
OIDC Client repeatedly adds client-id when no secret is specified #26619

Closed
darraghc345 opened this issue Jul 8, 2022 · 2 comments · Fixed by #26637
Labels
area/oidc kind/bug Something isn't working
Comments


darraghc345 commented Jul 8, 2022

Describe the bug

When configuring an OIDC client, if only the client-id is used for the request, then the client id will be concatenated to every request until a new instance of the client is created.

The issue comes from how the formBody is created.

OidcClientImpl.getJsonResponse(...) line 111

```java
else if (!OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
    body.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
}
```

We are using Quarkus version 2.7.5.Final.

Expected behavior

client-id should only be added to the request once.

As a workaround you can add a dummy client-secret to the oidc client configuration.

```properties
quarkus.oidc-client.credentials.client-secret.value=xxx
quarkus.oidc-client.credentials.client-secret.method=post
```

Actual behavior

client-id is concatenated to every request.

```java
import io.quarkus.oidc.client.NamedOidcClient;
import io.quarkus.oidc.client.OidcClient;
import io.smallrye.mutiny.Uni;
import javax.inject.Inject;

public class OidcClass {

  // Prefix for the Authorization header value (assumed value, not shown in the report)
  private static final String BEARER_KEYWORD = "Bearer ";

  @Inject
  @NamedOidcClient("test")
  OidcClient oidcClient;

  // Each call requests tokens from the named client and returns the bearer header value
  public Uni<String> getToken() {
    return oidcClient.getTokens().map(tokens -> BEARER_KEYWORD + tokens.getAccessToken());
  }
}
```

Calling getToken() multiple times results in the following form bodies for the http requests:

```text
------------------- 1st request -----------------------

grant_type=password
username=xxx
password=xxx
client_id=public

-------------------- 2nd request -------------------

grant_type=password
username=xxx
password=xxx
client_id=public
client_id=public

------------------- 3rd request ---------------

grant_type=password
username=xxx
password=xxx
client_id=public
client_id=public
client_id=public
```

How to Reproduce?

Configure an OidcClient with the following settings

```properties
quarkus.oidc-client.auth-server-url=xxx
quarkus.oidc-client.discovery-enabled=false
quarkus.oidc-client.token-path=/protocol/openid-connect/token
quarkus.oidc-client.client-id=public
quarkus.oidc-client.grant.type=password
quarkus.oidc-client.grant-options.password.username=xxx
quarkus.oidc-client.grant-options.password.password=xxx
```

@darraghc345 darraghc345 added the kind/bug Something isn't working label Jul 8, 2022
@quarkus-bot quarkus-bot bot added the area/oidc label Jul 8, 2022
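To illustrate the defect the report describes, here is an added Java model (not Quarkus's own code and not from the issue author) in which one form body is mutated on every request, beside a variant that copies the base body per request so `client_id` is sent once. The class name `FormBodyDemo`, the map-based body, and the `secretPost` flag standing in for the client-secret `method=post` check are assumptions; the parameter names and values mirror the report.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical model of the token-request form body (not Quarkus's own code):
// the grant parameters are prepared once, then client_id is appended when the
// client is public (no client-secret with method=post configured).
public class FormBodyDemo {
    static void add(Map<String, List<String>> body, String key, String value) {
        body.computeIfAbsent(key, k -> new ArrayList<>()).add(value);
    }

    // Base password-grant body built from configuration (constructed sample values).
    static Map<String, List<String>> baseBody() {
        Map<String, List<String>> body = new LinkedHashMap<>();
        add(body, "grant_type", "password");
        add(body, "username", "xxx");
        add(body, "password", "xxx");
        return body;
    }

    // Buggy pattern: the shared body is mutated on every request, so each call
    // appends one more client_id (1 copy, then 2, then 3).
    static Map<String, List<String>> buggyRequest(Map<String, List<String>> shared,
                                                   String clientId, boolean secretPost) {
        if (!secretPost) add(shared, "client_id", clientId);
        return shared;
    }

    // Fixed pattern: copy the base body per request, so client_id appears once.
    static Map<String, List<String>> fixedRequest(Map<String, List<String>> base,
                                                   String clientId, boolean secretPost) {
        Map<String, List<String>> body = new LinkedHashMap<>();
        base.forEach((k, v) -> body.put(k, new ArrayList<>(v)));
        if (!secretPost) add(body, "client_id", clientId);
        return body;
    }

    public static void main(String[] args) {
        Map<String, List<String>> shared = baseBody();
        for (int i = 1; i <= 3; i++)
            System.out.println("buggy request " + i + ": " + buggyRequest(shared, "public", false));
        Map<String, List<String>> base = baseBody();
        for (int i = 1; i <= 3; i++)
            System.out.println("fixed request " + i + ": " + fixedRequest(base, "public", false));
    }
}
```

Running it prints the buggy body with `client_id=[public]`, then `[public, public]`, then `[public, public, public]`, matching the three request bodies in the report, while the fixed variant prints a single `client_id` each time.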

quarkus-bot bot commented Jul 8, 2022

/cc @pedroigor, @sberyozkin

Member

sberyozkin commented Jul 8, 2022

Sure, the situation where a password grant is used with a public client has never been considered; I'm assuming it is a test case scenario as opposed to the production case. But we'll need to fix it anyway.
