quarkiverse / quarkus-renarde

Server-side Web Framework with Qute templating, magic/easier controllers, auth, reverse-routing
Apache License 2.0
73 stars, 16 forks

Bugfix/43 Apple revoke use-case #205

Open RasDeaks opened 3 months ago

RasDeaks commented 3 months ago

Hello! I've tried to implement the revocation use-case; it contains:

See https://github.com/FroMage/quarkus-renarde-todo/pull/7 for usage.

Let me know if this helps, I'd be glad to contribute. I'm open for review, I can update my work if needed.

sberyozkin commented 2 months ago

@RasDeaks It is a nicely done PR, but indeed, hopefully we can get Quarkus do it for Renarde, as @FroMage also suggests.

At the moment, the option which will work is to configure OIDC client, for example:

quarkus.oidc-client.apple.auth-server-url=${quarkus.oidc.apple.auth-server-url}
# etc. for the other properties which are injected in this PR in the revocation controller

and then in the controller:

@NamedOidcClient("apple")
@Inject
OidcClient appleClient;

@Inject AccessTokenCredential at;

// and then
appleClient.revokeAccessToken(at.getToken());

The above should handle it, the revocation endpoint is expected to be discovered because Apple supports it and therefore it should be included in the discovery doc.

But I was thinking that may be quarkus-oidc could help it as well, without having to bring quarkus-oidc-client. quarkus-oidc already allows to inject OidcSession, which one can use to do the local logout and clear the session cookie:

@Inject OidcSession session;

@GET
void logout() {
    session.logout();
}

So may be we can have something like:

@Inject OidcSession session;

@GET
void revokeAccessAndLogout() {
    // revoke the access token and then clear the local session cookie
    session.revokeAccessAndLogout();
}

How about that ? That would be the simplest option for sure.

Or if you prefer to handle the revocation and the local session cookie deletion separately, we can do:

@Inject OidcSession session;

@GET
void revokeAccessAndLogout() {
    session.revokeAccess();
    session.logout();
}

RasDeaks commented 2 months ago
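The first option above (configure an OIDC client mirroring the tenant, then revoke through it) put together as an added example; this is not code from the PR, from Renarde or from Quarkus, and the proposed `session.revokeAccess()` API is not used because it does not exist yet. The `/auth/revoke` path, the `RevokeResource` class, the `org.acme.auth` package and the `apple` client name are assumptions; the Quarkus types named in the comment (`OidcClient`, `NamedOidcClient`, `AccessTokenCredential`, `OidcSession`) are the real ones, and `jakarta` imports assume Quarkus 3.

```java
package org.acme.auth; // hypothetical package

import java.net.URI;

import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.Response;

import io.quarkus.logging.Log;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.OidcSession;
import io.quarkus.oidc.client.NamedOidcClient;
import io.quarkus.oidc.client.OidcClient;

// Assumes application.properties mirrors the OIDC tenant into an OIDC client, as in the comment:
//   quarkus.oidc-client.apple.auth-server-url=${quarkus.oidc.apple.auth-server-url}
//   quarkus.oidc-client.apple.client-id=${quarkus.oidc.apple.client-id}
//   (plus the credential properties the PR injects into its revocation controller)
@Path("/auth")
public class RevokeResource {

    @Inject
    @NamedOidcClient("apple") // the client configured above
    OidcClient appleClient;

    @Inject
    AccessTokenCredential accessToken; // access token of the currently authenticated user

    @Inject
    OidcSession session;

    @GET
    @Path("/revoke")
    public Response revokeAccessAndLogout() {
        // Revoke first, while the token is still available from the session:
        // clearing the local session before revocation would lose it.
        boolean revoked = appleClient.revokeAccessToken(accessToken.getToken())
                .await().indefinitely();
        if (!revoked) {
            // A failed revocation must still end the local session, but it should be
            // recorded: the token stays valid at the provider until it expires.
            Log.warn("Access token revocation at OIDC client 'apple' was not confirmed");
        }
        // Now clear the local session cookie, which is what OidcSession.logout() does.
        session.logout().await().indefinitely();
        return Response.seeOther(URI.create("/")).build();
    }
}
```

Revocation is done through the OIDC client rather than `quarkus-oidc` itself, so this example needs the `quarkus-oidc-client` extension in addition to `quarkus-oidc`.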

Thanks for your help @sberyozkin. If I understand correctly, you're making a proposal to add this revoke call implementation in a future version of quarkus, right? It would be great, I think I prefer your second proposal. Let me know if I can help to implement this call on the quarkus-oidc side. At least I'll follow the progress.

sberyozkin commented 2 months ago

Thanks @RasDeaks for the feedback on Zulip. Indeed, having a standalone OidcSession.revokeAccess() seems best as one may want to treat the logout in a separate action. It should be of general help not only to Apple users.

If it can be of interest, then please open a Quarkus enhancement request and work on the PR (OidcSessionImpl has a resolver injected which you can use to get the current OIDC tenant context and get to OidcProvider, which uses OidcProviderClient; both should have methods to support the revocation, I guess they will return Uni<Void>, and OidcConfigurationMetadata should be updated to keep the revocation endpoint address, which one can get from the discovered metadata).

sberyozkin commented 2 months ago

@RasDeaks I was just typing my response and noticed your comment. It would be great if you could look at the Quarkus enhancement, it should be an interesting PR to look at, we can help you with Steph along the way.