Describe the bug
OAuth2 providers such as GitHub do not issue an ID token, and in such cases Quarkus generates an internal ID token to be used for the session cookie. When this internal ID token has to be verified, its signature is verified using the secret that was used to sign it, for example the client secret.
Trying to verify such an internal ID token against GitHub or similar OAuth2 providers makes no sense.
The only token which must and can be verified against GitHub is the access token that is returned by GitHub. The Quarkus github provider is configured to verify it by accessing the GitHub UserInfo endpoint.
However, and it can happen mainly due to a user error, a GitHub access token verification can be triggered by the user adding @Inject JsonWebToken jwt; to the endpoint, which by default enforces the code flow access token verification.
As it happens, the OidcIdentityProvider code branch which completes the initial code flow access token verification and then proceeds to the ID token verification misses the fact that the ID token can be an internal one, and attempts to verify it against GitHub, which causes a confusing error. It does not happen on the main code branch, where the internal ID token is correctly verified as a local self-signed token.
See #43545 for more context.
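The verification split described above, as an added illustration that is not Quarkus code and not part of the original issue: the provider-issued access token is the only thing checked against the provider's UserInfo endpoint, while the internal ID token is an HS256 JWT verified locally with the client secret. The client secret, the opaque access token, the UserInfo stand-in (an in-memory table) and the "iss" marker used to recognise an internal token are all constructed for this example; the real Quarkus internal token layout and marker are not shown on the page and are not claimed here. complete_code_flow_buggy reproduces the mistaken ordering the issue describes, complete_code_flow the correct one.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for this illustration.
CLIENT_SECRET = b"constructed-client-secret"
# Assumed marker for internal tokens; the real Quarkus marker is not part of this example.
INTERNAL_ISSUER = "urn:example:quarkus-internal-id-token"
# Stand-in for the provider's UserInfo endpoint: it only knows provider-issued access tokens.
PROVIDER_ACCESS_TOKENS = {"gho_constructedAccessToken": {"login": "octocat"}}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def userinfo_lookup(token: str) -> dict:
    """Fake provider-side check: anything the provider did not issue is rejected."""
    if token not in PROVIDER_ACCESS_TOKENS:
        raise PermissionError("provider rejected token")
    return PROVIDER_ACCESS_TOKENS[token]


def make_internal_id_token(subject: str, secret: bytes, ttl: int = 300, now=None) -> str:
    """HS256 JWT signed with the client secret, standing in for the internal ID token."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": INTERNAL_ISSUER, "sub": subject, "iat": int(now), "exp": int(now) + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


def verify_internal_id_token(token: str, secret: bytes, now=None) -> dict:
    """Local verification: algorithm pinned to HS256, constant-time MAC check, then iss and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, tag_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != INTERNAL_ISSUER:
        raise ValueError("not an internal token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def _unverified_issuer(token: str) -> str:
    """Read the iss claim without trusting it; only used to choose the verification path."""
    parts = token.split(".")
    if len(parts) != 3:
        return ""
    return json.loads(_b64url_decode(parts[1])).get("iss", "")


def complete_code_flow_buggy(access_token: str, id_token: str, secret: bytes) -> dict:
    """The mistaken ordering from the issue: after the access token passes the provider
    check, the ID token is sent to the provider too, so an internal token is rejected."""
    user = userinfo_lookup(access_token)
    userinfo_lookup(id_token)  # raises PermissionError for the internal token
    return user


def complete_code_flow(access_token: str, id_token: str, secret: bytes, now=None) -> dict:
    """Correct ordering: provider check for the access token, local check for the
    internal ID token. A non-internal ID token is out of scope for this example."""
    user = userinfo_lookup(access_token)
    if _unverified_issuer(id_token) != INTERNAL_ISSUER:
        raise ValueError("provider-issued ID token: verify with the provider's signing keys")
    id_claims = verify_internal_id_token(id_token, secret, now=now)
    return {"userinfo": user, "id_claims": id_claims}
```

The issuer check happens twice on purpose: once unverified to pick the path, and again inside verify_internal_id_token after the MAC has been checked, so a forged "iss" cannot route a provider token into the local path without also forging a valid MAC under the client secret.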
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Output of uname -a or ver
No response
Output of java -version
No response
Quarkus version or git rev
No response
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
No response