Merge pull request #48296 from michalvavrik/feature/oidc-client-refresh-timer

OIDC Client: Add periodic asynchronous tokens refresh for performance critical applications

Author: sberyozkin

docs/src/main/asciidoc/security-openid-connect-client-reference.adoc

@@ -713,6 +713,16 @@ You can also inject named `Tokens`, see <<named-oidc-clients,Inject named OidcCl
 `OidcClientRequestReactiveFilter`, `OidcClientRequestFilter` and `Tokens` producers will refresh the current expired access token if the refresh token is available.
 Additionally, the `quarkus.oidc-client.refresh-token-time-skew` property can be used for a preemptive access token refreshment to avoid sending nearly expired access tokens that might cause HTTP 401 errors. For example, if this property is set to `3S` and the access token will expire in less than 3 seconds, then this token will be auto-refreshed.
 
+
+By default, OIDC client refreshes the token during the current request, when it detects that it has expired, or nearly expired if the [refresh token time skew](https://quarkus.io/guides/security-openid-connect-client-reference#quarkus-oidc-client_quarkus-oidc-client-refresh-token-time-skew) is configured.
+Performance critical applications may want to avoid having to wait for a possible token refresh during the incoming requests and configure an asynchronous token refresh instead, for example:
+
+[source,properties]
+----
+quarkus.oidc-client.refresh-interval=1m <1>
+----
+<1> Check every minute if the current access token is expired and must be refreshed.
+
 If the access token needs to be refreshed, but no refresh token is available, then an attempt is made to acquire a new token by using a configured grant, such as `client_credentials`.
 
 Some OpenID Connect Providers will not return a refresh token in a `client_credentials` grant response. For example, starting from Keycloak 12, a refresh token will not be returned by default for `client_credentials`. The providers might also restrict the number of times a refresh token can be used.

extensions/oidc-client/deployment/src/main/java/io/quarkus/oidc/client/deployment/OidcClientBuildStep.java

@@ -12,6 +12,7 @@
 import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Singleton;
 
+import org.jboss.jandex.ClassType;
 import org.jboss.jandex.DotName;
 
 import io.quarkus.arc.BeanDestroyer;
@@ -46,12 +47,10 @@
 import io.quarkus.oidc.client.runtime.OidcClientBuildTimeConfig;
 import io.quarkus.oidc.client.runtime.OidcClientDefaultIdConfigBuilder;
 import io.quarkus.oidc.client.runtime.OidcClientRecorder;
-import io.quarkus.oidc.client.runtime.OidcClientsConfig;
+import io.quarkus.oidc.client.runtime.OidcClientsImpl;
 import io.quarkus.oidc.client.runtime.TokenProviderProducer;
 import io.quarkus.oidc.client.runtime.TokensHelper;
 import io.quarkus.oidc.client.runtime.TokensProducer;
-import io.quarkus.tls.deployment.spi.TlsRegistryBuildItem;
-import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
 
 @BuildSteps(onlyIf = OidcClientBuildStep.IsEnabled.class)
 public class OidcClientBuildStep {
@@ -98,46 +97,25 @@ void initOidcClients(OidcClientRecorder recorder) {
         recorder.initOidcClients();
     }
 
-    @Record(ExecutionTime.RUNTIME_INIT)
     @BuildStep
-    public void setup(
-            OidcClientsConfig oidcConfig,
-            OidcClientRecorder recorder,
-            CoreVertxBuildItem vertxBuildItem,
-            OidcClientNamesBuildItem oidcClientNames,
-            TlsRegistryBuildItem tlsRegistry,
-            BuildProducer<SyntheticBeanBuildItem> syntheticBean) {
-
-        syntheticBean.produce(SyntheticBeanBuildItem.configure(OidcClients.class).unremovable()
-                .types(OidcClients.class)
-                .supplier(recorder.createOidcClientsBean(oidcConfig, vertxBuildItem.getVertx(), tlsRegistry.registry()))
-                .scope(Singleton.class)
-                .setRuntimeInit()
-                .destroyer(BeanDestroyer.CloseableDestroyer.class)
-                .done());
-
-        syntheticBean.produce(SyntheticBeanBuildItem.configure(OidcClient.class).unremovable()
-                .types(OidcClient.class)
-                .supplier(recorder.createOidcClientBean())
-                .scope(Singleton.class)
-                .setRuntimeInit()
-                .destroyer(BeanDestroyer.CloseableDestroyer.class)
-                .done());
-
-        produceNamedOidcClientBeans(syntheticBean, oidcClientNames.oidcClientNames(), recorder);
+    AdditionalBeanBuildItem createOidcClientsBean() {
+        return AdditionalBeanBuildItem.unremovableOf(OidcClientsImpl.class);
     }
 
