Fix OidcClient duplicating the client_id for the public client #26637
Conversation
| @@ -109,7 +109,7 @@ public Uni<Tokens> get() { | |||
| body.add(OidcConstants.CLIENT_ASSERTION, jwt); | |||
| } | |||
| } else if (!OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) { | |||
| body.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get()); | |||
| body = copyMultiMap(body).add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get()); | |||
There was a problem hiding this comment.
Isn't changing to set enough here?
There was a problem hiding this comment.
@gastaldi Sorry, forgot to add a comment relating to set, since OidcClient will be reused by multiple threads, I decided to avoid set
There was a problem hiding this comment.
Copying the MultiMap is fine, my question was more that if you call add again you will end up with more than one ClientID in the Map?
There was a problem hiding this comment.
Hey @gastaldi, sorry for asking to review on Sunday :-).
I see, so, in the original map client id is not present, this copy is created per every request and I guess, either set or add will do. I've added a test, as you can see in the original issue the duplication starts from a 2nd request (double add), so the test does 2 requests, I could confirm without the fix the 2nd request was failing.
if you'd like I can replace add with set, would not be a problem at all
There was a problem hiding this comment.
No biggie, just curious really ;)
There was a problem hiding this comment.
Hi George, just pushed a minor update, it is quiet today, so an extra CI run will not be a problem, set reads better for setting a single value property :-), thanks for the time
sberyozkin
force-pushed
the
oidc_client_duplicate_client_id
branch
from
7e704e6
to
8a00cfe
Compare
gastaldi
added
the
triage/waiting-for-ci
quarkus-bot
bot
removed
the
triage/waiting-for-ci
Fixes #26619.
OidcClienthas a cachedMultiMapwhich keeps some properties which are reused across multiple token requests (ex, it has a client id and secret set if the client post authentication is required, and scopes) - but if the public client is used to request a token then the same client id is added to the sameMultiMap.So this PR does a minor update, copies the map to have a request specific map if the client is public (as it does in other cases) and it fixes the problem, the test has been added.