How Do I Use WireMock OIDC Server to pass a custom crafted JWT?

[InfoSec812]

I am working on switching to using Quarkus OIDC when we had previously used oauth2-proxy and passed headers/tokens through to the API server. In our existing integration-tests we would just craft JWTs and headers and pass them into the RestAssured calls, but now we would like to use WireMock OIDC Server to achieve a similar goal... In one of my Rest controllers I have a method like:

    @Inject
    @IdToken
    JsonWebToken idToken;

    String authenticateUsername() {
        Optional<String> preferredUsername = idToken.claim("preferred_username");
        if (preferredUsername.isEmpty()) {
            preferredUsername = idToken.getClaim("email");
        }
        return preferredUsername.get().split("@")[0];
    }

And in one of my tests, I am trying to use the following:

@QuarkusTest
@TestHTTPEndpoint(UserprofileApiController.class)
@QuarkusTestResource(OidcWiremockTestResource.class)
class UserprofileApiControllerIT {

    @InjectMock
    EmployeeRepository repository;
    
    String getAccessToken(String username) {
        return Jwt.preferredUserName(username).claim("preferred_username", username)
                   .claim("email", format("%[email protected]", username)).issuer("https://server.example.com")
                   .audience("https://service.example.com").sign();
    }

    @Test
    public void verifyUserIsReturnedWhenAuthenticated() throws Exception {
        String mockUserName = "jqconsultant";
        EmployeeEntity mockEmployee = (EmployeeEntity) new EmployeeEntity().email("[email protected]")
                .id("jqconsultant").role("Senior Consultant").name("John Q. Consultant");

        when(repository.findById(matches(mockUserName))).thenReturn((mockEmployee));

        String requestBody = "{\"name\": \"John Q. Consultant\", \"id\": \"jqconsultant\", \"email\": \"[email protected]\", \"role\": \"Senior Consultant\"}";

        given()
            .body(requestBody)
            .auth().oauth2(getAccessToken("jqconsultant"))
        .when()
            .get()
        .then()
            .statusCode(200)
            .body("email", Matchers.equalTo("[email protected]"))
            .body("id", Matchers.equalTo("jqconsultant"))
            .body("role", Matchers.equalTo("Senior Consultant"))
            .body("name", Matchers.equalTo("John Q. Consultant"));
    }
}

This does NOT appear to work and instead of a 200 OK, I get a 500 response because of a NullPointerException.

Any suggestions on what I might be doing wrong?

[quarkus-bot[bot]]

/cc @pedroigor, @sberyozkin

[sberyozkin]

Hi @InfoSec812

I see, so ID Token is only available in the authorization code flow, where both access and ID tokens are returned, what you are testing is effectively a bearer token authorization (quarkus.oidc.application-type=service which is a default).
If you need to work with bearer tokens then simply remove the @IdToken qualifier.
If you need to test authorization code scenarios then it has to be quarkus.oidc.application-type=web-app and HtmlUnit has to be used to test the endpoints, for example, see https://quarkus.io/guides/security-openid-connect-web-authentication#integration-testing.

Does it help ?

[InfoSec812]

It looks like I found the answer.

1. I created an abstract class which all of my integration tests inherit which looks like

   public abstract class AbstractApiIntegrationTest {
   
    String getAccessToken(String username) {
      return getAccessToken(username, "Pam Manager");
    }
   
    String getAccessToken(String username, String fullName) {
      return Jwt.preferredUserName(username).claim("preferred_username", username)
      		       .claim("name", fullName)
      		       .claim("email", format("%[email protected]", username)).issuer("https://server.example.com")
      		       .audience("https://service.example.com").sign();
    }
   }

2. I annotated each integration test class with @QuarkusTestResource(OidcWiremockTestResource.class)
3. In each RestAssured call I added given().auth().oauth2(getAccessToken(TEST_USER))
4. Finally, I configured the OIDC module in application.yaml

   %test:
       quarkus:
           oidc:
             enabled: true
             auth-server-url: ${keycloak.url}/realms/quarkus/
             client-id: quarkus-service-app
             application-type: service

This appears to be working and I can parameterize the oauth2 token by changing the getAccessToken params/methods.