Merge pull request #51064 from sberyozkin/recreate_id_token

Generate ID token if issued ID token was not refreshed

Author: sberyozkin

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -1375,16 +1375,19 @@ public AuthorizationCodeTokens apply(AuthorizationCodeTokens tokens) {
                         }
 
                         if (tokens.getIdToken() == null) {
-                            if (isIdTokenRequired(configContext) || !isInternalIdToken(currentIdToken, configContext)) {
-                                if (!autoRefresh) {
+                            if (autoRefresh) {
+                                // Auto-refresh is triggered while current ID token is still valid, continue using it.
+                                tokens.setIdToken(currentIdToken);
+                            } else if (isIdTokenRequired(configContext)) {
+                                LOG.debugf(
+                                        "Required ID token is not returned in the refresh token grant response, re-authentication is required");
+                                throw new AuthenticationFailedException(tokenMap(currentIdToken));
+                            } else {
+                                if (!isInternalIdToken(currentIdToken, configContext)) {
                                     LOG.debugf(
-                                            "ID token is not returned in the refresh token grant response, re-authentication is required");
-                                    throw new AuthenticationFailedException(tokenMap(currentIdToken));
-                                } else {
-                                    // Auto-refresh is triggered while current ID token is still valid, continue using it.
-                                    tokens.setIdToken(currentIdToken);
+                                            "OIDC provider issued an ID token after the authorization code flow completion but did not refresh it,"
+                                                    + " an internal ID token will be generated");
                                 }
-                            } else {
                                 tokens.setIdToken(generateInternalIdToken(configContext, null, currentIdToken,
                                         tokens.getAccessTokenExpiresIn()));
                             }

integration-tests/oidc-tenancy/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java

@@ -6,6 +6,7 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
@@ -202,7 +203,7 @@ private void testTenantWebApp2(String webApp2SubPath, String expectedResult) thr
     }
 
     @Test
-    public void testCodeFlowRefreshTokens() throws IOException, InterruptedException {
+    public void testCodeFlowRefreshTokensWhenIdTokenIsExpired() throws Exception {
         try (final WebClient webClient = createWebClient()) {
             HtmlPage page = webClient.getPage("http://localhost:8081/tenant-refresh/tenant-web-app-refresh/api/user");
             assertEquals("Sign in to quarkus-webapp", page.getTitleText());
@@ -213,6 +214,8 @@ public void testCodeFlowRefreshTokens() throws IOException, InterruptedException
 
             Cookie sessionCookie = getSessionCookie(page.getWebClient(), "tenant-web-app-refresh");
             assertNotNull(sessionCookie);
+            JsonObject jwtHeaders = getIdTokenHeaders(sessionCookie.getValue());
+            assertFalse(jwtHeaders.getBoolean("internal", false));
 
             Set<Cookie> atSessionCookies = getSessionAtCookie(page.getWebClient(), "tenant-web-app-refresh");
             assertEquals(3, atSessionCookies.size());
@@ -225,10 +228,66 @@ public void testCodeFlowRefreshTokens() throws IOException, InterruptedException
                     + ", refreshToken: true",
                     page.getBody().asNormalizedText());
 
