Use CredentialProvider in OAUTH2 provider

Signed-off-by: gabriel-farache <[email protected]>

Author: gabriel-farache

client/deployment/src/main/java/io/quarkiverse/openapi/generator/deployment/GeneratorProcessor.java

@@ -162,6 +162,7 @@ void produceOauthAuthentication(CombinedIndexBuildItem beanArchiveBuildItem,
                     .annotation(OpenApiSpec.class)
                     .addValue("openApiSpecId", openApiSpecId)
                     .done()
+                    .addInjectionPoint(ClassType.create(DotName.createSimple(CredentialsProvider.class)))
                     .addInjectionPoint(ClassType.create(OAuth2AuthenticationProvider.OidcClientRequestFilterDelegate.class),
                             AnnotationInstance.builder(OidcClient.class).add("name", sanitizeAuthName(name)).build())
                     .createWith(oidcRecorder.recordOauthAuthProvider(sanitizeAuthName(name), openApiSpecId, operations))

client/oidc/src/main/java/io/quarkiverse/openapi/generator/oidc/ClassicOidcClientRequestFilterDelegate.java

@@ -7,6 +7,7 @@
 import jakarta.ws.rs.Priorities;
 import jakarta.ws.rs.client.ClientRequestContext;
 import jakarta.ws.rs.client.ClientRequestFilter;
+import jakarta.ws.rs.core.HttpHeaders;
 
 import org.jboss.logging.Logger;
 
@@ -41,7 +42,7 @@ protected java.util.Optional<String> clientId() {
     public void filter(ClientRequestContext requestContext) throws IOException {
         try {
             String accessToken = this.getAccessToken();
-            requestContext.getHeaders().add("Authorization", "Bearer " + accessToken);
+            requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken);
         } catch (DisabledOidcClientException ex) {
             LOG.debug("Client is disabled, acquiring and propagating the token is not necessary");
         } catch (RuntimeException ex) {

client/oidc/src/main/java/io/quarkiverse/openapi/generator/oidc/OidcAuthenticationRecorder.java

@@ -6,6 +6,7 @@
 import io.quarkiverse.openapi.generator.OidcClient;
 import io.quarkiverse.openapi.generator.oidc.providers.OAuth2AuthenticationProvider;
 import io.quarkiverse.openapi.generator.providers.AuthProvider;
+import io.quarkiverse.openapi.generator.providers.CredentialsProvider;
 import io.quarkiverse.openapi.generator.providers.OperationAuthInfo;
 import io.quarkus.arc.SyntheticCreationalContext;
 import io.quarkus.runtime.annotations.Recorder;
@@ -20,6 +21,6 @@ public Function<SyntheticCreationalContext<AuthProvider>, AuthProvider> recordOa
         return context -> new OAuth2AuthenticationProvider(name, openApiSpecId,
                 context.getInjectedReference(OAuth2AuthenticationProvider.OidcClientRequestFilterDelegate.class,
                         new OidcClient.Literal(name)),
-                operations);
+                operations, context.getInjectedReference(CredentialsProvider.class));
     }
 }

client/oidc/src/main/java/io/quarkiverse/openapi/generator/oidc/providers/OAuth2AuthenticationProvider.java

@@ -12,9 +12,10 @@
 import org.slf4j.LoggerFactory;
 
 import io.quarkiverse.openapi.generator.providers.AbstractAuthProvider;
+import io.quarkiverse.openapi.generator.providers.AuthUtils;
 import io.quarkiverse.openapi.generator.providers.ConfigCredentialsProvider;
+import io.quarkiverse.openapi.generator.providers.CredentialsProvider;
 import io.quarkiverse.openapi.generator.providers.OperationAuthInfo;
-import io.quarkus.oidc.common.runtime.OidcConstants;
 
 public class OAuth2AuthenticationProvider extends AbstractAuthProvider {
 
@@ -24,19 +25,32 @@ public class OAuth2AuthenticationProvider extends AbstractAuthProvider {
 
     public OAuth2AuthenticationProvider(String name,
             String openApiSpecId, OidcClientRequestFilterDelegate delegate, List<OperationAuthInfo> operations) {
-        super(name, openApiSpecId, operations, new ConfigCredentialsProvider());
+        this(name, openApiSpecId, delegate, operations, new ConfigCredentialsProvider());
+    }
+
+    public OAuth2AuthenticationProvider(String name,
+            String openApiSpecId, OidcClientRequestFilterDelegate delegate, List<OperationAuthInfo> operations,
+            CredentialsProvider credentialsProvider) {
+        super(name, openApiSpecId, operations, credentialsProvider);
         this.delegate = delegate;
         validateConfig();
     }
 
