Merge pull request #50548 from michalvavrik/feature/fix-extended-oidc-client-request-filter

OIDC Clients: allow to mix `@OidcClientFilter` annotation with extended builtin filters intended for `@RegisterProvider` annotation

Author: sberyozkin

extensions/oidc-client-filter/deployment/src/main/java/io/quarkus/oidc/client/filter/deployment/OidcClientFilterBuildStep.java

@@ -1,5 +1,6 @@
 package io.quarkus.oidc.client.filter.deployment;
 
+import static io.quarkus.oidc.client.deployment.OidcClientFilterDeploymentHelper.DEFAULT_OIDC_REQUEST_FILTER_NAME;
 import static io.quarkus.oidc.client.deployment.OidcClientFilterDeploymentHelper.detectCustomFiltersThatRequireResponseFilter;
 
 import java.util.Collection;
@@ -26,7 +27,6 @@
 import io.quarkus.oidc.client.filter.runtime.AbstractOidcClientRequestFilter;
 import io.quarkus.oidc.client.filter.runtime.DetectUnauthorizedClientResponseFilter;
 import io.quarkus.oidc.client.filter.runtime.OidcClientFilterConfig;
-import io.quarkus.restclient.deployment.RestClientAnnotationProviderBuildItem;
 import io.quarkus.restclient.deployment.RestClientPredicateProviderBuildItem;
 import io.quarkus.resteasy.common.spi.ResteasyJaxrsProviderBuildItem;
 
@@ -42,17 +42,16 @@ void registerProvider(BuildProducer<AdditionalBeanBuildItem> additionalBeans,
             BuildProducer<ReflectiveClassBuildItem> reflectiveClass,
             NamedOidcClientFilterBuildItem namedOidcClientFilterBuildItem,
             BuildProducer<ResteasyJaxrsProviderBuildItem> jaxrsProviders,
-            BuildProducer<RestClientPredicateProviderBuildItem> restPredicateProvider,
-            BuildProducer<RestClientAnnotationProviderBuildItem> restAnnotationProvider) {
+            BuildProducer<RestClientPredicateProviderBuildItem> restPredicateProvider) {
 
         additionalBeans.produce(AdditionalBeanBuildItem.unremovableOf(OidcClientRequestFilter.class));
         reflectiveClass.produce(ReflectiveClassBuildItem.builder(OidcClientRequestFilter.class)
                 .reason(getClass().getName())
                 .methods().fields().build());
-        final Set<String> namedFilterClientClasses = namedOidcClientFilterBuildItem.namedFilterClientClasses;
 
         // register default request filter provider against the rest of the clients (client != namedFilterClientClasses)
         if (config.registerFilter()) {
+            final Set<String> namedFilterClientClasses = namedOidcClientFilterBuildItem.namedFilterClientClasses;
             if (namedFilterClientClasses.isEmpty()) {
                 // register default request filter as global rest client provider
                 jaxrsProviders.produce(new ResteasyJaxrsProviderBuildItem(OidcClientRequestFilter.class.getName()));
@@ -69,7 +68,7 @@ public boolean test(ClassInfo restClientClassInfo) {
                         return !namedFilterClientClasses.contains(restClientClassInfo.name().toString());
                     }
                 };
-                // register all clients without @OidcClientFilter("clientName")
+                // register all clients without @OidcClientFilter
                 restPredicateProvider
                         .produce(new RestClientPredicateProviderBuildItem(OidcClientRequestFilter.class.getName(),
                                 isNotNamedFilterClient));
@@ -78,33 +77,6 @@ public boolean test(ClassInfo restClientClassInfo) {
                             DetectUnauthorizedClientResponseFilter.class.getName(), isNotNamedFilterClient));
                 }
             }
-        } else {
-            if (namedFilterClientClasses.isEmpty()) {
-                // register default request filter against all the Rest clients annotated with @OidcClientFilter
-                restAnnotationProvider.produce(new RestClientAnnotationProviderBuildItem(OIDC_CLIENT_FILTER,
-                        OidcClientRequestFilter.class));
-                if (config.refreshOnUnauthorized()) {
-                    restAnnotationProvider.produce(new RestClientAnnotationProviderBuildItem(OIDC_CLIENT_FILTER,
-                            DetectUnauthorizedClientResponseFilter.class));
-                }
-            } else {
-                // register default request filter against Rest client annotated with @OidcClientFilter without named ones
-                var isNotNamedFilterClient = new Predicate<ClassInfo>() {
-                    // test whether the provider should be added restClientClassInfo
-                    @Override
-                    public boolean test(ClassInfo restClientClassInfo) {
-                        // do not register default request filter as provider against Rest client with named filter
-                        return restClientClassInfo.hasAnnotation(OIDC_CLIENT_FILTER)
-                                && !namedFilterClientClasses.contains(restClientClassInfo.name().toString());
-                    }
-                };
-                restPredicateProvider.produce(new RestClientPredicateProviderBuildItem(OidcClientRequestFilter.class.getName(),
-                        isNotNamedFilterClient));
-                if (config.refreshOnUnauthorized()) {
-                    restPredicateProvider.produce(new RestClientPredicateProviderBuildItem(
-                            DetectUnauthorizedClientResponseFilter.class.getName(), isNotNamedFilterClient));
-                }
-            }
         }
     }
 
