Merge pull request #47575 from michalvavrik/feature/oidc-only-access-fields-using-accessors

OIDC refactoring: use accessors instead of deprecated fields marked for removal

Author: sberyozkin

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/devservices/AbstractDevUIProcessor.java

@@ -13,7 +13,7 @@
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.devui.spi.page.CardPageBuildItem;
 import io.quarkus.devui.spi.page.Page;
-import io.quarkus.oidc.OidcTenantConfig;
+import io.quarkus.oidc.runtime.OidcTenantConfig;
 import io.quarkus.oidc.runtime.devui.OidcDevUiRecorder;
 import io.quarkus.oidc.runtime.devui.OidcDevUiRpcSvcPropertiesBean;
 import io.quarkus.runtime.RuntimeValue;

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/devservices/OidcDevUIProcessor.java

@@ -17,9 +17,9 @@
 import io.quarkus.devservices.oidc.OidcDevServicesConfigBuildItem;
 import io.quarkus.devui.spi.JsonRPCProvidersBuildItem;
 import io.quarkus.devui.spi.page.CardPageBuildItem;
-import io.quarkus.oidc.OidcTenantConfig;
-import io.quarkus.oidc.OidcTenantConfig.Provider;
 import io.quarkus.oidc.deployment.OidcBuildTimeConfig;
+import io.quarkus.oidc.runtime.OidcTenantConfig;
+import io.quarkus.oidc.runtime.OidcTenantConfig.Provider;
 import io.quarkus.oidc.runtime.devui.OidcDevJsonRpcService;
 import io.quarkus.oidc.runtime.devui.OidcDevUiRecorder;
 import io.quarkus.oidc.runtime.providers.KnownOidcProviders;

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/OpaqueTokenVerificationWithUserInfoValidationTest.java

@@ -34,7 +34,8 @@ public class OpaqueTokenVerificationWithUserInfoValidationTest {
                 // assert UserInfo is required
                 assertTrue(
                         te.getMessage()
-                                .contains("UserInfo is not required but 'verifyAccessTokenWithUserInfo' is enabled"),
+                                .contains(
+                                        "UserInfo is not required but 'quarkus.oidc.token.verify-access-token-with-user-info' is enabled"),
                         te.getMessage());
             });
 

extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/UserInfoRequiredDetectionTest.java

@@ -107,7 +107,7 @@ public static class UserInfoResource {
         @Path("default-tenant-random")
         @GET
         public String getDefaultTenantName() {
-            if (!tenantConfigBean.getDefaultTenant().oidcConfig().authentication.userInfoRequired.orElse(false)) {
+            if (!tenantConfigBean.getDefaultTenant().oidcConfig().authentication().userInfoRequired().orElse(false)) {
                 throw new IllegalStateException("Default tenant user info should be required");
             }
             String tenantId = routingContext.get(OidcUtils.TENANT_ID_ATTRIBUTE);
@@ -126,7 +126,7 @@ public String getDefaultTenantName() {
         @Path("named-tenant-random")
         @GET
         public String getNamedTenantName() {
-            if (!getNamedTenantConfig("named").authentication.userInfoRequired.orElse(false)) {
+            if (!getNamedTenantConfig("named").authentication().userInfoRequired().orElse(false)) {
                 throw new IllegalStateException("Named tenant user info should be required");
             }
             String tenantId = routingContext.get(OidcUtils.TENANT_ID_ATTRIBUTE);
@@ -142,14 +142,14 @@ public String getNamedTenantName() {
         @Path("named-tenant-2")
         @GET
         public boolean getNamed2TenantUserInfoRequired() {
-            return getNamedTenantConfig("named-2").authentication.userInfoRequired.orElse(false);
+            return getNamedTenantConfig("named-2").authentication().userInfoRequired().orElse(false);
         }
 
         @PermissionsAllowed("openid")
         @Path("named-tenant-3")
         @GET
         public boolean getNamed3TenantUserInfoRequired() {
-            return getNamedTenantConfig("named-3").authentication.userInfoRequired.orElse(false);
+            return getNamedTenantConfig("named-3").authentication().userInfoRequired().orElse(false);
         }
 
         private OidcTenantConfig getNamedTenantConfig(String configName) {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -1040,10 +1040,10 @@ private String generateInternalIdToken(TenantConfigContext context, UserInfo use
         } else if (accessTokenExpiresInSecs != null) {
             builder.expiresIn(accessTokenExpiresInSecs);
         }
-        builder.audience(context.oidcConfig().getClientId().get());
+        builder.audience(context.oidcConfig().clientId().get());
 