-            // Wait till the session expires - which should cause the first and also last token refresh request,
-            // id and access tokens should have new values, refresh token value should remain the same.
-            // No new sign-in process is required.
-            //await().atLeast(6, TimeUnit.SECONDS);
+            Thread.sleep(6 * 1000);
+
+            webClient.getOptions().setRedirectEnabled(false);
+            WebResponse webResponse = webClient
+                    .loadWebResponse(new WebRequest(
+                            URI.create("http://localhost:8081/tenant-refresh/tenant-web-app-refresh/api/user")
+                                    .toURL()));
+
+            Cookie sessionCookie2 = getSessionCookie(webClient, "tenant-web-app-refresh");
+            assertNotNull(sessionCookie2);
+            assertNotEquals(sessionCookie2.getValue(), sessionCookie.getValue());
+            JsonObject jwtHeaders2 = getIdTokenHeaders(sessionCookie2.getValue());
+            assertTrue(jwtHeaders2.getBoolean("internal"));
+
+            atSessionCookies = getSessionAtCookie(page.getWebClient(), "tenant-web-app-refresh");
+            assertEquals(3, atSessionCookies.size());
+            Cookie rtCookie2 = getSessionRtCookie(webClient, "tenant-web-app-refresh");
+            assertNotNull(rtCookie2);
+            assertEquals(rtCookie2.getValue(), rtCookie.getValue());
+
+            assertEquals("userName: alice, idToken: true, accessToken: true, accessTokenLongStringClaim: "
+                    + getAccessTokenLongStringClaim(atSessionCookies)
+                    + ", refreshToken: true",
+                    webResponse.getContentAsString());
+
+            webClient.getCookieManager().clearCookies();
+        }
+    }
+
+    private static JsonObject getIdTokenHeaders(String value) throws Exception {
+        return OidcUtils.decodeJwtHeaders(value);
+    }
+
+    @Test
+    public void testCodeFlowRefreshTokensWhileIdTokenIsValid() throws Exception {
+        try (final WebClient webClient = createWebClient()) {
+            HtmlPage page = webClient.getPage("http://localhost:8081/tenant-refresh/tenant-web-app-refresh/api/user");
+            assertEquals("Sign in to quarkus-webapp", page.getTitleText());
+            HtmlForm loginForm = page.getForms().get(0);
+            loginForm.getInputByName("username").setValueAttribute("alice");
+            loginForm.getInputByName("password").setValueAttribute("alice");
+            page = loginForm.getButtonByName("login").click();
+
+            Cookie sessionCookie = getSessionCookie(page.getWebClient(), "tenant-web-app-refresh");
+            assertNotNull(sessionCookie);
+            JsonObject jwtHeaders = getIdTokenHeaders(sessionCookie.getValue());
+            assertFalse(jwtHeaders.getBoolean("internal", false));
+
+            Set<Cookie> atSessionCookies = getSessionAtCookie(page.getWebClient(), "tenant-web-app-refresh");
+            assertEquals(3, atSessionCookies.size());
+
+            Cookie rtCookie = getSessionRtCookie(page.getWebClient(), "tenant-web-app-refresh");
+            assertNotNull(rtCookie);
+
+            assertEquals("userName: alice, idToken: true, accessToken: true, accessTokenLongStringClaim: "
+                    + getAccessTokenLongStringClaim(atSessionCookies)
+                    + ", refreshToken: true",
+                    page.getBody().asNormalizedText());
+
+            // Wait till a valid ID token is within the refresh token skew
             Thread.sleep(2 * 1000);
 
             webClient.getOptions().setRedirectEnabled(false);
@@ -240,6 +299,10 @@ public void testCodeFlowRefreshTokens() throws IOException, InterruptedException
             Cookie sessionCookie2 = getSessionCookie(webClient, "tenant-web-app-refresh");
             assertNotNull(sessionCookie2);
             assertEquals(sessionCookie2.getValue(), sessionCookie.getValue());
+
+            JsonObject jwtHeaders2 = getIdTokenHeaders(sessionCookie2.getValue());
+            assertFalse(jwtHeaders2.getBoolean("internal", false));
+
             atSessionCookies = getSessionAtCookie(page.getWebClient(), "tenant-web-app-refresh");
             assertEquals(3, atSessionCookies.size());
             Cookie rtCookie2 = getSessionRtCookie(webClient, "tenant-web-app-refresh");

integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/CodeFlowAuthorizationTest.java

@@ -405,6 +405,8 @@ public void testCodeFlowUserInfoCachedInIdToken() throws Exception {
             // be returned to Quarkus, analyzed and refreshed
             assertTrue(date.toInstant().getEpochSecond() - issuedAt <= 299 + 300 + 3);
 
+            assertEquals(299, decryptAccessTokenExpiryTime(webClient, "code-flow-user-info-github-cached-in-idtoken"));
+
             // This is the initial call to  the token endpoint where the code was exchanged for tokens
             wireMockServer.verify(1,
                     postRequestedFor(urlPathMatching("/auth/realms/quarkus/access_token_refreshed")));
@@ -421,12 +423,14 @@ public void testCodeFlowUserInfoCachedInIdToken() throws Exception {
 
             issuedAt = idTokenClaims.getLong("iat");
             expiresAt = idTokenClaims.getLong("exp");
-            assertEquals(305, expiresAt - issuedAt);
+            assertEquals(299, expiresAt - issuedAt);
 
             sessionCookie = getSessionCookie(webClient, "code-flow-user-info-github-cached-in-idtoken");
             date = sessionCookie.getExpires();
-            assertTrue(date.toInstant().getEpochSecond() - issuedAt >= 305 + 300);
-            assertTrue(date.toInstant().getEpochSecond() - issuedAt <= 305 + 300 + 3);
+            assertTrue(date.toInstant().getEpochSecond() - issuedAt >= 299 + 300);
+            assertTrue(date.toInstant().getEpochSecond() - issuedAt <= 299 + 300 + 3);
+
+            assertEquals(305, decryptAccessTokenExpiryTime(webClient, "code-flow-user-info-github-cached-in-idtoken"));
 