-    private void produceNamedOidcClientBeans(BuildProducer<SyntheticBeanBuildItem> syntheticBean,
-            Set<String> injectedOidcClientNames, OidcClientRecorder recorder) {
-        injectedOidcClientNames.stream()
+    @Record(ExecutionTime.RUNTIME_INIT)
+    @BuildStep
+    void produceNamedOidcClientBeans(OidcClientRecorder recorder, OidcClientNamesBuildItem oidcClientNames,
+            BuildProducer<SyntheticBeanBuildItem> syntheticBean) {
+        oidcClientNames.oidcClientNames().stream()
                 .map(clientName -> syntheticNamedOidcClientBeanFor(clientName, recorder))
                 .forEach(syntheticBean::produce);
     }
 
-    private SyntheticBeanBuildItem syntheticNamedOidcClientBeanFor(String clientName, OidcClientRecorder recorder) {
+    private static SyntheticBeanBuildItem syntheticNamedOidcClientBeanFor(String clientName, OidcClientRecorder recorder) {
         return SyntheticBeanBuildItem.configure(OidcClient.class).unremovable()
                 .types(OidcClient.class)
-                .supplier(recorder.createOidcClientBean(clientName))
+                .addInjectionPoint(ClassType.create(OidcClients.class))
+                .createWith(recorder.createOidcClientBean(clientName))
                 .scope(Singleton.class)
                 .addQualifier().annotation(NamedOidcClient.class).addValue("value", clientName).done()
                 .setRuntimeInit()

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/OidcClientConfig.java

@@ -16,7 +16,7 @@
 public class OidcClientConfig extends OidcClientCommonConfig implements io.quarkus.oidc.client.runtime.OidcClientConfig {
 
     public OidcClientConfig() {
-
+        this.refreshInterval = Optional.empty();
     }
 
     public OidcClientConfig(io.quarkus.oidc.client.runtime.OidcClientConfig mapping) {
@@ -32,6 +32,7 @@ public OidcClientConfig(io.quarkus.oidc.client.runtime.OidcClientConfig mapping)
         grantOptions = mapping.grantOptions();
         earlyTokensAcquisition = mapping.earlyTokensAcquisition();
         headers = mapping.headers();
+        refreshInterval = mapping.refreshInterval();
     }
 
     /**
@@ -78,6 +79,8 @@ public OidcClientConfig(io.quarkus.oidc.client.runtime.OidcClientConfig mapping)
 
     public Grant grant = new Grant();
 
+    private final Optional<Duration> refreshInterval;
+
     @Override
     public Optional<String> id() {
         return id;
@@ -133,6 +136,11 @@ public Map<String, String> headers() {
         return headers;
     }
 
+    @Override
+    public Optional<Duration> refreshInterval() {
+        return refreshInterval;
+    }
+
     public static class Grant implements io.quarkus.oidc.client.runtime.OidcClientConfig.Grant {
 
         @Override

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/OidcClientConfigBuilder.java

@@ -33,6 +33,7 @@ private static class OidcClientConfigImpl extends OidcClientCommonConfigImpl imp
         private final Optional<List<String>> scopes;
         private final boolean clientEnabled;
         private final Optional<String> id;
+        private final Optional<Duration> refreshInterval;;
 
         private OidcClientConfigImpl(OidcClientConfigBuilder builder) {
             super(builder);
@@ -47,6 +48,7 @@ private OidcClientConfigImpl(OidcClientConfigBuilder builder) {
             this.scopes = builder.scopes.isEmpty() ? Optional.empty() : Optional.of(List.copyOf(builder.scopes));
             this.clientEnabled = builder.clientEnabled;
             this.id = builder.id;
+            this.refreshInterval = builder.refreshInterval;
         }
 
         @Override
@@ -103,6 +105,11 @@ public boolean earlyTokensAcquisition() {
         public Map<String, String> headers() {
             return headers;
         }
+
+        @Override
+        public Optional<Duration> refreshInterval() {
+            return refreshInterval;
+        }
     }
 
     /**
@@ -123,6 +130,7 @@ public Map<String, String> headers() {
     private Optional<Duration> refreshTokenTimeSkew;
     private boolean clientEnabled;
     private Optional<String> id;
+    private Optional<Duration> refreshInterval;
 
     /**
      * Creates {@link OidcClientConfigBuilder} builder populated with documented default values.
@@ -146,6 +154,7 @@ public OidcClientConfigBuilder(OidcClientConfig config) {
         this.refreshTokenTimeSkew = config.refreshTokenTimeSkew();
         this.clientEnabled = config.clientEnabled();
         this.id = config.id();
+        this.refreshInterval = config.refreshInterval();
         if (config.scopes().isPresent()) {
             this.scopes.addAll(config.scopes().get());
         }
@@ -330,6 +339,11 @@ public GrantBuilder grant() {
         return new GrantBuilder(this);
     }
 