     @Override
     public void filter(ClientRequestContext requestContext) throws IOException {
-        if (isTokenPropagation()) {
-            String bearerToken = getTokenForPropagation(requestContext.getHeaders());
-            bearerToken = sanitizeBearerToken(bearerToken);
-            requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, OidcConstants.BEARER_SCHEME + " " + bearerToken);
+        String bearerToken;
+
+        if (this.isTokenPropagation()) {
+            bearerToken = this.getTokenForPropagation(requestContext.getHeaders());
         } else {
             delegate.filter(requestContext);
+            bearerToken = this.getCredentialsProvider().getOauth2BearerToken(requestContext);
+        }
+
+        if (bearerToken != null && !bearerToken.isBlank()) {
+            requestContext.getHeaders().remove(HttpHeaders.AUTHORIZATION);
+            requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION,
+                    AuthUtils.authTokenOrBearer("Bearer", AbstractAuthProvider.sanitizeBearerToken(bearerToken)));
         }
     }
 

client/oidc/src/test/java/io/quarkiverse/openapi/generator/oidc/OAuth2AuthenticationProviderTest.java

@@ -8,6 +8,11 @@
 import java.util.Optional;
 import java.util.stream.Stream;
 
+import jakarta.ws.rs.client.ClientRequestContext;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.MultivaluedHashMap;
+import jakarta.ws.rs.core.MultivaluedMap;
+
 import org.assertj.core.api.Assertions;
 import org.eclipse.microprofile.config.Config;
 import org.eclipse.microprofile.config.ConfigProvider;
@@ -26,11 +31,6 @@
 import io.quarkiverse.openapi.generator.oidc.providers.OAuth2AuthenticationProvider;
 import io.quarkus.oidc.client.Tokens;
 
-import jakarta.ws.rs.client.ClientRequestContext;
-import jakarta.ws.rs.core.HttpHeaders;
-import jakarta.ws.rs.core.MultivaluedHashMap;
-import jakarta.ws.rs.core.MultivaluedMap;
-
 @ExtendWith(MockitoExtension.class)
 public class OAuth2AuthenticationProviderTest {
     private static final String OPEN_API_FILE_SPEC_ID = "open_api_file_spec_id_json";

client/oidc/src/test/java/io/quarkiverse/openapi/generator/oidc/ReactiveOAuth2AuthenticationProviderTest.java

@@ -8,6 +8,11 @@
 import java.util.Optional;
 import java.util.stream.Stream;
 
+import jakarta.ws.rs.client.ClientRequestContext;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.MultivaluedHashMap;
+import jakarta.ws.rs.core.MultivaluedMap;
+
 import org.assertj.core.api.Assertions;
 import org.eclipse.microprofile.config.Config;
 import org.eclipse.microprofile.config.ConfigProvider;
@@ -28,11 +33,6 @@
 import io.quarkus.oidc.client.Tokens;
 import io.smallrye.mutiny.Uni;
 
-import jakarta.ws.rs.client.ClientRequestContext;
-import jakarta.ws.rs.core.HttpHeaders;
-import jakarta.ws.rs.core.MultivaluedHashMap;
-import jakarta.ws.rs.core.MultivaluedMap;
-
 @ExtendWith(MockitoExtension.class)
 public class ReactiveOAuth2AuthenticationProviderTest {
     private static final String OPEN_API_FILE_SPEC_ID = "open_api_file_spec_id_json";

