OAuth2AuthProviderImpl loses Access Token after introspect call

chrispatmore commented 1 year ago

Version

Version: 4.3.8 +

Context

Whilst investigating 654, I discovered there is an issue when the AT does not validate as a JWT. In these cases (either its an invalid JWT as the code is concerned e.g. 654. or it is just an opaque token) the code then attempts a token introspect here if this passes we know the token is valid and the User is created here. However at this point the access_token is lost, the user placed into the context has no access_token so when I then try to make a userInfo call or some other request to the provider, I get rejected as I supplied an invalid token (no token, for example here). I have also noticed that since the version I am testing on a userInfo introspect has been added if there is no introspect endpoint here and this adds the token back to the user here

In short, the OAuth2AuthProviderImpl should be setting the access_token back into the User object when the token is valid, like happens when the token is validated using the userInfo endpoint. So that the token can then be used for future actions

Edit: This also then sets the subject in the user wrong in some cases, for example in the keycloak case, the json returned back from the introspect endpoint contains username which is then used to set the subject instead of the sub field in the response

Do you have a reproducer?

No

Steps to reproduce

configure an app with OIDC with a provider that gives "invalid JWTs e.g. keycloak with current code" or plain tokens
have the app perform a userInfo request with the AT
log in and get an access token
make an API call to the app with the access token
request will fail because the user info call will fail

vietj commented 11 months ago

@pmlopes do you mind having a look ?

chrispatmore commented 10 months ago

Closing as PR merged

eclipse-vertx / vertx-auth