Merge pull request #50333 from michalvavrik/feature/fix-oidc-redis-token-man-native

Fix OIDC Redis Token State Manager serialization in native mode

Author: sberyozkin

extensions/oidc-redis-token-state-manager/deployment/src/main/java/io/quarkus/oidc/redis/token/state/manager/deployment/OidcRedisTokenStateManagerProcessor.java

@@ -12,7 +12,9 @@
 import io.quarkus.deployment.annotations.BuildSteps;
 import io.quarkus.deployment.annotations.ExecutionTime;
 import io.quarkus.deployment.annotations.Record;
+import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.oidc.TokenStateManager;
+import io.quarkus.oidc.redis.token.state.manager.runtime.AuthorizationCodeTokensRecord;
 import io.quarkus.oidc.redis.token.state.manager.runtime.OidcRedisTokenStateManagerRecorder;
 import io.quarkus.redis.client.RedisClientName;
 import io.quarkus.redis.datasource.ReactiveRedisDataSource;
@@ -27,6 +29,12 @@ RequestedRedisClientBuildItem requestRedisClient(OidcRedisTokenStateManagerBuild
         return new RequestedRedisClientBuildItem(buildConfig.redisClientName());
     }
 
+    @BuildStep
+    ReflectiveClassBuildItem registerTokenStateRecordForReflection() {
+        return ReflectiveClassBuildItem.builder(AuthorizationCodeTokensRecord.class)
+                .serialization().fields().methods().constructors().build();
+    }
+
     @Record(ExecutionTime.STATIC_INIT)
     @BuildStep
     SyntheticBeanBuildItem createTokenStateManager(OidcRedisTokenStateManagerRecorder recorder,

extensions/oidc-redis-token-state-manager/runtime/src/main/java/io/quarkus/oidc/redis/token/state/manager/runtime/AuthorizationCodeTokensRecord.java

@@ -0,0 +1,16 @@
+package io.quarkus.oidc.redis.token.state.manager.runtime;
+
+import io.quarkus.oidc.AuthorizationCodeTokens;
+
+public record AuthorizationCodeTokensRecord(String idToken, String accessToken, String refreshToken, Long accessTokenExpiresIn,
+        String accessTokenScope) {
+
+    static AuthorizationCodeTokensRecord of(AuthorizationCodeTokens tokens) {
+        return new AuthorizationCodeTokensRecord(tokens.getIdToken(), tokens.getAccessToken(), tokens.getRefreshToken(),
+                tokens.getAccessTokenExpiresIn(), tokens.getAccessTokenScope());
+    }
+
+    AuthorizationCodeTokens toTokens() {
+        return new AuthorizationCodeTokens(idToken, accessToken, refreshToken, accessTokenExpiresIn, accessTokenScope);
+    }
+}

extensions/oidc-redis-token-state-manager/runtime/src/main/java/io/quarkus/oidc/redis/token/state/manager/runtime/OidcRedisTokenStateManager.java

@@ -80,17 +80,4 @@ private static SetArgs newSetArgs(RoutingContext event) {
     private static Instant expiresAt(RoutingContext event) {
         return Instant.now().plusSeconds(event.<Long> get(SESSION_MAX_AGE_PARAM));
     }
-
-    record AuthorizationCodeTokensRecord(String idToken, String accessToken, String refreshToken, Long accessTokenExpiresIn,
-            String accessTokenScope) {
-
-        private static AuthorizationCodeTokensRecord of(AuthorizationCodeTokens tokens) {
-            return new AuthorizationCodeTokensRecord(tokens.getIdToken(), tokens.getAccessToken(), tokens.getRefreshToken(),
-                    tokens.getAccessTokenExpiresIn(), tokens.getAccessTokenScope());
-        }
-
-        private AuthorizationCodeTokens toTokens() {
-            return new AuthorizationCodeTokens(idToken, accessToken, refreshToken, accessTokenExpiresIn, accessTokenScope);
-        }
-    }
 }

integration-tests/keycloak-authorization/pom.xml

@@ -30,6 +30,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-oidc</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc-redis-token-state-manager</artifactId>
+        </dependency>
 
         <!-- test dependencies -->
         <dependency>
@@ -101,6 +105,19 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc-redis-token-state-manager-deployment</artifactId>
+            <version>${project.version}</version>
+            <type>pom</type>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>org.awaitility</groupId>
             <artifactId>awaitility</artifactId>

integration-tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/PublicResource.java

@@ -1,11 +1,23 @@
 package io.quarkus.it.keycloak;
 
+import jakarta.inject.Inject;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 
+import io.quarkus.redis.datasource.ReactiveRedisDataSource;
+
 @Path("/api")
 public class PublicResource {
 
+    @Inject
+    ReactiveRedisDataSource redisDataSource;
+
+    @Path("/token-state-count")
+    @GET
+    public int tokenStateCount() {
+        return redisDataSource.execute("DBSIZE").await().indefinitely().toInteger();
+    }
+
     @GET
     @Path("public")
     public void serve() {

integration-tests/keycloak-authorization/src/test/java/io/quarkus/it/keycloak/AbstractPolicyEnforcerTest.java

@@ -8,6 +8,8 @@
 import java.net.URL;
 import java.time.Duration;
 
+import org.awaitility.Awaitility;
+import org.hamcrest.Matchers;
 import org.htmlunit.FailingHttpStatusCodeException;
 import org.htmlunit.SilentCssErrorHandler;
 import org.htmlunit.WebResponse;
@@ -19,6 +21,7 @@
 
 import io.quarkus.test.common.http.TestHTTPResource;
 import io.quarkus.test.keycloak.client.KeycloakTestClient;
+import io.restassured.RestAssured;
 import io.vertx.core.Vertx;
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.web.client.WebClient;
@@ -69,6 +72,7 @@ public void testUserHasSuperUserRoleWebTenant() throws Exception {
     }
 
     private void testWebAppTenantAllowed(String user) throws Exception {
+        Awaitility.await().atMost(REQUEST_TIMEOUT).untilAsserted(() -> assertTokenStateCount(0));
         try (final org.htmlunit.WebClient webClient = createWebClient()) {
             HtmlPage page = webClient.getPage("http://localhost:8081/api-permission-webapp");
 
@@ -88,6 +92,7 @@ private void testWebAppTenantAllowed(String user) throws Exception {
             assureGetPathWithCookie("//api-permission-webapp", cookie, 200, null, "Permission Resource WebApp");
 
             webClient.getCookieManager().clearCookies();
+            Awaitility.await().atMost(REQUEST_TIMEOUT).untilAsserted(() -> assertTokenStateCount(1));
         }
     }
 
@@ -279,4 +284,11 @@ private void assurePostPath(String path, String requestBody, int expectedStatusC
         }
     }
 
+    private static void assertTokenStateCount(Integer expectedNumOfTokens) {
+        RestAssured
+                .get("/api/token-state-count")
+                .then()
+                .statusCode(200)
+                .body(Matchers.is(expectedNumOfTokens.toString()));
+    }
 }