issue-1182: Token propagation throws java.lang.UnsupportedOperationException when adding the token to the request header parameters

Author: wmedvede

client/integration-tests/security/src/main/java/io/quarkiverse/openapi/generator/it/security/TokenPropagationResource.java

@@ -2,6 +2,7 @@
 
 import jakarta.ws.rs.POST;
 import jakarta.ws.rs.Path;
+import jakarta.ws.rs.core.Response;
 
 import org.eclipse.microprofile.rest.client.inject.RestClient;
 
@@ -25,36 +26,31 @@ public class TokenPropagationResource {
 
     @POST
     @Path("service1")
-    public String service1() {
-        defaultApi1.executeQuery1();
-        return "hello";
+    public Response service1() {
+        return defaultApi1.executeQuery1();
     }
 
     @POST
     @Path("service2")
-    public String service2() {
-        defaultApi2.executeQuery2();
-        return "hello";
+    public Response service2() {
+        return defaultApi2.executeQuery2();
     }
 
     @POST
     @Path("service3")
-    public String service3() {
-        defaultApi3.executeQuery3();
-        return "hello";
+    public Response service3() {
+        return defaultApi3.executeQuery3();
     }
 
     @POST
     @Path("service4")
-    public String service4() {
-        defaultApi4.executeQuery4();
-        return "hello";
+    public Response service4() {
+        return defaultApi4.executeQuery4();
     }
 
     @POST
     @Path("service5")
-    public String service5() {
-        defaultApi5.executeQuery5();
-        return "hello";
+    public Response service5() {
+        return defaultApi5.executeQuery5();
     }
 }

client/integration-tests/security/src/test/java/io/quarkiverse/openapi/generator/it/security/TokenPropagationExternalServicesMock.java

@@ -23,7 +23,8 @@
 
 public class TokenPropagationExternalServicesMock implements QuarkusTestResourceLifecycleManager {
 
-    public static final String AUTHORIZATION_TOKEN = "AUTHORIZATION_TOKEN";
+    public static final String SERVICE1_AUTHORIZATION_TOKEN = "SERVICE1_AUTHORIZATION_TOKEN";
+    public static final String SERVICE2_AUTHORIZATION_TOKEN = "SERVICE2_AUTHORIZATION_TOKEN";
     public static final String SERVICE3_HEADER_TO_PROPAGATE = "SERVICE3_HEADER_TO_PROPAGATE";
     public static final String SERVICE3_AUTHORIZATION_TOKEN = "SERVICE3_AUTHORIZATION_TOKEN";
     public static final String SERVICE4_HEADER_TO_PROPAGATE = "SERVICE4_HEADER_TO_PROPAGATE";
@@ -49,10 +50,10 @@ public Map<String, String> start() {
         LOGGER.info("Mocked Server started at {}", wireMockServer.baseUrl());
 
         // stub the token-propagation-external-service1 invocation with the expected token
-        stubForExternalService("/token-propagation-external-service1/executeQuery1", AUTHORIZATION_TOKEN);
+        stubForExternalService("/token-propagation-external-service1/executeQuery1", SERVICE1_AUTHORIZATION_TOKEN);
 
         // stub the token-propagation-external-service2 invocation with the expected token
-        stubForExternalService("/token-propagation-external-service2/executeQuery2", AUTHORIZATION_TOKEN);
+        stubForExternalService("/token-propagation-external-service2/executeQuery2", SERVICE2_AUTHORIZATION_TOKEN);
 
         // stub the token-propagation-external-service3 invocation with the expected token
         stubForExternalService("/token-propagation-external-service3/executeQuery3", SERVICE3_AUTHORIZATION_TOKEN);

client/integration-tests/security/src/test/java/io/quarkiverse/openapi/generator/it/security/TokenPropagationTest.java

@@ -1,20 +1,25 @@
 package io.quarkiverse.openapi.generator.it.security;
 