@@ -114,46 +86,44 @@ NamedOidcClientFilterBuildItem registerNamedProviders(BuildProducer<ReflectiveCl
             BuildProducer<RestClientPredicateProviderBuildItem> restPredicateProvider,
             BuildProducer<GeneratedBeanBuildItem> generatedBean) {
 
-        // create and register named request filter for each @OidcClientFilter("clientName")
+        // create and register request filter for each @OidcClientFilter annotation instance
         final var helper = new OidcClientFilterDeploymentHelper<>(AbstractOidcClientRequestFilter.class, generatedBean,
                 config.refreshOnUnauthorized());
         Collection<AnnotationInstance> instances = indexBuildItem.getIndex().getAnnotations(OIDC_CLIENT_FILTER);
         final Set<String> namedFilterClientClasses = new HashSet<>();
         for (AnnotationInstance instance : instances) {
-            // get client name from annotation @OidcClientFilter("clientName")
-            final String clientName = OidcClientFilterDeploymentHelper.getClientName(instance);
-            // do not create & register named filter for the OidcClient registered through configuration property
-            // as default request filter got it covered
-            if (clientName != null && !clientName.equals(config.clientName().orElse(null))) {
-
-                // create named filter class for named OidcClient
-                // we generate exactly one custom filter for each named client specified through annotation
-                final var generatedProvider = helper.getOrCreateNamedTokensProducerFor(clientName);
-                final var targetRestClient = instance.target().asClass().name().toString();
-                namedFilterClientClasses.add(targetRestClient);
-
-                // register for reflection
-                reflectiveClass.produce(ReflectiveClassBuildItem.builder(generatedProvider).methods()
-                        .reason(getClass().getName())
-                        .fields().serialization(true).build());
-
-                var isAnnotatedRestClient = new Predicate<ClassInfo>() {
-                    // test whether the provider should be added restClientClassInfo
-                    @Override
-                    public boolean test(ClassInfo restClientClassInfo) {
-                        return targetRestClient.equals(restClientClassInfo.name().toString());
-                    }
-                };
-
-                // register named request filter provider against Rest client
-                restPredicateProvider.produce(new RestClientPredicateProviderBuildItem(generatedProvider,
-                        isAnnotatedRestClient));
+            // get client name from annotation @OidcClientFilter
+            String clientName = OidcClientFilterDeploymentHelper.getClientName(instance);
+            if (clientName == null) {
+                clientName = config.clientName().orElse(DEFAULT_OIDC_REQUEST_FILTER_NAME);
+            }
 
