Merge pull request quarkusio#50397 from sberyozkin/oidc_log_and_revoke_request_filter_fix

sberyozkin · web-flow · commit 47962c5e4fdb · 2025-10-03T15:56:08.000+01:00
Fix OIDC TokenRevocation filter binding and improve request logging
diff --git a/extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientImpl.java b/extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientImpl.java
@@ -41,9 +41,19 @@
 public class OidcClientImpl implements OidcClient {
 
     private enum Operation {
-        Get,
-        Refresh,
-        Revoke
+        GET("Get"),
+        REFRESH("Refresh"),
+        REVOKE("Revoke");
+
+        String op;
+
+        Operation(String op) {
+            this.op = op;
+        }
+
+        String operation() {
+            return op;
+        }
     }
 
     private static final Logger LOG = Logger.getLogger(OidcClientImpl.class);
@@ -101,7 +111,7 @@ public Uni<Tokens> getTokens(Map<String, String> additionalGrantParameters) {
             throw new OidcClientException(
                     "Only 'refresh_token' grant is supported, please call OidcClient#refreshTokens method instead");
         }
-        return getJsonResponse(OidcEndpoint.Type.TOKEN, tokenGrantParams, additionalGrantParameters, Operation.Get);
+        return getJsonResponse(OidcEndpoint.Type.TOKEN, tokenGrantParams, additionalGrantParameters, Operation.GET);
     }
 
     @Override
@@ -112,7 +122,7 @@ public Uni<Tokens> refreshTokens(String refreshToken, Map<String, String> additi
         }
         MultiMap refreshGrantParams = copyMultiMap(commonRefreshGrantParams);
         refreshGrantParams.add(OidcConstants.REFRESH_TOKEN_VALUE, refreshToken);
-        return getJsonResponse(OidcEndpoint.Type.TOKEN, refreshGrantParams, additionalGrantParameters, Operation.Refresh);
+        return getJsonResponse(OidcEndpoint.Type.TOKEN, refreshGrantParams, additionalGrantParameters, Operation.REFRESH);
     }
 
     @Override
@@ -128,7 +138,7 @@ public Uni<Boolean> revokeAccessToken(String accessToken, Map<String, String> ad
             tokenRevokeParams.set(OidcConstants.REVOCATION_TOKEN, accessToken);
             return postRequest(requestProps, OidcEndpoint.Type.TOKEN_REVOCATION, client.postAbs(tokenRevokeUri),
                     tokenRevokeParams,
-                    additionalParameters, Operation.Revoke)
+                    additionalParameters, Operation.REVOKE)
                     .transform(resp -> toRevokeResponse(requestProps, resp));
         } else {
             LOG.debugf("%s OidcClient can not revoke the access token because the revocation endpoint URL is not set");
@@ -247,7 +257,7 @@ private UniOnItem<HttpResponse<Buffer>> postRequest(
             }
         }
         if (LOG.isDebugEnabled()) {
-            LOG.debugf("%s token: url : %s, headers: %s, request params: %s", op.name(), request.uri(), request.headers(),
+            LOG.debugf("%s token: url : %s, headers: %s, request params: %s", op.operation(), request.uri(), request.headers(),
                     body);
         }
         // Retry up to three times with a one-second delay between the retries if the connection is closed
@@ -381,6 +391,6 @@ OidcClientConfig getConfig() {
     }
 
     static boolean isRefresh(Operation op) {
-        return op == Operation.Refresh;
+        return op == Operation.REFRESH;
     }
 }
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProviderClientImpl.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProviderClientImpl.java
@@ -42,6 +42,24 @@
 import io.vertx.mutiny.ext.web.client.WebClient;
 
 public class OidcProviderClientImpl implements OidcProviderClient, Closeable {
+
+    private enum TokenOperation {
+        GET("Get"),
+        REFRESH("Refresh"),
+        INTROSPECT("Introspect"),
+        REVOKE("Revoke");
+
+        String op;
+
+        TokenOperation(String op) {
+            this.op = op;
+        }
+
+        String operation() {
+            return op;
+        }
+    }
+
     private static final Logger LOG = Logger.getLogger(OidcProviderClientImpl.class);
 
