Merge pull request quarkusio#47830 from sberyozkin/oidc_healthcheck

Add OIDC Health Check

Author: geoand

docs/src/main/asciidoc/security-oidc-expanded-configuration.adoc

@@ -1067,6 +1067,20 @@ You can observe an https://quarkus.io/guides/security-openid-connect-multitenanc
 
 You can register xref:security-openid-connect-multitenancy.adoc#tenant-config-resolver[TenantConfigResolver] and build the configuration dynamically, using `OicTenantConfig` builder API, using the request properties such as request path and headers for additional hints or retrieve the matching configuration from the external sources.
 
+.OIDC Health Check
+[options="header"]
+|====
+|Property name |Default |Description
+
+|quarkus.oidc.health.enabled |false|If the OIDC Health Readiness Check must be registered.
+|====
+
+This build-time property can be used to register an `OIDC Provider Health Readiness Check` when the `quarkus-smallrye-health` dependency is included. When the health check is registered, it uses HTTP HEAD to ping the well-known OIDC provider configuration endpoint for every configured OIDC tenant.
+
+Individual OIDC tenant statuses are `OK`, `Not Ready`, `Disabled`, `Unknown` and `Error`.
+
+The OIDC Health check status is `UP` if at least one of the OIDC tenants has an `OK` status and `DOWN` otherwise.
+
 [[typical-property-combinations]]
 == Typical property combinations
 

extensions/oidc/deployment/pom.xml

@@ -45,6 +45,15 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-jsonp-deployment</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-health-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-health-deployment</artifactId>
+            <optional>true</optional>
+        </dependency>
         <dependency>
             <groupId>org.eclipse.angus</groupId>
             <artifactId>angus-activation</artifactId>

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java

@@ -99,13 +99,15 @@
 import io.quarkus.oidc.runtime.OidcTokenCredentialProducer;
 import io.quarkus.oidc.runtime.OidcUtils;
 import io.quarkus.oidc.runtime.TenantConfigBean;
+import io.quarkus.oidc.runtime.health.OidcTenantHealthCheck;
 import io.quarkus.oidc.runtime.providers.AzureAccessTokenCustomizer;
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.quarkus.security.Authenticated;
 import io.quarkus.security.runtime.SecurityConfig;
 import io.quarkus.security.spi.AdditionalSecuredMethodsBuildItem;
 import io.quarkus.security.spi.ClassSecurityAnnotationBuildItem;
 import io.quarkus.security.spi.RegisterClassSecurityCheckBuildItem;
+import io.quarkus.smallrye.health.deployment.spi.HealthBuildItem;
 import io.quarkus.tls.deployment.spi.TlsRegistryBuildItem;
 import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
 import io.quarkus.vertx.http.deployment.EagerSecurityInterceptorBindingBuildItem;
@@ -472,6 +474,14 @@ public void registerAuthenticationContextInterceptor(Capabilities capabilities,
                                 .builder(Authenticated.class).buildWithTarget(c))));
     }
 
+    @BuildStep
+    public void registerHealthCheck(OidcBuildTimeConfig config, BuildProducer<HealthBuildItem> healthBuildItems,
+            Capabilities capabilities) {
+        if (config.healthEnabled() && capabilities.isPresent(Capability.SMALLRYE_HEALTH)) {
+            healthBuildItems.produce(new HealthBuildItem(OidcTenantHealthCheck.class.getName(), true));
+        }
+    }
+
     private static boolean areEagerSecInterceptorsSupported(Capabilities capabilities,
             VertxHttpBuildTimeConfig httpBuildTimeConfig) {
         if (httpBuildTimeConfig.auth().proactive()) {

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildTimeConfig.java

@@ -5,6 +5,7 @@
 import io.quarkus.runtime.annotations.ConfigRoot;
 import io.smallrye.config.ConfigMapping;
 import io.smallrye.config.WithDefault;
+import io.smallrye.config.WithName;
 
 /**
  * Build time configuration for OIDC.
@@ -31,4 +32,12 @@ public interface OidcBuildTimeConfig {
      */
     @WithDefault("true")
     boolean defaultTokenCacheEnabled();
+
+    /**
+     * Whether the OIDC extension should automatically register a health check for OIDC tenants
+     * when a Health Check capability is present.
+     */
+    @WithName("health.enabled")
+    @WithDefault("false")
+    boolean healthEnabled();
 }

extensions/oidc/runtime/pom.xml

@@ -45,6 +45,11 @@
             <groupId>jakarta.annotation</groupId>
             <artifactId>jakarta.annotation-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-health</artifactId>
+            <optional>true</optional>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-junit5-internal</artifactId>

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/health/OidcTenantHealthCheck.java