-                if (config.refreshOnUnauthorized()) {
-                    restPredicateProvider
-                            .produce(new RestClientPredicateProviderBuildItem(
-                                    DetectUnauthorizedClientResponseFilter.class.getName(), isAnnotatedRestClient));
+            // we generate exactly one custom filter for each @OidcClientFilter client specified through annotation
+            final var generatedProvider = helper.getOrCreateNamedTokensProducerFor(clientName);
+            final var targetRestClient = instance.target().asClass().name().toString();
+            namedFilterClientClasses.add(targetRestClient);
+
+            // register for reflection
+            reflectiveClass.produce(ReflectiveClassBuildItem.builder(generatedProvider).methods()
+                    .reason(getClass().getName())
+                    .fields().serialization(true).build());
+
+            var isAnnotatedRestClient = new Predicate<ClassInfo>() {
+                // test whether the provider should be added restClientClassInfo
+                @Override
+                public boolean test(ClassInfo restClientClassInfo) {
+                    return targetRestClient.equals(restClientClassInfo.name().toString());
                 }
+            };
+
+            // register named request filter provider against Rest client
+            restPredicateProvider.produce(new RestClientPredicateProviderBuildItem(generatedProvider,
+                    isAnnotatedRestClient));
+
+            if (config.refreshOnUnauthorized()) {
+                restPredicateProvider
+                        .produce(new RestClientPredicateProviderBuildItem(
+                                DetectUnauthorizedClientResponseFilter.class.getName(), isAnnotatedRestClient));
             }
         }
         return new NamedOidcClientFilterBuildItem(namedFilterClientClasses);

extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/ExtendedOidcClientRequestFilter.java

@@ -0,0 +1,8 @@
+package io.quarkus.oidc.client.filter;
+
+import jakarta.annotation.Priority;
+import jakarta.ws.rs.Priorities;
+
+@Priority(Priorities.AUTHENTICATION)
+public class ExtendedOidcClientRequestFilter extends OidcClientRequestFilter {
+}

extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/ExtendedOidcClientRequestFilterDevModeTest.java

@@ -0,0 +1,55 @@
+package io.quarkus.oidc.client.filter;
+
+import static org.hamcrest.Matchers.equalTo;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusDevModeTest;
+import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager;
+import io.restassured.RestAssured;
+
+@QuarkusTestResource(KeycloakTestResourceLifecycleManager.class)
+public class ExtendedOidcClientRequestFilterDevModeTest {
+
+    private static final Class<?>[] testClasses = {
+            ProtectedResource.class,
+            ProtectedResourceServiceNamedOidcClient.class,
+            ProtectedResourceServiceConfigPropertyOidcClient.class,
+            ProtectedResourceServiceExtendedOidcClientRequestFilter.class,
+            NamedOidcClientResource.class,
+            ExtendedOidcClientRequestFilter.class,
+            ExtendedOidcClientRequestFilterResource.class
+    };
+
+    @RegisterExtension
+    static final QuarkusDevModeTest test = new QuarkusDevModeTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(testClasses)
+                    .addAsResource("application-extended-oidc-client-request-filter.properties", "application.properties"));
+
+    @Test
+    public void testGerUserConfigPropertyAndAnnotation() {
+        // OidcClient selected via @OidcClient("clientName")
+        RestAssured.when().get("/named-oidc-client/user-name")
+                .then()
+                .statusCode(200)
+                .body(equalTo("jdoe"));
+
+        // @OidcClientFilter: OidcClient selected via `quarkus.oidc-client-filter.client-name=config-property`
+        RestAssured.when().get("/config-property-oidc-client/annotation/user-name")
+                .then()
+                .statusCode(200)
+                .body(equalTo("alice"));
+
+        // @RegisterProvider(ExtendedOidcClientRequestFilter.class)
+        // OidcClient selected via `quarkus.oidc-client-filter.client-name=config-property`
+        // ExtendedOidcClientRequestFilter extends OidcClientRequestFilter
+        RestAssured.when().get("/config-property-oidc-client/extended-provider/user-name")
+                .then()
+                .statusCode(200)
+                .body(equalTo("alice"));
+    }
+
+}

extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/ExtendedOidcClientRequestFilterResource.java