     private static final String AUTHORIZATION_HEADER = String.valueOf(HttpHeaders.AUTHORIZATION);
@@ -214,7 +232,8 @@ public Uni<TokenIntrospection> introspectAccessToken(final String token) {
         introspectionParams.add(OidcConstants.INTROSPECTION_TOKEN, token);
         introspectionParams.add(OidcConstants.INTROSPECTION_TOKEN_TYPE_HINT, OidcConstants.ACCESS_TOKEN_VALUE);
         final OidcRequestContextProperties requestProps = getRequestProps(null, null);
-        return getHttpResponse(requestProps, metadata.getIntrospectionUri(), introspectionParams, true)
+        return getHttpResponse(requestProps, metadata.getIntrospectionUri(), introspectionParams, TokenOperation.INTROSPECT,
+                OidcEndpoint.Type.INTROSPECTION)
                 .transform(resp -> getTokenIntrospection(requestProps, resp));
     }
 
@@ -234,7 +253,8 @@ Uni<AuthorizationCodeTokens> getAuthorizationCodeTokens(String code, String redi
             codeGrantParams.addAll(oidcConfig.codeGrant().extraParams());
         }
         final OidcRequestContextProperties requestProps = getRequestProps(OidcConstants.AUTHORIZATION_CODE);
-        return getHttpResponse(requestProps, metadata.getTokenUri(), codeGrantParams, false)
+        return getHttpResponse(requestProps, metadata.getTokenUri(), codeGrantParams, TokenOperation.GET,
+                OidcEndpoint.Type.TOKEN)
                 .transform(resp -> getAuthorizationCodeTokens(requestProps, resp));
     }
 
@@ -243,7 +263,8 @@ Uni<AuthorizationCodeTokens> refreshAuthorizationCodeTokens(String refreshToken)
         refreshGrantParams.add(OidcConstants.GRANT_TYPE, OidcConstants.REFRESH_TOKEN_GRANT);
         refreshGrantParams.add(OidcConstants.REFRESH_TOKEN_VALUE, refreshToken);
         final OidcRequestContextProperties requestProps = getRequestProps(OidcConstants.REFRESH_TOKEN_GRANT);
-        return getHttpResponse(requestProps, metadata.getTokenUri(), refreshGrantParams, false)
+        return getHttpResponse(requestProps, metadata.getTokenUri(), refreshGrantParams, TokenOperation.REFRESH,
+                OidcEndpoint.Type.TOKEN)
                 .transform(resp -> getAuthorizationCodeTokens(requestProps, resp));
     }
 
@@ -263,7 +284,8 @@ private Uni<Boolean> revokeToken(String token, String tokenTypeHint) {
             tokenRevokeParams.set(OidcConstants.REVOCATION_TOKEN, token);
             tokenRevokeParams.set(OidcConstants.REVOCATION_TOKEN_TYPE_HINT, tokenTypeHint);
 
-            return getHttpResponse(requestProps, metadata.getRevocationUri(), tokenRevokeParams, false)
+            return getHttpResponse(requestProps, metadata.getRevocationUri(), tokenRevokeParams, TokenOperation.REVOKE,
+                    OidcEndpoint.Type.TOKEN_REVOCATION)
                     .transform(resp -> toRevokeResponse(requestProps, resp));
         } else {
             LOG.debugf("The %s token can not be revoked because the revocation endpoint URL is not set", tokenTypeHint);
@@ -282,7 +304,7 @@ private Boolean toRevokeResponse(OidcRequestContextProperties requestProps, Http
     }
 
     private UniOnItem<HttpResponse<Buffer>> getHttpResponse(OidcRequestContextProperties requestProps, String uri,
-            MultiMap formBody, boolean introspect) {
+            MultiMap formBody, TokenOperation op, OidcEndpoint.Type endpointType) {
         HttpRequest<Buffer> request = client.postAbs(uri);
 
