[ELY-2362] Add support for the bearer-only option when using the OIDC HTTP mechanism #1735
Conversation
…y parameter can be processed appropriately
…ials obtained from Basic auth
| log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), facade.getRequest().getURI(), deployment.getResourceName()); | ||
| } | ||
|
|
||
| protected boolean isAutodetectedBearerOnly(OidcHttpFacade.Request request) { |
There was a problem hiding this comment.
@fjuma Just a minor, the request is unused. The below calls to facade.getRequest() can be substituted for the request passed to the method
There was a problem hiding this comment.
Good catch! I've updated the method to remove the parameter since it's not needed.
| throw log.noMessageEntity(); | ||
| } | ||
| InputStream is = entity.getContent(); | ||
| try { |
There was a problem hiding this comment.
Just a minor, this could be chaged to try with resources:
try (InputStream is = entity.getContent()) {
tokenResponse = JsonSerialization.readValue(is, AccessAndIDTokenResponse.class);
}
| public static final String ERROR = "error"; | ||
| public static final String ERROR_DESCRIPTION = "error_description"; | ||
| public static final String INVALID_TOKEN = "invalid_token"; | ||
| public static final String STALE_TOKEN = "Stale token"; |
There was a problem hiding this comment.
Is it the specs / prior implementation that gives this one a different format?
There was a problem hiding this comment.
This is the format used by the prior adapter. STALE_TOKEN is different because it's a description of the error. As an example,
this would look something like:
"error=invalid_token,error_description=Stale token"
| /** | ||
| * Bearer token pattern. | ||
| */ | ||
| public static final Pattern BEARER_TOKEN_PATTERN = Pattern.compile("^Bearer *([^ ]+) *$", Pattern.CASE_INSENSITIVE); |
There was a problem hiding this comment.
I know it is only a fairly simple pattern but could be useful to add to the comment the intent for the pattern so anyone debugging issues later can cross check.
This is private API but none of these classes are needed outside the package anyway so have updated them so they are no longer public. Thanks! |
|
@fjuma thanks for the update, sounds like this can merge once CI completes. |
https://issues.redhat.com/browse/ELY-2362
This PR adds support for the bearer-only option when using OIDC. This includes the following:
Authorizationheaderaccess_tokenquery parameterHTTP BASICauth that will be used to obtain the bearer tokenNote that this matches the functionality that was present when using the OIDC mechanism provided by the Keycloak OIDC adapter.