
Accept signed OIDC UserInfo #42519

Merged (1 commit, Aug 13, 2024)

Conversation

@sberyozkin (Member) commented Aug 13, 2024

Fixes #42341.

Quarkus OIDC may request UserInfo from the OIDC provider, in addition to a signed ID token in the JWT format.
Typically, UserInfo is returned as a plain JSON.

However, the OIDC spec also allows returning signed UserInfo, i.e., as a JWT token:

https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

To handle signed UserInfo, Quarkus needs to verify it like any other JWT token, and then get the UserInfo JSON out of this token.

So this PR does a simple enough fix to meet this spec requirement:

  • If the UserInfo response media type is application/jwt, then a signed UserInfo JWT is expected and it goes through the same verification process that a regular JWT token such as an IdToken goes through. The only reason there is a bit of copy and paste there is that with regular JWT tokens some requirements like enforcing the audience verification may be optional, while with the signed UserInfo it is required, whereas things like the nonce and sub claims are not required.
  • Once the JWT is verified, UserInfo is initialized with the secured JSON.
  • Updated one of the OIDC wiremock tests to return a signed UserInfo and to check the log to confirm that this was indeed the case; the signed UserInfo form only exists during the response from the OIDC server to Quarkus OIDC, so it is tricky to confirm it otherwise.

@quarkus-bot (bot) commented Aug 13, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit c358c25.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@sberyozkin (Member, Author) commented

Thanks @gastaldi, let me merge. @pedroigor, please ping me if you have any questions; it is indeed only about detecting if UserInfo is wrapped in the JWT container and, if yes, extracting it after verifying the JWT signature.

@sberyozkin sberyozkin merged commit 64f0196 into quarkusio:main Aug 13, 2024
23 checks passed
@quarkus-bot quarkus-bot bot added the kind/enhancement New feature or request label Aug 13, 2024
@sberyozkin sberyozkin deleted the signed_user_info branch August 13, 2024 17:05
@quarkus-bot quarkus-bot bot added this to the 3.14 - main milestone Aug 13, 2024
@airone-x1 commented Aug 29, 2024

Hello,

My tests on version 3.14.0.CR1 are not conclusive, same error. The JWT response is not handled as such but as simple JSON.

The userinfo endpoint returns a content-type "application/jwt; charset=utf-8".
I see in the changes a strict test on "application/jwt" (OIDCProvider.java), which may be the reason.

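The media-type check and the signed-UserInfo verification rules from the PR description above, together with the "application/jwt; charset=utf-8" case airone-x1 raises, as an added Python example that is not Quarkus code. It assumes an HS256 shared secret and constructed claims, and models the rules (iss and aud mandatory, nonce and sub optional; parameters after the media type ignored) rather than the Quarkus OIDC API.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def is_signed_userinfo(content_type: str) -> bool:
    # Compare the media type only, so parameters such as "; charset=utf-8"
    # (the case airone-x1 reports) do not defeat the check.
    return content_type.split(";", 1)[0].strip().lower() == "application/jwt"


def verify_userinfo_jwt(token: str, secret: bytes, audience: str, issuer: str) -> dict:
    # Same JWS verification a regular ID token gets, with the signed-UserInfo rules
    # from the PR: iss and aud are mandatory, nonce and sub are not. HS256 with a
    # shared secret keeps this stdlib-only; real providers usually sign with RS256.
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # also rejects alg "none"
        raise ValueError("unsupported alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def make_userinfo_jwt(claims: dict, secret: bytes) -> str:
    # Stands in for the OIDC provider producing a signed UserInfo response.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def read_userinfo(content_type: str, body: str, secret: bytes, audience: str, issuer: str) -> dict:
    # Plain JSON is parsed as-is; application/jwt must pass verification first.
    if is_signed_userinfo(content_type):
        return verify_userinfo_jwt(body, secret, audience, issuer)
    return json.loads(body)
```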
Successfully merging this pull request may close these issues.

OIDC - Unable to read signed / jwt UserInfo response