         Buffer buffer = null;
@@ -291,7 +313,7 @@ private UniOnItem<HttpResponse<Buffer>> getHttpResponse(OidcRequestContextProper
             request.putHeader(CONTENT_TYPE_HEADER, APPLICATION_X_WWW_FORM_URLENCODED);
             request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
 
-            if (introspect && introspectionBasicAuthScheme != null) {
+            if (isIntrospection(op) && introspectionBasicAuthScheme != null) {
                 request.putHeader(AUTHORIZATION_HEADER, introspectionBasicAuthScheme);
                 if (oidcConfig.clientId().isPresent() && oidcConfig.introspectionCredentials().includeClientId()) {
                     formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId().get());
@@ -339,14 +361,12 @@ private UniOnItem<HttpResponse<Buffer>> getHttpResponse(OidcRequestContextProper
             }
         }
         if (LOG.isDebugEnabled()) {
-            LOG.debugf("%s token: %s params: %s headers: %s", (introspect ? "Introspect" : "Get"), metadata.getTokenUri(),
-                    formBody,
-                    request.headers());
+            LOG.debugf("%s token: url : %s, headers: %s, request params: %s", op.operation(), request.uri(), request.headers(),
+                    formBody);
         }
         // Retry up to three times with a one-second delay between the retries if the connection is closed.
 
-        OidcEndpoint.Type endpoint = introspect ? OidcEndpoint.Type.INTROSPECTION : OidcEndpoint.Type.TOKEN;
-        Uni<HttpResponse<Buffer>> response = filterHttpRequest(requestProps, endpoint, request, buffer)
+        Uni<HttpResponse<Buffer>> response = filterHttpRequest(requestProps, endpointType, request, buffer)
                 .sendBuffer(OidcCommonUtils.getRequestBuffer(requestProps, buffer))
                 .onFailure(SocketException.class)
                 .retry()
@@ -475,4 +495,7 @@ public WebClient getWebClient() {
     record UserInfoResponse(String contentType, String data) {
     }
 
+    static boolean isIntrospection(TokenOperation op) {
+        return op == TokenOperation.INTROSPECT;
+    }
 }
diff --git a/integration-tests/oidc-wiremock-logout/src/main/java/io/quarkus/it/keycloak/OidcTokenRevocationRequestFilter.java b/integration-tests/oidc-wiremock-logout/src/main/java/io/quarkus/it/keycloak/OidcTokenRevocationRequestFilter.java
@@ -0,0 +1,25 @@
+package io.quarkus.it.keycloak;
+
+import jakarta.enterprise.context.ApplicationScoped;
+
+import io.quarkus.arc.Unremovable;
+import io.quarkus.oidc.common.OidcEndpoint;
+import io.quarkus.oidc.common.OidcEndpoint.Type;
+import io.quarkus.oidc.common.OidcRequestFilter;
+
+@ApplicationScoped
+@Unremovable
+@OidcEndpoint(value = { Type.TOKEN_REVOCATION })
+public class OidcTokenRevocationRequestFilter implements OidcRequestFilter {
+
+    @Override
+    public void filter(OidcRequestContext rc) {
+        String body = rc.requestBody().toString();
+        if (body.contains("token_type_hint=access_token")) {
+            rc.request().putHeader("token-revocation-filter", "access-token");
+        } else if (body.contains("token_type_hint=refresh_token")) {
+            rc.request().putHeader("token-revocation-filter", "refresh-token");
+        }
+
+    }
+}
diff --git a/integration-tests/oidc-wiremock-logout/src/test/java/io/quarkus/it/keycloak/CodeFlowAuthorizationTest.java b/integration-tests/oidc-wiremock-logout/src/test/java/io/quarkus/it/keycloak/CodeFlowAuthorizationTest.java
@@ -1,19 +1,14 @@
 package io.quarkus.it.keycloak;
 