             // access token must've been refreshed
             wireMockServer.verify(1,
@@ -699,11 +703,33 @@ private void doTestCodeFlowUserInfoDynamicGithubUpdate() throws Exception {
         }
     }
 
-    private JsonObject decryptIdToken(WebClient webClient, String tenantId) throws Exception {
+    private static JsonObject decryptIdToken(WebClient webClient, String tenantId) throws Exception {
+        Cookie sessionCookie = getSessionCookie(webClient, tenantId);
+        assertNotNull(sessionCookie);
+
+        SecretKey key = getSessionCookieDecryptionKey(webClient, tenantId);
+
+        String decryptedSessionCookie = OidcUtils.decryptString(sessionCookie.getValue(), key);
+
+        String encodedIdToken = decryptedSessionCookie.split("\\|")[0];
+
+        return OidcCommonUtils.decodeJwtContent(encodedIdToken);
+    }
+
+    private static int decryptAccessTokenExpiryTime(WebClient webClient, String tenantId) throws Exception {
         Cookie sessionCookie = getSessionCookie(webClient, tenantId);
         assertNotNull(sessionCookie);
 
-        SecretKey key = null;
+        SecretKey key = getSessionCookieDecryptionKey(webClient, tenantId);
+
+        String decryptedSessionCookie = OidcUtils.decryptString(sessionCookie.getValue(), key);
+
+        // idtoken|accesstoken|accesstoken-exp-in-time|...
+        return Integer.valueOf(decryptedSessionCookie.split("\\|")[2]);
+
+    }
+
+    private static SecretKey getSessionCookieDecryptionKey(WebClient webClient, String tenantId) throws Exception {
         if ("code-flow-user-info-github".equals(tenantId)) {
             PrivateKey privateKey = KeyUtils.tryAsPemSigningPrivateKey(
                     "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyXwKqKL/"
@@ -724,18 +750,12 @@ private JsonObject decryptIdToken(WebClient webClient, String tenantId) throws E
                             + "r/ATkc4sG4kxQKBgBL9neT0TmJtxlYGzjNcjdJXs3Q91+nZt3DRMGT9s0917SuP77+FdJYocDiH1rVa9sGG8rkh1jTdqliAxDXwIm5I"
                             + "GS/0OBnkaN1nnGDk5yTiYxOutC5NSj7ecI5Erud8swW6iGqgz2ioFpGxxIYqRlgTv/6mVt41KALfKrYIkVLw",
                     SignatureAlgorithm.RS256);
-            key = OidcUtils.createSecretKeyFromDigest(privateKey.getEncoded());
+            return OidcUtils.createSecretKeyFromDigest(privateKey.getEncoded());
         } else {
-            key = OidcUtils.createSecretKeyFromDigest(
+            return OidcUtils.createSecretKeyFromDigest(
                     "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
                             .getBytes(StandardCharsets.UTF_8));
         }
-
-        String decryptedSessionCookie = OidcUtils.decryptString(sessionCookie.getValue(), key);
-
-        String encodedIdToken = decryptedSessionCookie.split("\\|")[0];
-
-        return OidcCommonUtils.decodeJwtContent(encodedIdToken);
     }
 
     private WebClient createWebClient() {
@@ -974,11 +994,11 @@ private void defineCodeFlowLogoutStub() {
                                 .withTransformers("response-template")));
     }
 
-    private Cookie getSessionCookie(WebClient webClient, String tenantId) {
+    private static Cookie getSessionCookie(WebClient webClient, String tenantId) {
         return webClient.getCookieManager().getCookie("q_session" + (tenantId == null ? "" : "_" + tenantId));
     }
 
-    private Cookie getStateCookie(WebClient webClient, String tenantId) {
+    private static Cookie getStateCookie(WebClient webClient, String tenantId) {
         return webClient.getCookieManager().getCookies().stream()
                 .filter(c -> c.getName().startsWith("q_auth" + (tenantId == null ? "" : "_" + tenantId))).findFirst()
                 .orElse(null);