OIDC Token Propagation with Google

[faermanj]

Hello,

I'm building a simple example API and Application, with a "WhoAmIResource" (API) returning only the user basic info (isAnonymous, name, ...) and a "WhoAmIClient" (APP) on the client side consuming that.

Using only google as the identity provider.

From the API side, using bearer token, everything seem to authenticate and work fine.

From the APP side (Vaadin), the rest client gest inject but does not work properly. The invocation is made without the authentication header and no method on the injected accessToken responds.
No error on the browser or terminal.

Here is the code in question...

@Dependent
public class AuthClientHeader implements ClientHeadersFactory {
    @Inject
    JsonWebToken accessToken;

    @Override
    public MultivaluedMap<String, String> update(
        MultivaluedMap<String, String> inHeaders, 
        MultivaluedMap<String, String> outHeaders) {
        if (accessToken != null){
            //EXECUTION GETS HERE
            var token = "Bearer " + accessToken.getRawToken();
            //BUT NOT HERE
            return new MultivaluedHashMap<String, String>(){{
                add("Authorization", token);
            }};
        } else {
            System.out.println("No accessToken found");
        }
        return new MultivaluedHashMap<String, String>(){};
    }

In the UI:

@Route("/user/whoami")
public class WhoAmIView extends VerticalLayout {
    @Inject @RestClient
    WhoAmIClient whoami;
....
Button button = new Button("WHOAMI", e -> {
            var result = "?";
            
            add(new Paragraph("TESTE 1"));
            // EXECUTION GETS HERE
            var ud = whoami.getUserDetails();
            // BUT NEVER HERE, API RECEIVES WITHOUT HEADERS
            add(new Paragraph("TESTE 2"));
        });

In the rest client

@RegisterRestClient(configKey = "whoami")
@RegisterProvider(AccessTokenRequestReactiveFilter.class)
@RegisterClientHeaders(AuthClientHeader.class)
public interface WhoAmIClient {
    @GET
    public UserDetails getUserDetails();
}

Is there any tutorial, example or content around this, other than the official docs?
Totally lost here, thanks in advance for any help.

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

Hi @faermanj

https://quarkus.io/guides/security-openid-connect-client-reference#token-propagation-reactive shows how to do it:

@RegisterRestClient(configKey = "whoami")
// This is simpler than registering the filter directly
@AccessToken
public interface WhoAmIClient {
    @GET
    public UserDetails getUserDetails();
}

No need to have the custom client header factory, it is probably interfering.
Can you re-try please ? We have recently demoed the token propagation in a similar fashion for Google calendar

[sberyozkin]

I will try to prioritize on #33053 and add the propagation note. It will be linked to from https://quarkus.io/guides/security-openid-connect-providers#google as well

[sberyozkin]

@faermanj By the way, you mentioned the bearer token is verified, can I ask you how you configured Quarkus to make it happening ? The problem with Google bearer tokens they are binary tokens and Google offers no introspection endpoint so it has to be verified via the user info acquisition - quarkus.oidc.provider=google takes care of all the required config but quarkus.oidc.application-type has to be either service or hybrid.

[sberyozkin]

Can you also please create a simple reproducer ? I'm surprised that you have JsonWebToken accessToken; injection not failing as the Google bearer tokens are binary/opaque. Upload a zip or create a Github project and I'll have a look

[faermanj]

Thanks a lot @sberyozkin i'll look into the references you posted
Also, to build this example for anyone else trying, I'll put up in new repo with disposable keys and share here soon

[faermanj]

Here's a PR with only this OIDC "who am I" demo with API and APP projects, using google for auth.
It is a simple "pizza app" I'm using to demo quarkus in Portuguese on youtube (quarkus.pizza):

codeshow/qpizza#5

One thing I'm not quite sure is how to declare that "/user/" is for authenticated users (any role) and / is public.
Here is my attempt:

quarkus.http.auth.permission.permit1.paths=*                           
quarkus.http.auth.permission.permit1.policy=permit

quarkus.http.auth.permission.roles1.paths=/user/*
quarkus.http.auth.permission.roles1.policy=any1
quarkus.http.auth.policy.any1.roles-allowed=**

https://github.com/codeshow/qpizza/pull/5/files#diff-0ccacb93fb97b1249b114af6108ef5ba6c6427a1c9e557b257f4f825b7db757bR11

Current status:
API seems to work OK
APP does not redirect to google, goes straight to 401 (forbidden).

