How to use the OIDC client when endpoint is protected with Basic Auth?

[hakuseki]

I have an endpoint I need to connect to for a REST query but first I need to obtain an access token.
I'd like to use the OIDC client in Quarkus but my endpoint is protected with Basic Auth so I need to send that header.
After retrieving the access_token I can use that without Basic Auth anymore.

Is it possible to use the Quarkus properties for this?
I have tried using the OIDC Client but it always fails, one obstacle is the mandatory client_id.
My endpoint does not require client_id or client_secret, the grant_type is client_credentials.

Maybe this is not possible and the implementation made on the endpoint is an oxymoron? ¯_(ツ)_/¯

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

@hakuseki

If I understand it correctly, the client id and secret are already available in the incoming Authorization Basic scheme value, and it is totally dynamic, so can not be preconfigured, right ?

In that case I think you have to create OidcClient programmatically, see an example in https://quarkus.io/guides/security-openid-connect-client-reference#use-oidc-clients, and then decode the incoming Basic scheme value to get the client id and secret, and set them on this newly created OidcClient, and since the Basic authentication is the default, it will send Authorization: Basic encoded(client_id:secret).

Can you try it please ?

[hakuseki]

There’s no client_id/secret available explicitly. Should I use the credentials for the Basic Auth as those as well do you mean?

[sberyozkin]

@hakuseki You only have to configure OidcClient with the id/secret which you extract from the incoming Basic content, OidcClient will not send them explicitly, but will only recreate an Authorization: Basic ... header using these configured client id and secret.

[hakuseki]

I only have username and password and that I should send a grant_type=client_credentials to the endpoint.
The endpoint is protected using Basic Auth.

How can I configure my OIDC client to handle this?

I can't see any options to provide the username/password header and the client_id MUST be provided otherwise it throws an Exception

[hakuseki]

I worked it out.
Setting client_id/client_secret equal to username/password and also the grant-options to username/password it work out of the box

"%dev":
  quarkus:
    oidc-client:
      grant-options:
        password:
          username: ${my.username}
          password: ${my.password}
      grant:
        type: client
      discovery-enabled: true
      client-id: ${my.username}
      credentials:
        secret: ${my.password}
      token-path: ${my.url}${my.tokenPath}
    

[sberyozkin]

@hakuseki OK, it was not quite clear to me what was needed... FYI, you don't need the grant-options as it sets up in your case what should be done for the password grant, while you need the client grant. Also, the discovery-enabled: true and grant.type=client are default values

[hakuseki]

thx for your input, much appreciated!