quarkus#35759) - Upgrade Smallrye OpenAPI to 3.5.2
-   [#35757](quarkusio/quarkus#35757) - Update liquibase from 4.20.0 to 4.23.1, liquibase-mongodb to 4.23.0
-   [#35747](quarkusio/quarkus#35747) - Large files remain in /tmp after OpenShift deployments
-   [#35726](quarkusio/quarkus#35726) - Improve matching of config properties to a root
-   [#35722](quarkusio/quarkus#35722) - Since quarkus 3.3.0 a WARN message unrecognized configuration key "quarkus.kubernetes.route.expose" is logged
-   [#35718](quarkusio/quarkus#35718) - Packs libraries alongside executable in function.zip
-   [#35713](quarkusio/quarkus#35713) - AWS Lambda extension does not pack necessary .so files when AWT is used
-   [#35710](quarkusio/quarkus#35710) - Fix potential NPE in HTTP proxying
-   [#35706](quarkusio/quarkus#35706) - Azure-Functions crash when X-Forwarded headers are enabled java.lang.NullPointerException
-   [#35599](quarkusio/quarkus#35599) - Keycloak/Quarkus Issues: Dev and Prod
-   [#35598](quarkusio/quarkus#35598) - Improve Error-Message for missing Embedabbles
-   [#35558](quarkusio/quarkus#35558) - Widen conditions under RESTEasy Reactive Server and RESTEasy Classic Client can work together
-   [#12260](quarkusio/quarkus#12260) - Quarkus logging with compress option

</details>

<details>
<summary>quarkusio/quarkus-platform</summary>

### [`v3.4.1`](quarkusio/quarkus-platform@3.3.3...3.4.1)

[Compare Source](quarkusio/quarkus-platform@3.3.3...3.4.1)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).