-import static io.quarkiverse.openapi.generator.it.security.TokenPropagationExternalServicesMock.AUTHORIZATION_TOKEN;
+import static io.quarkiverse.openapi.generator.it.security.TokenPropagationExternalServicesMock.SERVICE1_AUTHORIZATION_TOKEN;
+import static io.quarkiverse.openapi.generator.it.security.TokenPropagationExternalServicesMock.SERVICE2_AUTHORIZATION_TOKEN;
 import static io.quarkiverse.openapi.generator.it.security.TokenPropagationExternalServicesMock.SERVICE3_AUTHORIZATION_TOKEN;
 import static io.quarkiverse.openapi.generator.it.security.TokenPropagationExternalServicesMock.SERVICE3_HEADER_TO_PROPAGATE;
 import static io.quarkiverse.openapi.generator.it.security.TokenPropagationExternalServicesMock.SERVICE4_AUTHORIZATION_TOKEN;
 import static io.quarkiverse.openapi.generator.it.security.TokenPropagationExternalServicesMock.SERVICE4_HEADER_TO_PROPAGATE;
 import static io.restassured.RestAssured.given;
 
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
+import java.util.stream.Stream;
 
 import jakarta.ws.rs.core.HttpHeaders;
 
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.ValueSource;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 
 import io.quarkus.test.common.QuarkusTestResource;
 import io.quarkus.test.junit.QuarkusTest;
@@ -26,21 +31,40 @@
 @Tag("resteasy-classic")
 class TokenPropagationTest {
 
-    @ParameterizedTest
-    @ValueSource(strings = { "service1", "service2", "service3", "service4", "service5" })
-    void service1(String service) {
-        Map<String, String> headers = new HashMap<>();
-        // service token-propagation-external-service1 and token-propagation-external-service2 will receive the AUTHORIZATION_TOKEN
-        headers.put(HttpHeaders.AUTHORIZATION, AUTHORIZATION_TOKEN);
-        // service token-propagation-external-service3 will receive the SERVICE3_AUTHORIZATION_TOKEN
-        headers.put(SERVICE3_HEADER_TO_PROPAGATE, SERVICE3_AUTHORIZATION_TOKEN);
-        // service token-propagation-external-service4 will receive the SERVICE4_AUTHORIZATION_TOKEN
-        headers.put(SERVICE4_HEADER_TO_PROPAGATE, SERVICE4_AUTHORIZATION_TOKEN);
+    private static class HeaderArgument {
+        String headerName;
+        String headerValue;
+
+        HeaderArgument(String headerName, String headerValue) {
+            this.headerName = headerName;
+            this.headerValue = headerValue;
+        }
+
+    }
 
+    @ParameterizedTest
+    @MethodSource("serviceInvocationParams")
+    void invokeService(String service, HeaderArgument headerArgument) {
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put(headerArgument.headerName, Collections.singletonList(headerArgument.headerValue));
         given()
                 .headers(headers)
                 .post("/token_propagation/" + service)
                 .then()
                 .statusCode(200);
     }
+
+    private static Stream<Arguments> serviceInvocationParams() {
+        return Stream.of(
+                // service token-propagation-external-service1 will receive the SERVICE1_AUTHORIZATION_TOKEN
+                Arguments.of("service1", new HeaderArgument(HttpHeaders.AUTHORIZATION, SERVICE1_AUTHORIZATION_TOKEN)),
+                // service token-propagation-external-service2 will receive the SERVICE2_AUTHORIZATION_TOKEN
+                Arguments.of("service2", new HeaderArgument(HttpHeaders.AUTHORIZATION, SERVICE2_AUTHORIZATION_TOKEN)),
+                // service token-propagation-external-service3 will receive the SERVICE3_AUTHORIZATION_TOKEN
+                Arguments.of("service3", new HeaderArgument(SERVICE3_HEADER_TO_PROPAGATE, SERVICE3_AUTHORIZATION_TOKEN)),
+                // service token-propagation-external-service4 will receive the SERVICE4_AUTHORIZATION_TOKEN
+                Arguments.of("service4", new HeaderArgument(SERVICE4_HEADER_TO_PROPAGATE, SERVICE4_AUTHORIZATION_TOKEN))
+
+        );
+    }
 }

client/oidc/src/main/java/io/quarkiverse/openapi/generator/oidc/providers/OAuth2AuthenticationProvider.java