-import static com.github.tomakehurst.wiremock.client.WireMock.containing;
+import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
 import static com.github.tomakehurst.wiremock.client.WireMock.postRequestedFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlPathMatching;
-import static org.awaitility.Awaitility.await;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import java.io.IOException;
 import java.net.URI;
-import java.time.Duration;
-import java.util.concurrent.Callable;
-import java.util.concurrent.TimeUnit;
 
 import org.htmlunit.SilentCssErrorHandler;
 import org.htmlunit.TextPage;
@@ -26,7 +21,6 @@
 import org.junit.jupiter.api.Test;
 
 import com.github.tomakehurst.wiremock.WireMockServer;
-import com.github.tomakehurst.wiremock.client.WireMock;
 
 import io.quarkus.test.common.QuarkusTestResource;
 import io.quarkus.test.junit.QuarkusTest;
@@ -48,13 +42,12 @@ public void testCodeFlowFormPostAndBackChannelLogout() throws Exception {
     }
 
     @Test
-    public void testBackChannelLogoutForDynamicTenants() throws IOException {
+    public void testBackChannelLogoutForDynamicTenants() throws Exception {
         testCodeFlowFormPostAndBackChannelLogout("dynamic-tenant-one", "back-channel-logout/dynamic-tenant-one");
         testCodeFlowFormPostAndBackChannelLogout("dynamic-tenant-two", "back-channel-logout/dynamic-tenant-two");
     }
 
-    private void testCodeFlowFormPostAndBackChannelLogout(String tenantId, String backChannelPath) throws IOException {
-        defineRevokeTokenStubs();
+    private void testCodeFlowFormPostAndBackChannelLogout(String tenantId, String backChannelPath) throws Exception {
         try (final WebClient webClient = createWebClient()) {
             webClient.getOptions().setRedirectEnabled(true);
             HtmlPage page = webClient.getPage("http://localhost:8081/service/" + tenantId);
@@ -111,44 +104,21 @@ private void testCodeFlowFormPostAndBackChannelLogout(String tenantId, String ba
 
             assertNull(getSessionCookie(webClient, tenantId));
 
-            await().atMost(10, TimeUnit.SECONDS)
-                    .pollInterval(Duration.ofSeconds(3))
-                    .until(new Callable<Boolean>() {
-                        @Override
-                        public Boolean call() throws Exception {
-                            try {
-                                wireMockServer.verify(2,
-                                        postRequestedFor(urlPathMatching("/auth/realms/quarkus/revoke")));
-                                return true;
-                            } catch (Throwable t) {
-                                return false;
-                            }
-                        }
-                    });
-
-            wireMockServer.verify(2,
-                    postRequestedFor(urlPathMatching("/auth/realms/quarkus/revoke")));
+            Thread.sleep(3000);
+
+            wireMockServer.verify(1,
+                    postRequestedFor(urlPathMatching("/auth/realms/quarkus/revoke"))
+                            .withHeader("token-revocation-filter", equalTo("access-token")));
+            wireMockServer.verify(1,
+                    postRequestedFor(urlPathMatching("/auth/realms/quarkus/revoke"))
+                            .withHeader("token-revocation-filter", equalTo("refresh-token")));
+
             wireMockServer.resetRequests();
 
             webClient.getCookieManager().clearCookies();
         }
     }
 
-    private void defineRevokeTokenStubs() {
-        wireMockServer
-                .stubFor(WireMock.post("/auth/realms/quarkus/revoke")
-                        .withRequestBody(containing("token"))
-                        .withRequestBody(containing("token_type_hint=access_token"))
-                        .willReturn(WireMock.aResponse()
-                                .withStatus(200)));
-        wireMockServer
-                .stubFor(WireMock.post("/auth/realms/quarkus/revoke")
-                        .withRequestBody(containing("token"))
-                        .withRequestBody(containing("token_type_hint=refresh_token"))
-                        .willReturn(WireMock.aResponse()
-                                .withStatus(200)));
-    }
-
     private WebClient createWebClient() {
         WebClient webClient = new WebClient();
         webClient.setCssErrorHandler(new SilentCssErrorHandler());

