Closed cflee closed 2 months ago
/cc @geoand (kotlin), @pedroigor (oidc), @sberyozkin (oidc,security)
I guess this is related to the TEST_SECURITY
credential type and now the OIDC mechanism which can clear out the cookie is skipped, but is found if the test security mechanism credential type is null. @michalvavrik, I wonder if it is possible to workaround it somehow...
I guess this is related to the
TEST_SECURITY
credential type and now the OIDC mechanism which can clear out the cookie is skipped, but is found if the test security mechanism credential type is null. @michalvavrik, I wonder if it is possible to workaround it somehow...
the issue has very nice reproducer and analysis, thanks @cflee , I'll have a look tomorrow
just to clarify actual behavior note is not spot on
The HTTP response from the local logout endpoint test does not clear the q_session and related cookies.
there are no q_session
cookie or others now, while previously with 3.10.2 response cookies were like
response cookies {q_auth_49a1d34d-ab0b-4e36-82d5-54fab57e19d8=49a1d34d-ab0b-4e36-82d5-54fab57e19d8, q_session=, q_session_at=, q_session_rt=}
I am not all that sure how they are useful if you are mocking security, but I'll try to fix it as it probably goes down to the mechanism priority; I'll get back to you when I know more or have a fix.
Actually, I know how to fix it as I considered this when I was writing #40059, but I need to do little research to what is proper behavior and write tests to make sure assumptions are correct.
Describe the bug
Behaviour of local logout in the Quarkus OIDC extension under
@TestSecurity
annotation conditions has changed. The test accessing an endpoint that performs a local logout no longer clears theq_session
and related cookies, while in practice when the endpoint is invoked externally in dev mode the response does still clear the cookies as expected.I have confirmed that this is still present against a snapshot build of the current
main
branch (git rev below). It does not occur with version 3.10.2. I have bisected this change to the commit fcdebde4e131fad3c6ef56503ea78bcb6e175dc4, the merge of PR #40059. Looking at the PR, I don't see any obvious reason why this test should start failing, so I am reporting this as a bug.Expected behavior
The HTTP response from the local logout endpoint test will clear the
q_session
and related cookies.Actual behavior
The HTTP response from the local logout endpoint test does not clear the
q_session
and related cookies.How to Reproduce?
Reproducer:
./mvnw test
, it should failquarkus.platform.version
property inpom.xml
to be 3.10.2./mvnw test
, it should now passThe test failure message with 3.11.1:
Output of
uname -a
orver
Darwin cf-lee-tp92p 23.5.0 Darwin Kernel Version 23.5.0: Wed May 1 20:14:38 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T6020 arm64
Output of
java -version
Quarkus version or git rev
c29652139610785174dd712bbb410d31a8765ba4
Build tool (ie. output of
mvnw --version
orgradlew --version
)Additional information
No response