@@ -3,6 +3,7 @@
 import static io.quarkiverse.openapi.generator.AuthConfig.TOKEN_PROPAGATION;
 
 import java.io.IOException;
+import java.util.Collections;
 import java.util.List;
 
 import jakarta.ws.rs.client.ClientRequestContext;
@@ -32,9 +33,12 @@ public OAuth2AuthenticationProvider(String name,
     @Override
     public void filter(ClientRequestContext requestContext) throws IOException {
         if (isTokenPropagation()) {
-            String bearerToken = getTokenForPropagation(requestContext.getHeaders());
-            bearerToken = sanitizeBearerToken(bearerToken);
-            requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, OidcConstants.BEARER_SCHEME + " " + bearerToken);
+            String bearerToken = sanitizeBearerToken(getTokenForPropagation(requestContext.getHeaders()));
+            if (!isEmptyOrBlank(bearerToken)) {
+                requestContext.getHeaders().remove(HttpHeaders.AUTHORIZATION);
+                requestContext.getHeaders().put(HttpHeaders.AUTHORIZATION,
+                        Collections.singletonList(OidcConstants.BEARER_SCHEME + " " + bearerToken));
+            }
         } else {
             delegate.filter(requestContext);
         }

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/AbstractAuthProvider.java

@@ -68,7 +68,7 @@ public boolean isTokenPropagation() {
     public String getTokenForPropagation(MultivaluedMap<String, Object> httpHeaders) {
         String headerName = getHeaderName() != null ? getHeaderName() : HttpHeaders.AUTHORIZATION;
         String propagatedHeaderName = propagationHeaderName(getOpenApiSpecId(), getName(), headerName);
-        return Objects.toString(httpHeaders.getFirst(propagatedHeaderName));
+        return Objects.toString(httpHeaders.getFirst(propagatedHeaderName), null);
     }
 
     public String getHeaderName() {
@@ -88,4 +88,8 @@ public final String getCanonicalAuthConfigPropertyName(String authPropertyName)
     public static String getCanonicalAuthConfigPropertyName(String authPropertyName, String openApiSpecId, String authName) {
         return String.format(CANONICAL_AUTH_CONFIG_PROPERTY_NAME, openApiSpecId, authName, authPropertyName);
     }
+
+    protected static boolean isEmptyOrBlank(String value) {
+        return value == null || value.isBlank();
+    }
 }

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/BasicAuthenticationProvider.java

@@ -1,6 +1,7 @@
 package io.quarkiverse.openapi.generator.providers;
 
 import java.io.IOException;
+import java.util.Collections;
 import java.util.List;
 
 import jakarta.ws.rs.client.ClientRequestContext;
@@ -44,9 +45,10 @@ public void filter(ClientRequestContext requestContext) throws IOException {
             basicToken = sanitizeBasicToken(getTokenForPropagation(requestContext.getHeaders()));
         }
 
-        if (!basicToken.isBlank()) {
-            requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION,
-                    AuthUtils.basicAuthAccessToken(basicToken));
+        if (!isEmptyOrBlank(basicToken)) {
+            requestContext.getHeaders().remove(HttpHeaders.AUTHORIZATION);
+            requestContext.getHeaders().put(HttpHeaders.AUTHORIZATION,
+                    Collections.singletonList(AuthUtils.basicAuthAccessToken(basicToken)));
         }
 
     }

client/runtime/src/main/java/io/quarkiverse/openapi/generator/providers/BearerAuthenticationProvider.java

@@ -1,6 +1,7 @@
 package io.quarkiverse.openapi.generator.providers;
 
 import java.io.IOException;
+import java.util.Collections;
 import java.util.List;
 
 import jakarta.ws.rs.client.ClientRequestContext;
@@ -34,8 +35,10 @@ public void filter(ClientRequestContext requestContext) throws IOException {
             bearerToken = sanitizeBearerToken(getTokenForPropagation(requestContext.getHeaders()));
         }
 
-        if (!bearerToken.isBlank()) {
-            requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, AuthUtils.authTokenOrBearer(this.scheme, bearerToken));
+        if (!isEmptyOrBlank(bearerToken)) {
+            requestContext.getHeaders().remove(HttpHeaders.AUTHORIZATION);
+            requestContext.getHeaders().put(HttpHeaders.AUTHORIZATION,
+                    Collections.singletonList(AuthUtils.authTokenOrBearer(this.scheme, bearerToken)));
         }
     }