@@ -0,0 +1,31 @@
+package io.quarkus.oidc.client.filter;
+
+import jakarta.inject.Inject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+import org.eclipse.microprofile.rest.client.inject.RestClient;
+
+@Path("/config-property-oidc-client")
+public class ExtendedOidcClientRequestFilterResource {
+
+    @Inject
+    @RestClient
+    ProtectedResourceServiceConfigPropertyOidcClient protectedResourceServiceConfigPropertyOidcClient;
+
+    @Inject
+    @RestClient
+    ProtectedResourceServiceExtendedOidcClientRequestFilter protectedResourceServiceExtendedOidcClientRequestFilter;
+
+    @GET
+    @Path("/annotation/user-name")
+    public String userName() {
+        return protectedResourceServiceConfigPropertyOidcClient.getUserName();
+    }
+
+    @GET
+    @Path("/extended-provider/user-name")
+    public String extendedOidcClientRequestFilterUserName() {
+        return protectedResourceServiceExtendedOidcClientRequestFilter.getUserName();
+    }
+}

extensions/oidc-client-filter/deployment/src/test/java/io/quarkus/oidc/client/filter/ProtectedResourceServiceExtendedOidcClientRequestFilter.java

@@ -0,0 +1,16 @@
+package io.quarkus.oidc.client.filter;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+
+import org.eclipse.microprofile.rest.client.annotation.RegisterProvider;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+@RegisterProvider(ExtendedOidcClientRequestFilter.class)
+@RegisterRestClient
+@Path("/")
+public interface ProtectedResourceServiceExtendedOidcClientRequestFilter {
+
+    @GET
+    String getUserName();
+}

extensions/oidc-client-filter/deployment/src/test/resources/application-extended-oidc-client-request-filter.properties

@@ -0,0 +1,24 @@
+quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus/
+quarkus.oidc.client-id=quarkus-service-app
+quarkus.oidc.credentials.secret=secret
+
+quarkus.resteasy-client-oidc-filter.client-name=config-property
+quarkus.oidc-client.config-property.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc-client.config-property.client-id=${quarkus.oidc.client-id}
+quarkus.oidc-client.config-property.credentials.client-secret.value=${quarkus.oidc.credentials.secret}
+quarkus.oidc-client.config-property.credentials.client-secret.method=POST
+quarkus.oidc-client.config-property.grant.type=password
+quarkus.oidc-client.config-property.grant-options.password.username=alice
+quarkus.oidc-client.config-property.grant-options.password.password=alice
+
+quarkus.oidc-client.named.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc-client.named.client-id=${quarkus.oidc.client-id}
+quarkus.oidc-client.named.credentials.client-secret.value=${quarkus.oidc.credentials.secret}
+quarkus.oidc-client.named.credentials.client-secret.method=POST
+quarkus.oidc-client.named.grant.type=password
+quarkus.oidc-client.named.grant-options.password.username=jdoe
+quarkus.oidc-client.named.grant-options.password.password=jdoe
+
+io.quarkus.oidc.client.filter.ProtectedResourceServiceNamedOidcClient/mp-rest/url=http://localhost:8080/protected
+io.quarkus.oidc.client.filter.ProtectedResourceServiceConfigPropertyOidcClient/mp-rest/url=http://localhost:8080/protected
+io.quarkus.oidc.client.filter.ProtectedResourceServiceExtendedOidcClientRequestFilter/mp-rest/url=http://localhost:8080/protected

extensions/oidc-client-filter/runtime/src/main/java/io/quarkus/oidc/client/filter/OidcClientRequestFilter.java

@@ -17,7 +17,7 @@
 public class OidcClientRequestFilter extends AbstractOidcClientRequestFilter {
 
     @Inject
-    OidcClientFilterConfig oidcClientFilterConfig;
+    public OidcClientFilterConfig oidcClientFilterConfig;
 
     protected Optional<String> clientId() {
         return oidcClientFilterConfig.clientName();

extensions/oidc-client-filter/runtime/src/main/java/io/quarkus/oidc/client/filter/runtime/AbstractOidcClientRequestFilter.java