+    public OidcClientConfigBuilder refreshInterval(Duration refreshInterval) {
+        this.refreshInterval = Optional.ofNullable(refreshInterval);
+        return this;
+    }
+
     /**
      * @return OidcClientConfig
      */

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/AbstractTokensProducer.java

@@ -3,15 +3,15 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.function.Supplier;
 
 import jakarta.annotation.PostConstruct;
+import jakarta.enterprise.inject.Instance;
 import jakarta.inject.Inject;
 
 import org.jboss.logging.Logger;
 
-import io.quarkus.arc.Arc;
 import io.quarkus.oidc.client.OidcClient;
-import io.quarkus.oidc.client.OidcClients;
 import io.quarkus.oidc.client.Tokens;
 import io.smallrye.mutiny.Uni;
 
@@ -26,6 +26,8 @@ public abstract class AbstractTokensProducer {
     public OidcClientsConfig oidcClientsConfig;
     @Inject
     public OidcClientBuildTimeConfig oidcClientBuildTimeConfig;
+    @Inject
+    public Instance<OidcClientsImpl> oidcClientsInstance;
 
     final TokensHelper tokensHelper = new TokensHelper();
 
@@ -36,10 +38,10 @@ public void init() {
                     + " skipping the token producer initialization");
             return;
         }
+        final OidcClientsImpl oidcClients = oidcClientsInstance.get();
         Optional<OidcClient> initializedClient = client();
         if (initializedClient.isEmpty()) {
             Optional<String> clientId = Objects.requireNonNull(clientId(), "clientId must not be null");
-            OidcClients oidcClients = Arc.container().instance(OidcClients.class).get();
             if (clientId.isPresent()) {
                 // static named OidcClient
                 oidcClient = Objects.requireNonNull(oidcClients.getClient(clientId.get()), "Unknown client");
@@ -54,6 +56,14 @@ public void init() {
         }
 
         initTokens();
+        if (!isForceNewTokens()) {
+            oidcClients.registerTokenRefresh(oidcClient, new Supplier<Uni<Tokens>>() {
+                @Override
+                public Uni<Tokens> get() {
+                    return getTokens();
+                }
+            });
+        }
     }
 
     protected boolean isClientFeatureDisabled() {

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientConfig.java

@@ -5,6 +5,7 @@
 import java.util.Map;
 import java.util.Optional;
 
+import io.quarkus.oidc.client.OidcClient;
 import io.quarkus.oidc.client.OidcClientConfigBuilder;
 import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.oidc.common.runtime.config.OidcClientCommonConfig;
@@ -172,6 +173,16 @@ public String getGrantType() {
      */
     Map<String, String> headers();
 
+    /**
+     * Token refresh interval.
+     * By default, OIDC client refreshes the token during the current request, when it detects that it has expired,
+     * or nearly expired if the {@link #refreshTokenTimeSkew()} is configured.
+     * But, when this property is configured, OIDC client can refresh the token asynchronously in the configured interval.
+     * This property is only effective with OIDC client filters and other {@link AbstractTokensProducer} extensions,
+     * but not when you use the {@link OidcClient#getTokens()} API directly.
+     */
+    Optional<Duration> refreshInterval();
+
     /**
      * Creates {@link OidcClientConfigBuilder} builder populated with documented default values.
      *

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientImpl.java

@@ -366,4 +366,8 @@ private HttpRequest<Buffer> filterHttpRequest(
         }
         return request;
     }
+
+    OidcClientConfig getConfig() {
+        return oidcConfig;
+    }
 }

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientRecorder.java

@@ -7,14 +7,14 @@
 import java.util.Set;
 import java.util.function.BiFunction;
 import java.util.function.Function;
-import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
 import jakarta.enterprise.inject.CreationException;
 
 import org.jboss.logging.Logger;
 
 import io.quarkus.arc.Arc;
+import io.quarkus.arc.SyntheticCreationalContext;
 import io.quarkus.oidc.client.OidcClient;
 import io.quarkus.oidc.client.OidcClientException;
 import io.quarkus.oidc.client.OidcClients;
@@ -29,7 +29,6 @@
 import io.quarkus.oidc.common.runtime.OidcTlsSupport;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.runtime.configuration.ConfigurationException;
-import io.quarkus.tls.TlsConfigurationRegistry;
 import io.smallrye.mutiny.Uni;
 import io.vertx.core.Vertx;
 import io.vertx.ext.web.client.WebClientOptions;
@@ -43,13 +42,10 @@ public class OidcClientRecorder {
     private static final String CLIENT_ID_ATTRIBUTE = "client-id";
     static final String DEFAULT_OIDC_CLIENT_ID = "Default";
 