@@ -0,0 +1,106 @@
+package io.quarkus.oidc.runtime.health;
+
+import java.util.Map.Entry;
+
+import jakarta.inject.Inject;
+
+import org.eclipse.microprofile.health.HealthCheck;
+import org.eclipse.microprofile.health.HealthCheckResponse;
+import org.eclipse.microprofile.health.HealthCheckResponseBuilder;
+import org.eclipse.microprofile.health.Readiness;
+
+import io.quarkus.oidc.runtime.OidcProviderClientImpl;
+import io.quarkus.oidc.runtime.OidcUtils;
+import io.quarkus.oidc.runtime.TenantConfigBean;
+import io.quarkus.oidc.runtime.TenantConfigContext;
+import io.smallrye.mutiny.Uni;
+import io.vertx.mutiny.core.buffer.Buffer;
+import io.vertx.mutiny.ext.web.client.HttpRequest;
+
+@Readiness
+public class OidcTenantHealthCheck implements HealthCheck {
+    private static final String HEALTH_CHECK_NAME = "OIDC Provider Health Check";
+
+    private static final String OK_STATUS = "OK";
+    private static final String ERROR_STATUS = "Error";
+    private static final String DISABLED_STATUS = "Disabled";
+    private static final String UNKNOWN_STATUS = "Unknown";
+    private static final String NOT_READY_STATUS = "Not Ready";
+
+    @Inject
+    TenantConfigBean tenantConfigBean;
+
+    @Override
+    public HealthCheckResponse call() {
+        HealthCheckResponseBuilder builder = HealthCheckResponse.builder()
+                .name(HEALTH_CHECK_NAME)
+                .up();
+
+        String status = checkTenant(builder, OidcUtils.DEFAULT_TENANT_ID, tenantConfigBean.getDefaultTenant());
+        boolean atLeastOneTenantIsReady = OK_STATUS.equals(status);
+
+        for (Entry<String, TenantConfigContext> entry : tenantConfigBean.getStaticTenantsConfig().entrySet()) {
+            status = checkTenant(builder, entry.getKey(), entry.getValue());
+            if (!atLeastOneTenantIsReady) {
+                atLeastOneTenantIsReady = OK_STATUS.equals(status);
+            }
+        }
+
+        if (!atLeastOneTenantIsReady) {
+            builder.down();
+        }
+        return builder.build();
+    }
+
+    private static String checkTenant(HealthCheckResponseBuilder builder, String tenantId,
+            TenantConfigContext tenantConfigContext) {
+
+        if (tenantConfigContext.oidcConfig() == null) {
+            return null;
+        }
+        String name = tenantConfigContext.oidcConfig().clientName().orElse(tenantId);
+
+        String status = null;
+        if (tenantConfigContext.getOidcProviderClient() == null) {
+            if (!tenantConfigContext.oidcConfig().tenantEnabled()) {
+                status = DISABLED_STATUS;
+            } else if (!tenantConfigContext.ready()) {
+                status = NOT_READY_STATUS;
+            }
+        } else if (tenantConfigContext.getOidcMetadata().getDiscoveryUri() == null) {
+            // We may introduce a metadata health property
+            status = UNKNOWN_STATUS;
+        } else {
+            try {
+                status = checkHealth(tenantConfigContext.getOidcProviderClient(),
+                        tenantConfigContext.getOidcMetadata().getDiscoveryUri()).await().indefinitely();
+            } catch (Exception e) {
+                status = ERROR_STATUS + ": " + e.getMessage();
+            }
+        }
+        if (status != null) {
+            builder.withData(name, status);
+        }
+        return status;
+    }
+
+    private static Uni<String> checkHealth(OidcProviderClientImpl oidcClient, String healthUri) {
+
+        HttpRequest<Buffer> request = oidcClient.getWebClient().headAbs(healthUri);
+        return request.send().onItem().transform(resp -> {
+            Buffer buffer = resp.body();
+            if (resp.statusCode() == 200) {
+                return OK_STATUS;
+            } else {
+                String errorMessage = buffer != null ? buffer.toString() : null;
+                if (errorMessage != null && !errorMessage.isEmpty()) {
+                    return ERROR_STATUS + ": " + errorMessage;
+                } else {
+                    return ERROR_STATUS;
+                }
+
+            }
+        });
+
+    }
+}

integration-tests/oidc-code-flow/pom.xml

@@ -22,6 +22,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-smallrye-jwt-build</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-health</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-resteasy-jackson</artifactId>
@@ -116,6 +120,19 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-health-deployment</artifactId>
+            <version>${project.version}</version>
+            <type>pom</type>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-resteasy-jackson-deployment</artifactId>

integration-tests/oidc-code-flow/src/main/resources/application.properties

@@ -1,7 +1,10 @@
+quarkus.oidc.health.enabled=true
+
 quarkus.keycloak.devservices.create-realm=false
 quarkus.keycloak.devservices.show-logs=true
 # Default tenant configuration
 quarkus.oidc.client-id=quarkus-app
+quarkus.oidc.client-name=Quarkus Keycloak
 quarkus.oidc.credentials.secret=secret
 quarkus.oidc.authentication.scopes=profile,email
 quarkus.oidc.authentication.redirect-path=/web-app

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java

@@ -42,6 +42,7 @@
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.keycloak.client.KeycloakTestClient;
 import io.restassured.RestAssured;
+import io.restassured.response.Response;
 import io.smallrye.jwt.build.Jwt;
 import io.smallrye.jwt.util.KeyUtils;
 import io.vertx.core.json.JsonObject;
@@ -140,9 +141,24 @@ public void testCodeFlowNoConsent() throws IOException {
                     .then().statusCode(401);
 
             webClient.getCookieManager().clearCookies();
+
+            checkHealth();
         }
     }
 
+    private static void checkHealth() {
+        Response healthReadyResponse = RestAssured.when().get("http://localhost:8081/q/health/ready");
+        JsonObject jsonHealth = new JsonObject(healthReadyResponse.asString());
+        JsonObject oidcCheck = jsonHealth.getJsonArray("checks").getJsonObject(0);
+        assertEquals("UP", oidcCheck.getString("status"));
+        assertEquals("OIDC Provider Health Check", oidcCheck.getString("name"));
+
+        JsonObject data = oidcCheck.getJsonObject("data");
+        assertEquals("OK", data.getString("tenant-nonce"));
+        assertEquals("OK", data.getString("Quarkus Keycloak"));
+
+    }
+
     @Test
     public void testCodeFlowScopeError() throws IOException {
         try (final WebClient webClient = createWebClient()) {

integration-tests/oidc-dpop/pom.xml

@@ -32,6 +32,23 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-health</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-health-deployment</artifactId>
+            <version>${project.version}</version>
+            <type>pom</type>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-rest</artifactId>