Original file line number	Diff line number	Diff line change
`@@ -41,9 +41,19 @@`
`41`	`41`	`public class OidcClientImpl implements OidcClient {`
`42`	`42`
`43`	`43`	`private enum Operation {`
`44`		`- Get,`
`45`		`- Refresh,`
`46`		`- Revoke`
	`44`	`+ GET("Get"),`
	`45`	`+ REFRESH("Refresh"),`
	`46`	`+ REVOKE("Revoke");`
	`47`	`+`
	`48`	`+ String op;`
	`49`	`+`
	`50`	`+ Operation(String op) {`
	`51`	`+ this.op = op;`
	`52`	`+ }`
	`53`	`+`
	`54`	`+ String operation() {`
	`55`	`+ return op;`
	`56`	`+ }`
`47`	`57`	`}`
`48`	`58`
`49`	`59`	`private static final Logger LOG = Logger.getLogger(OidcClientImpl.class);`
`@@ -101,7 +111,7 @@ public Uni<Tokens> getTokens(Map<String, String> additionalGrantParameters) {`
`101`	`111`	`throw new OidcClientException(`
`102`	`112`	`"Only 'refresh_token' grant is supported, please call OidcClient#refreshTokens method instead");`
`103`	`113`	`}`
`104`		`- return getJsonResponse(OidcEndpoint.Type.TOKEN, tokenGrantParams, additionalGrantParameters, Operation.Get);`
	`114`	`+ return getJsonResponse(OidcEndpoint.Type.TOKEN, tokenGrantParams, additionalGrantParameters, Operation.GET);`
`105`	`115`	`}`
`106`	`116`
`107`	`117`	`@Override`
`@@ -112,7 +122,7 @@ public Uni<Tokens> refreshTokens(String refreshToken, Map<String, String> additi`
`112`	`122`	`}`
`113`	`123`	`MultiMap refreshGrantParams = copyMultiMap(commonRefreshGrantParams);`
`114`	`124`	`refreshGrantParams.add(OidcConstants.REFRESH_TOKEN_VALUE, refreshToken);`
`115`		`- return getJsonResponse(OidcEndpoint.Type.TOKEN, refreshGrantParams, additionalGrantParameters, Operation.Refresh);`
	`125`	`+ return getJsonResponse(OidcEndpoint.Type.TOKEN, refreshGrantParams, additionalGrantParameters, Operation.REFRESH);`
`116`	`126`	`}`
`117`	`127`
`118`	`128`	`@Override`
`@@ -128,7 +138,7 @@ public Uni<Boolean> revokeAccessToken(String accessToken, Map<String, String> ad`
`128`	`138`	`tokenRevokeParams.set(OidcConstants.REVOCATION_TOKEN, accessToken);`
`129`	`139`	`return postRequest(requestProps, OidcEndpoint.Type.TOKEN_REVOCATION, client.postAbs(tokenRevokeUri),`
`130`	`140`	`tokenRevokeParams,`
`131`		`- additionalParameters, Operation.Revoke)`
	`141`	`+ additionalParameters, Operation.REVOKE)`
`132`	`142`	`.transform(resp -> toRevokeResponse(requestProps, resp));`
`133`	`143`	`} else {`
`134`	`144`	`LOG.debugf("%s OidcClient can not revoke the access token because the revocation endpoint URL is not set");`
`@@ -247,7 +257,7 @@ private UniOnItem<HttpResponse<Buffer>> postRequest(`
`247`	`257`	`}`
`248`	`258`	`}`
`249`	`259`	`if (LOG.isDebugEnabled()) {`
`250`		`- LOG.debugf("%s token: url : %s, headers: %s, request params: %s", op.name(), request.uri(), request.headers(),`
	`260`	`+ LOG.debugf("%s token: url : %s, headers: %s, request params: %s", op.operation(), request.uri(), request.headers(),`
`251`	`261`	`body);`
`252`	`262`	`}`
`253`	`263`	`// Retry up to three times with a one-second delay between the retries if the connection is closed`
`@@ -381,6 +391,6 @@ OidcClientConfig getConfig() {`
`381`	`391`	`}`
`382`	`392`
`383`	`393`	`static boolean isRefresh(Operation op) {`
`384`		`- return op == Operation.Refresh;`
	`394`	`+ return op == Operation.REFRESH;`
`385`	`395`	`}`
`386`	`396`	`}`