-    private static OidcClients setup(OidcClientsConfig oidcClientsConfig, Supplier<Vertx> vertx,
-            Supplier<TlsConfigurationRegistry> registrySupplier) {
+    static Map<String, OidcClient> createStaticOidcClients(OidcClientsConfig oidcClientsConfig, Vertx vertx,
+            OidcTlsSupport tlsSupport, OidcClientConfig defaultClientConfig) {
 
-        var tlsSupport = OidcTlsSupport.of(registrySupplier);
-        var defaultClientConfig = OidcClientsConfig.getDefaultClient(oidcClientsConfig);
         String defaultClientId = defaultClientConfig.id().get();
-        OidcClient defaultClient = createOidcClient(defaultClientConfig, defaultClientId, vertx, tlsSupport);
 
         Map<String, OidcClient> staticOidcClients = new HashMap<>();
 
@@ -62,54 +58,26 @@ private static OidcClients setup(OidcClientsConfig oidcClientsConfig, Supplier<V
             }
         }
 
-        return new OidcClientsImpl(defaultClient, staticOidcClients,
-                new Function<OidcClientConfig, Uni<OidcClient>>() {
-                    @Override
-                    public Uni<OidcClient> apply(OidcClientConfig config) {
-                        return createOidcClientUni(config, config.id().get(), vertx, OidcTlsSupport.of(registrySupplier));
-                    }
-                });
-    }
-
-    public Supplier<OidcClient> createOidcClientBean() {
-        return new Supplier<OidcClient>() {
-
-            @Override
-            public OidcClient get() {
-                return Arc.container().instance(OidcClients.class).get().getClient();
-            }
-        };
-    }
-
-    public Supplier<OidcClient> createOidcClientBean(String clientName) {
-        return new Supplier<OidcClient>() {
-
-            @Override
-            public OidcClient get() {
-                return Arc.container().instance(OidcClients.class).get().getClient(clientName);
-            }
-        };
+        return Map.copyOf(staticOidcClients);
     }
 
-    public Supplier<OidcClients> createOidcClientsBean(OidcClientsConfig oidcClientsConfig, Supplier<Vertx> vertx,
-            Supplier<TlsConfigurationRegistry> registrySupplier) {
-        return new Supplier<OidcClients>() {
-
+    public Function<SyntheticCreationalContext<OidcClient>, OidcClient> createOidcClientBean(String clientName) {
+        return new Function<SyntheticCreationalContext<OidcClient>, OidcClient>() {
             @Override
-            public OidcClients get() {
-                return setup(oidcClientsConfig, vertx, registrySupplier);
+            public OidcClient apply(SyntheticCreationalContext<OidcClient> ctx) {
+                return ctx.getInjectedReference(OidcClients.class).getClient(clientName);
             }
         };
     }
 
-    protected static OidcClient createOidcClient(OidcClientConfig oidcConfig, String oidcClientId, Supplier<Vertx> vertx,
+    protected static OidcClient createOidcClient(OidcClientConfig oidcConfig, String oidcClientId, Vertx vertx,
             OidcTlsSupport tlsSupport) {
         return createOidcClientUni(oidcConfig, oidcClientId, vertx, tlsSupport).await()
                 .atMost(oidcConfig.connectionTimeout());
     }
 
     protected static Uni<OidcClient> createOidcClientUni(OidcClientConfig oidcConfig, String oidcClientId,
-            Supplier<Vertx> vertx, OidcTlsSupport tlsSupport) {
+            Vertx vertx, OidcTlsSupport tlsSupport) {
         if (!oidcConfig.clientEnabled()) {
             String message = String.format("'%s' client configuration is disabled", oidcClientId);
             LOG.debug(message);
@@ -139,7 +107,7 @@ protected static Uni<OidcClient> createOidcClientUni(OidcClientConfig oidcConfig
         options.setFollowRedirects(oidcConfig.followRedirects());
         OidcCommonUtils.setHttpClientOptions(oidcConfig, options, tlsSupport.forConfig(oidcConfig.tls()));
 
-        var mutinyVertx = new io.vertx.mutiny.core.Vertx(vertx.get());
+        var mutinyVertx = new io.vertx.mutiny.core.Vertx(vertx);
         WebClient client = WebClient.create(mutinyVertx, options);
 
         Map<OidcEndpoint.Type, List<OidcRequestFilter>> oidcRequestFilters = OidcCommonUtils.getOidcRequestFilters();
@@ -219,7 +187,7 @@ public OidcClient apply(OidcConfigurationMetadata metadata, Throwable t) {
 
                         return new OidcClientImpl(client, metadata.tokenRequestUri, metadata.tokenRevokeUri, grantType,
                                 tokenGrantParams, commonRefreshGrantParams, oidcConfig, oidcRequestFilters,
-                                oidcResponseFilters, vertx.get());
+                                oidcResponseFilters, vertx);
                     }
 
                 });