fix(oidc): invalid session cookie without encryption

Author: michalvavrik

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java

@@ -81,7 +81,8 @@ public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantCon
                         .append(CodeAuthenticationMechanism.COOKIE_DELIM)
                         .append(tokens.getAccessTokenExpiresIn() != null ? tokens.getAccessTokenExpiresIn() : "")
                         .append(CodeAuthenticationMechanism.COOKIE_DELIM)
-                        .append(tokens.getAccessTokenScope() != null ? tokens.getAccessTokenScope() : "");
+                        .append(tokens.getAccessTokenScope() != null ? encodeScopes(oidcConfig, tokens.getAccessTokenScope())
+                                : "");
 
                 // Encrypt access token and create a `q_session_at` cookie.
                 CodeAuthenticationMechanism.createCookie(routingContext,

integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CodeFlowTokenIntrospectionNoEncryptionResource.java

@@ -0,0 +1,31 @@
+package io.quarkus.it.keycloak;
+
+import jakarta.inject.Inject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+import org.eclipse.microprofile.jwt.JsonWebToken;
+
+import io.quarkus.oidc.TokenIntrospection;
+import io.quarkus.security.PermissionsAllowed;
+import io.quarkus.security.identity.SecurityIdentity;
+
+@Path("/code-flow-token-introspection-no-encryption")
+@PermissionsAllowed(value = { "email", "openid", "profile" }, inclusive = true)
+public class CodeFlowTokenIntrospectionNoEncryptionResource {
+
+    @Inject
+    SecurityIdentity identity;
+
+    @Inject
+    TokenIntrospection tokenIntrospection;
+
+    @GET
+    public String access() {
+        if (identity.getPrincipal() instanceof JsonWebToken) {
+            return identity.getPrincipal().getName();
+        } else {
+            return identity.getPrincipal().getName() + ":" + tokenIntrospection.getUsername();
+        }
+    }
+}

integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CustomSecurityIdentityAugmentor.java

@@ -45,6 +45,7 @@ public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRe
                 (routingContext.normalizedPath().endsWith("code-flow-user-info-only")
                         || routingContext.normalizedPath().endsWith("code-flow-user-info-dynamic-github")
                         || routingContext.normalizedPath().endsWith("code-flow-token-introspection")
+                        || routingContext.normalizedPath().endsWith("code-flow-token-introspection-no-encryption")
                         || routingContext.normalizedPath().endsWith("code-flow-user-info-github-cached-in-idtoken")
                         || routingContext.normalizedPath().endsWith("code-flow-user-info-github-cache-disabled"))) {
             QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);

integration-tests/oidc-wiremock/src/main/resources/application.properties

@@ -173,6 +173,20 @@ quarkus.oidc.code-flow-token-introspection.client-id=quarkus-web-app
 quarkus.oidc.code-flow-token-introspection.credentials.secret=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow
 quarkus.oidc.code-flow-token-introspection.code-grant.headers.X-Custom=XTokenIntrospection
 
+quarkus.oidc.code-flow-token-introspection-no-encryption.provider=github
+quarkus.oidc.code-flow-token-introspection-no-encryption.token.verify-access-token-with-user-info=false
+quarkus.oidc.code-flow-token-introspection-no-encryption.auth-server-url=${keycloak.url:replaced-by-test-resource}/realms/quarkus/
+quarkus.oidc.code-flow-token-introspection-no-encryption.authorization-path=/
+quarkus.oidc.code-flow-token-introspection-no-encryption.user-info-path=protocol/openid-connect/userinfo
+quarkus.oidc.code-flow-token-introspection-no-encryption.introspection-path=protocol/openid-connect/token/introspect
+quarkus.oidc.code-flow-token-introspection-no-encryption.token.refresh-token-time-skew=298
+quarkus.oidc.code-flow-token-introspection-no-encryption.roles.source=accesstoken
+quarkus.oidc.code-flow-token-introspection-no-encryption.client-id=quarkus-web-app
+quarkus.oidc.code-flow-token-introspection-no-encryption.credentials.secret=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow
+quarkus.oidc.code-flow-token-introspection-no-encryption.code-grant.headers.X-Custom=XTokenIntrospection
+quarkus.oidc.code-flow-token-introspection-no-encryption.token-state-manager.split-tokens=true
+quarkus.oidc.code-flow-token-introspection-no-encryption.token-state-manager.encryption-required=false
+
 quarkus.oidc.code-flow-token-introspection-expires-in.auth-server-url=${keycloak.url:replaced-by-test-resource}/realms/quarkus/
 quarkus.oidc.code-flow-token-introspection-expires-in.application-type=web-app
 quarkus.oidc.code-flow-token-introspection-expires-in.authentication.user-info-required=false

integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/CodeFlowAuthorizationTest.java

@@ -545,6 +545,44 @@ public void testCodeFlowTokenIntrospectionActiveRefresh() throws Exception {
         clearCache();
     }
 
+    @Test
+    public void testCodeFlowTokenIntrospectionActiveRefresh_noEncryption() throws Exception {
+        // exactly as testCodeFlowTokenIntrospectionActiveRefresh but with
+        // quarkus.oidc.token-state-manager.split-tokens=true
+        // quarkus.oidc.token-state-manager.encryption-required=false
+        // to assure that cookie is valid when there are multiple scopes
+
+        // This stub does not return an access token expires_in property
+        defineCodeFlowTokenIntrospectionStub();
+        try (final WebClient webClient = createWebClient()) {
+            webClient.getOptions().setRedirectEnabled(true);
+            HtmlPage page = webClient.getPage("http://localhost:8081/code-flow-token-introspection-no-encryption");
+
+            HtmlForm form = page.getFormByName("form");
+            form.getInputByName("username").type("alice");
+            form.getInputByName("password").type("alice");
+
+            TextPage textPage = form.getInputByValue("login").click();
+
+            assertEquals("alice:alice", textPage.getContent());
+
+            textPage = webClient.getPage("http://localhost:8081/code-flow-token-introspection-no-encryption");
+            assertEquals("alice:alice", textPage.getContent());
+
+            // Refresh
+            // The internal ID token lifespan is 5 mins
+            // Configured refresh token skew is 298 secs = 5 mins - 2 secs
+            // Therefore, after waiting for 3 secs, an active refresh is happening
+            Thread.sleep(3000);
+            textPage = webClient.getPage("http://localhost:8081/code-flow-token-introspection-no-encryption");
+            assertEquals("admin:admin", textPage.getContent());
+
+            webClient.getCookieManager().clearCookies();
+        }
+
+        clearCache();
+    }
+
     @Test
     public void testCodeFlowTokenIntrospectionExpiresInRefresh() throws Exception {
         // This stub does return an access token expires_in property
@@ -844,7 +882,7 @@ private void defineCodeFlowTokenIntrospectionStub() {
                                 .withHeader("Content-Type", "application/json")
                                 .withBody("{\n" +
                                         "  \"access_token\": \"alice\","
-                                        + "  \"scope\": \"email\","
+                                        + "  \"scope\": \"openid profile email\","
                                         + "  \"refresh_token\": \"refresh5678\""
                                         + "}")));
 
@@ -855,7 +893,7 @@ private void defineCodeFlowTokenIntrospectionStub() {
                                 .withHeader("Content-Type", "application/json")
                                 .withBody("{\n" +
                                         "  \"access_token\": \"admin\","
-                                        + "  \"scope\": \"email\""
+                                        + "  \"scope\": \"openid profile email\""
                                         + "}")));
     }