         JwtSignatureBuilder sigBuilder = builder.jws().header(INTERNAL_IDTOKEN_HEADER, true);
-        String clientOrJwtSecret = OidcCommonUtils.getClientOrJwtSecret(context.oidcConfig().credentials);
+        String clientOrJwtSecret = OidcCommonUtils.getClientOrJwtSecret(context.oidcConfig().credentials());
         if (clientOrJwtSecret != null) {
             LOG.debug("Signing internal ID token with a configured client secret");
             return sigBuilder.sign(KeyUtils.createSecretKeyFromSecret(clientOrJwtSecret));

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java

@@ -261,7 +261,7 @@ private Uni<TenantConfigContext> getDynamicTenantContext(RoutingContext context)
             @Override
             public Uni<? extends TenantConfigContext> apply(OidcTenantConfig tenantConfig) {
                 if (tenantConfig != null) {
-                    var tenantId = tenantConfig.getTenantId()
+                    var tenantId = tenantConfig.tenantId()
                             .orElseThrow(() -> new OIDCException("Tenant configuration must have tenant id"));
                     var tenantContext = tenantConfigBean.getDynamicTenant(tenantId);
                     if (tenantContext == null) {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcConfigPropertySupplier.java

@@ -9,10 +9,9 @@
 import org.eclipse.microprofile.config.Config;
 import org.eclipse.microprofile.config.ConfigProvider;
 
-import io.quarkus.oidc.OidcTenantConfig;
-import io.quarkus.oidc.OidcTenantConfig.Provider;
 import io.quarkus.oidc.common.runtime.OidcCommonUtils;
 import io.quarkus.oidc.common.runtime.OidcConstants;
+import io.quarkus.oidc.runtime.OidcTenantConfig.Provider;
 import io.quarkus.oidc.runtime.providers.KnownOidcProviders;
 import io.smallrye.config.SmallRyeConfig;
 
@@ -99,7 +98,7 @@ public String get(Config config) {
                 if (END_SESSION_PATH_CONFIG_KEY.equals(oidcConfigProperty)) {
                     value = providerConfig.endSessionPath();
                 } else if (TOKEN_PATH_CONFIG_KEY.equals(oidcConfigProperty)) {
-                    value = providerConfig.tokenPath;
+                    value = providerConfig.tokenPath();
                 } else if (AUTH_PATH_CONFIG_KEY.equals(oidcConfigProperty)) {
                     value = providerConfig.authorizationPath();
                 }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcImpl.java

@@ -13,7 +13,7 @@
 
 final class OidcImpl implements Oidc {
 
-    private Map<String, OidcTenantConfig> staticTenantConfigs;
+    private final Map<String, OidcTenantConfig> staticTenantConfigs;
     private OidcTenantConfig defaultTenantConfig;
 
     OidcImpl(OidcConfig config) {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcUtils.java

@@ -574,7 +574,7 @@ static OidcTenantConfig mergeTenantConfig(OidcTenantConfig tenant, OidcTenantCon
     static OidcTenantConfig resolveProviderConfig(OidcTenantConfig oidcTenantConfig) {
         if (oidcTenantConfig != null && oidcTenantConfig.provider().isPresent()) {
             return OidcUtils.mergeTenantConfig(oidcTenantConfig,
-                    KnownOidcProviders.provider(oidcTenantConfig.provider.get()));
+                    KnownOidcProviders.provider(oidcTenantConfig.provider().get()));
         } else {
             return oidcTenantConfig;
         }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantContextFactory.java

@@ -220,8 +220,8 @@ private Uni<TenantConfigContext> createTenantContext(OidcTenantConfig oidcTenant
         }
         if (oidcConfig.token().verifyAccessTokenWithUserInfo().orElse(false) && !OidcUtils.isWebApp(oidcConfig)
                 && !enableUserInfo(oidcConfig)) {
-            throw new ConfigurationException(
-                    "UserInfo is not required but 'verifyAccessTokenWithUserInfo' is enabled");
+            String propertyName = getConfigPropertyForTenant(tenantId, "token.verify-access-token-with-user-info");
+            throw new ConfigurationException("UserInfo is not required but '%s' is enabled".formatted(propertyName));
         }
         if (!oidcConfig.authentication().idTokenRequired().orElse(true) && OidcUtils.isWebApp(oidcConfig)
                 && StepUpAuthenticationPolicy.isEnabled()) {
@@ -234,7 +234,8 @@ private Uni<TenantConfigContext> createTenantContext(OidcTenantConfig oidcTenant
         }
         if (!oidcConfig.authentication().idTokenRequired().orElse(true) && !enableUserInfo(oidcConfig)) {
             throw new ConfigurationException(
-                    "UserInfo is not required but it will be needed to verify a code flow access token");
+                    "UserInfo is not required for OIDC tenant '%s' but it will be needed to verify a code flow access token"
+                            .formatted(tenantId));
         }
 
         if (!oidcConfig.discoveryEnabled().orElse(true)) {