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/AbstractAuthProvider.java

@@ -60,22 +60,33 @@ public String getName() {
     }
 
     public boolean isTokenPropagation() {
-        return ConfigProvider.getConfig()
-                .getOptionalValue(getCanonicalAuthConfigPropertyName(AuthConfig.TOKEN_PROPAGATION), Boolean.class)
-                .orElse(false);
+        return isTokenPropagation(getOpenApiSpecId(), getName());
     }
 
-    public String getTokenForPropagation(MultivaluedMap<String, Object> httpHeaders) {
-        String headerName = getHeaderName() != null ? getHeaderName() : HttpHeaders.AUTHORIZATION;
-        String propagatedHeaderName = propagationHeaderName(getOpenApiSpecId(), getName(), headerName);
+    public static String getTokenForPropagation(MultivaluedMap<String, Object> httpHeaders, String openApiSpecId,
+            String authName) {
+        String headerName = getHeaderName(openApiSpecId, authName) != null ? getHeaderName(openApiSpecId, authName)
+                : HttpHeaders.AUTHORIZATION;
+        String propagatedHeaderName = propagationHeaderName(openApiSpecId, authName, headerName);
         return Objects.toString(httpHeaders.getFirst(propagatedHeaderName));
     }
 
+    public String getTokenForPropagation(MultivaluedMap<String, Object> httpHeaders) {
+        return getTokenForPropagation(httpHeaders, getOpenApiSpecId(), getName());
+    }
+
     public String getHeaderName() {
         return ConfigProvider.getConfig()
                 .getOptionalValue(getCanonicalAuthConfigPropertyName(AuthConfig.HEADER_NAME), String.class).orElse(null);
     }
 
+    public static String getHeaderName(String openApiSpecId, String authName) {
+        return ConfigProvider.getConfig()
+                .getOptionalValue(getCanonicalAuthConfigPropertyName(AuthConfig.HEADER_NAME, openApiSpecId, authName),
+                        String.class)
+                .orElse(null);
+    }
+
     @Override
     public List<OperationAuthInfo> operationsToFilter() {
         return applyToOperations;
@@ -88,4 +99,15 @@ public final String getCanonicalAuthConfigPropertyName(String authPropertyName)
     public static String getCanonicalAuthConfigPropertyName(String authPropertyName, String openApiSpecId, String authName) {
         return String.format(CANONICAL_AUTH_CONFIG_PROPERTY_NAME, openApiSpecId, authName, authPropertyName);
     }
+
+    public static boolean isTokenPropagation(String openApiSpecId, String authName) {
+        return ConfigProvider.getConfig()
+                .getOptionalValue(getCanonicalAuthConfigPropertyName(AuthConfig.TOKEN_PROPAGATION, openApiSpecId, authName),
+                        Boolean.class)
+                .orElse(false);
+    }
+
+    public CredentialsProvider getCredentialsProvider() {
+        return credentialsProvider;
+    }
 }

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/ConfigCredentialsProvider.java

@@ -4,6 +4,7 @@
 import jakarta.enterprise.context.Dependent;
 import jakarta.enterprise.inject.Alternative;
 import jakarta.ws.rs.client.ClientRequestContext;
+import jakarta.ws.rs.core.HttpHeaders;
 
 import org.eclipse.microprofile.config.ConfigProvider;
 import org.slf4j.Logger;
@@ -63,4 +64,8 @@ public String getBearerToken(ClientRequestContext requestContext, String openApi
                 .orElse("");
     }
 
+    @Override
+    public String getOauth2BearerToken(ClientRequestContext requestContext) {
+        return requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
+    }
 }

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/CredentialsProvider.java

@@ -44,4 +44,12 @@ public interface CredentialsProvider {
      * @return the Bearer Token to use when filtering the request
      */
     String getBearerToken(ClientRequestContext requestContext, String openApiSpecId, String authName);
+
+    /**
+     * Gets the OAuth2 Bearer Token given the OpenAPI definition and security schema
+     *
+     * @param requestContext The current request context in which set the authorization header token
+     * @return the Bearer Token to use when filtering the request
+     */
+    String getOauth2BearerToken(ClientRequestContext requestContext);
 }