@@ -12,7 +12,7 @@
 import io.quarkus.oidc.client.runtime.DisabledOidcClientException;
 import io.quarkus.oidc.common.runtime.OidcConstants;
 
-public class AbstractOidcClientRequestFilter extends AbstractTokensProducer implements ClientRequestFilter {
+public abstract class AbstractOidcClientRequestFilter extends AbstractTokensProducer implements ClientRequestFilter {
     private static final Logger LOG = Logger.getLogger(AbstractOidcClientRequestFilter.class);
     private static final String BEARER_SCHEME_WITH_SPACE = OidcConstants.BEARER_SCHEME + " ";
     static final String REQUEST_FILTER_KEY = "io.quarkus.oidc.client.filter.runtime.AbstractOidcClientRequestFilter#this";

extensions/oidc-client-reactive-filter/deployment/src/main/java/io/quarkus/oidc/client/reactive/filter/deployment/OidcClientReactiveFilterBuildStep.java

@@ -1,5 +1,6 @@
 package io.quarkus.oidc.client.reactive.filter.deployment;
 
+import static io.quarkus.oidc.client.deployment.OidcClientFilterDeploymentHelper.DEFAULT_OIDC_REQUEST_FILTER_NAME;
 import static io.quarkus.oidc.client.deployment.OidcClientFilterDeploymentHelper.detectCustomFiltersThatRequireResponseFilter;
 
 import java.util.Collection;
@@ -35,13 +36,10 @@
 public class OidcClientReactiveFilterBuildStep {
 
     private static final DotName OIDC_CLIENT_FILTER = DotName.createSimple(OidcClientFilter.class.getName());
-    private static final DotName OIDC_CLIENT_REQUEST_REACTIVE_FILTER = DotName
-            .createSimple(OidcClientRequestReactiveFilter.class.getName());
     OidcClientReactiveFilterConfig oidcClientReactiveFilterConfig;
     private static final DotName DETECT_401_RESPONSE_FILTER = DotName
             .createSimple(DetectUnauthorizedClientResponseFilter.class.getName());
 
-    // we simply pretend that @OidcClientFilter means @RegisterProvider(OidcClientRequestReactiveFilter.class)
     @BuildStep
     void oidcClientFilterSupport(CombinedIndexBuildItem indexBuildItem, BuildProducer<GeneratedBeanBuildItem> generatedBean,
             BuildProducer<RegisterProviderAnnotationInstanceBuildItem> producer) {
@@ -52,17 +50,14 @@ void oidcClientFilterSupport(CombinedIndexBuildItem indexBuildItem, BuildProduce
         for (AnnotationInstance instance : instances) {
 
             // get client name from annotation @OidcClientFilter("clientName")
-            final String clientName = OidcClientFilterDeploymentHelper.getClientName(instance);
-            final AnnotationValue valueAttr;
-            if (clientName != null && !clientName.equals(oidcClientReactiveFilterConfig.clientName().orElse(null))) {
-                // create and use custom filter for named OidcClient
-                // we generate exactly one custom filter for each named client specified through annotation
-                valueAttr = createClassValue(helper.getOrCreateFilter(clientName));
-            } else {
-                // use default filter for either default OidcClient or the client configured with config properties
-                valueAttr = createClassValue(OIDC_CLIENT_REQUEST_REACTIVE_FILTER);
+            String clientName = OidcClientFilterDeploymentHelper.getClientName(instance);
+            if (clientName == null) {
+                clientName = oidcClientReactiveFilterConfig.clientName().orElse(DEFAULT_OIDC_REQUEST_FILTER_NAME);
             }
 
+            // we generate exactly one custom filter for each named client specified through annotation
+            final AnnotationValue valueAttr = createClassValue(helper.getOrCreateFilter(clientName));
+
             final AnnotationValue priorityAttr = AnnotationValue.createIntegerValue("priority", Priorities.AUTHENTICATION);
             String targetClass = instance.target().asClass().name().toString();
             producer.produce(new RegisterProviderAnnotationInstanceBuildItem(targetClass, AnnotationInstance.create(