@sberyozkin Added your gmail address to google test users, thanks a lot for helping out

[sberyozkin]

@faermanj Thanks,

As far as qpizza-app is concerned, here are the changes I've done just to narrow down the problem as well as do some minor cleanup:

diff --git a/qpizza-app/pom.xml b/qpizza-app/pom.xml
index be7fe57..66b8ceb 100644
--- a/qpizza-app/pom.xml
+++ b/qpizza-app/pom.xml
@@ -47,15 +47,7 @@
     </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-oidc-client</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-oidc-client-reactive-filter</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-oidc-client-filter</artifactId>
+      <artifactId>quarkus-oidc-token-propagation-reactive</artifactId>
     </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
diff --git a/qpizza-app/src/main/java/qpizza/app/WhoAmIView.java b/qpizza-app/src/main/java/qpizza/app/WhoAmIView.java
index 1dc7103..678fbf9 100644
--- a/qpizza-app/src/main/java/qpizza/app/WhoAmIView.java
+++ b/qpizza-app/src/main/java/qpizza/app/WhoAmIView.java
@@ -21,10 +21,11 @@ public class WhoAmIView extends VerticalLayout {
 
     private void invokeWhoAmI() {
         add(new Paragraph("Let's check..."));
-        var info = client.getWhoAmI();
-        var isAnonymous = info.get("isAnonymous");
-        var name = info.get("name");
-        var msg = "anonymous ? " + isAnonymous + " ";
-        add(new Paragraph(msg));
+        //var info = client.getWhoAmI();
+        //var isAnonymous = info.get("isAnonymous");
+        //var name = info.get("name");
+        //var msg = "anonymous ? " + isAnonymous + " ";
+        //add(new Paragraph(msg));
+        add(new Paragraph("anonymous"));
     }
 }
diff --git a/qpizza-app/src/main/resources/application-dev.properties b/qpizza-app/src/main/resources/application-dev.properties
index 52b2528..301a50c 100644
--- a/qpizza-app/src/main/resources/application-dev.properties
+++ b/qpizza-app/src/main/resources/application-dev.properties
@@ -8,12 +8,9 @@ quarkus.oidc.provider=google
 quarkus.oidc.client-id=454545122196-mkr7m7qf4tgkvgtmpd0tb3m048odipko.apps.googleusercontent.com
 quarkus.oidc.credentials.secret=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
 
-quarkus.http.auth.permission.permit1.paths=*                           
-quarkus.http.auth.permission.permit1.policy=permit
+quarkus.log.category."io.quarkus.oidc.runtime.CodeAuthneticationMechanism".level=TRACE
+quarkus.log.category."io.quarkus.oidc.runtime.CodeAuthneticationMechanism".min-level=TRACE
 
 quarkus.http.auth.permission.roles1.paths=/user/*
-quarkus.http.auth.permission.roles1.policy=any1
-quarkus.http.auth.policy.any1.roles-allowed=**
+quarkus.http.auth.permission.roles1.policy=authenticated
 
-org.eclipse.microprofile.rest.client.propagateHeaders=Authorization,Proxy-Authorization
-quarkus.oidc.authentication.user-info-required=true

First, since you'd like to propagate the tokens, as opposed to produce them, you need quarkus-oidc-token-propagation-reactive.

I've also left only a permission policy requiring that /users/* is authenticated for now, and updated WhoAmIView.java to avoid making a client call for now.

And you don't need org.eclipse.microprofile.rest.client.propagateHeaders=Authorization,Proxy-Authorization, the token propagation feature will take care for correctly propagating the code flow access token - it is not coming from Authorization.
UserInfo is also not needed in this case.

Indeed, if I access localhost:8888/user/whoami I'm getting an error, 400: Google fails with Request details: redirect_uri=http://localhost:8888/user/whoami - can you add this redirect URI to the test application ? Or what is correct redirect url ?
401 was reported earlier - please clean the browser history - you may have state cookies left around

[sberyozkin]

@faermanj It may well be the only problem that you have in this reproducer is that you don't have a quarkus-oidc-token-propagation-reactive - try it, without org.eclipse.microprofile.rest.client.propagateHeaders, with a specific authentication policy only as shown above, and it should work.

[faermanj]

@sberyozkin thank you very much, that did it!

[sberyozkin]

Good news, thanks

[faermanj]

@sberyozkin next up i'll try to implement Amazon Cognito authentication too... let's see how that goes :)

Also, I'll be recording this as an episode of the show, anything you'd suggest people should know/read before implementing OIDC with Quarkus?

[sberyozkin]

Sure, will try to put some summary in the next couple of days here, thanks

[sberyozkin]

Hey @faermanj Thanks for the tweet, I realized I did not get back here with some more info.
Right, so for users working with Quarkus OIDC, the authorization code flow, in particular, we recommend:

• https://quarkus.io/guides/security-oidc-code-flow-authentication-tutorial (to get started with something simple).
• https://quarkus.io/guides/security-oidc-code-flow-authentication-concept (more detailed information)
• check the well-known providers page https://quarkus.io/guides/security-openid-connect-providers (Twitch support is coming shortly, followed, possibly, by LinkedIn)
• OIDC multi-tenancy - very important concept if more than one provider has to be supported, say Google and Twitter: https://quarkus.io/guides/security-openid-connect-multitenancy, so one can configure each provider configuration in application.properties and resolve it with TenantResolver or create it dynamically on demand with TenantConfigResolver. The recent addition is that when the providers are configured in application.properties then no custom TenantResolver is needed if a simple convention is followed where an initial login request identifies the provider (and the tenant id), example, /login/twitter
• Token propagation is essential
• OIDC client doc-ed in the document is useful for applications which need to acquire tokens and submit them to targets

HTH