
Enhance OIDC Client to support the token revocation

Open sberyozkin opened this issue 3 years ago • 1 comment

Fixes #26867

Keeping this PR as a draft until I figure out how to test it.

I just had to refactor OidcClientImpl a little bit to reuse the code which is used to post a request.

quarkus-oidc may also support it in the next phase (e.g., to revoke the failed bearer tokens, on local logouts, etc.).

CC @FroMage, FYI, OidcClient can also be configured to talk to Apple OIDC

sberyozkin avatar Jul 21 '22 17:07 sberyozkin

@pedroigor Have a look please when you get a chance. The main initial use case is for users of Keycloak (and other providers which support the revocation) to be able to proactively revoke a given access token without going through the whole refresh process, and for some providers it can be the only option if no RT is available. But this is only the first phase. As far as OIDC client is concerned, we might consider adding another method to revoke both access and refresh tokens, which would also require passing a token hint. I'd also be interested in expanding it to quarkus-oidc (revoke the invalid bearer tokens proactively, or the tokens after the local logout, and for some other cases). I've been thinking for a while about what to return. Boolean seems reasonable, as 200 is expected from Keycloak if the token has been revoked or has already been invalidated, while 503 seems mostly a theoretical case, and I don't really expect OidcClient to then keep retrying it, for example, for another 3 mins, etc.; if really really necessary then the revocation can be retried at the application level with some configured reasonable retry period. It is just that kind of operation which does not seem worth retrying a lot, and should be tried as a single, best-effort attempt to help OIDC servers to remove the tokens.

sberyozkin avatar Jul 22 '22 16:07 sberyozkin
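The single best-effort revocation call described in the comment above, as an added example that is not code from this PR or from Quarkus. It is a plain RFC 7009 request using java.net.http with client_secret_post authentication; the class name `TokenRevoker`, the endpoint URI and the client credentials are assumptions of the example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

// Hypothetical helper: one POST to the provider's revocation endpoint, no retries.
public class TokenRevoker {
    private final HttpClient http = HttpClient.newHttpClient();
    private final URI revocationEndpoint; // e.g. Keycloak's .../protocol/openid-connect/revoke (assumed)
    private final String clientId;
    private final String clientSecret;

    public TokenRevoker(URI revocationEndpoint, String clientId, String clientSecret) {
        this.revocationEndpoint = revocationEndpoint;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Returns true only when the server answered 200, i.e. the token is now (or already was) invalid. */
    public boolean revokeAccessToken(String accessToken) throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("token", accessToken);
        form.put("token_type_hint", "access_token");
        // client_secret_post: credentials travel in the form body rather than a Basic header
        form.put("client_id", clientId);
        form.put("client_secret", clientSecret);
        String body = form.entrySet().stream()
                .map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
                .collect(Collectors.joining("&"));
        HttpRequest request = HttpRequest.newBuilder(revocationEndpoint)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<Void> response = http.send(request, HttpResponse.BodyHandlers.discarding());
        // Anything other than 200 (including a 503 from a temporarily unavailable server)
        // is reported as false; retrying is left to the application's own policy.
        return response.statusCode() == 200;
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }
}
```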

Thanks @pedroigor, let me resolve the conflict and rebuild

sberyozkin avatar Sep 12 '22 08:09 sberyozkin

:waning_crescent_moon: This workflow status is outdated as a new workflow run has been triggered.

Failing Jobs - Building a6301761df676832365f1f12656bb94808f01f2a

Status   Name                 Step
failed   JVM Tests - JDK 11   Build
failed   JVM Tests - JDK 17   Build
failed   JVM Tests - JDK 18   Build

Full information is available in the Build summary check run.

Failures

:gear: JVM Tests - JDK 11

- Failing: extensions/oidc-client-filter/deployment 
! Skipped: integration-tests/oidc-client integration-tests/oidc-client-wiremock integration-tests/oidc-token-propagation 

:package: extensions/oidc-client-filter/deployment

io.quarkus.oidc.client.filter.OidcClientFilterDevModeTest.testGetUserName line 60

java.lang.AssertionError: 
1 expectation failed.
Expected status code <200> but was <500>.

:gear: JVM Tests - JDK 17

- Failing: extensions/oidc-client-filter/deployment 
! Skipped: integration-tests/oidc-client integration-tests/oidc-client-wiremock integration-tests/oidc-token-propagation 

:package: extensions/oidc-client-filter/deployment

io.quarkus.oidc.client.filter.OidcClientFilterDevModeTest.testGetUserName line 60

java.lang.AssertionError: 
1 expectation failed.
Expected status code <200> but was <500>.

:gear: JVM Tests - JDK 18

- Failing: extensions/oidc-client-filter/deployment 
! Skipped: integration-tests/oidc-client integration-tests/oidc-client-wiremock integration-tests/oidc-token-propagation 

:package: extensions/oidc-client-filter/deployment

io.quarkus.oidc.client.filter.OidcClientFilterDevModeTest.testGetUserName line 60

java.lang.AssertionError: 
1 expectation failed.
Expected status code <200> but was <500>.

quarkus-bot[bot] avatar Sep 12 '22 11:09 quarkus-bot[bot]

During the rebase I lost the code moved in the original PR from OidcClientRecorder to OidcClientImpl (related to the client secret post auth), which is what was causing a test failure.

sberyozkin avatar Sep 12 '22 12:09 sberyozkin

:waning_crescent_moon: This workflow status is outdated as a new workflow run has been triggered.

Failing Jobs - Building 69235766c30a204464cb155a0801f45cd588bada

Status              Name                         Step
:heavy_check_mark:  JVM Tests - JDK 11
failed              JVM Tests - JDK 11 Windows   Build
:heavy_check_mark:  JVM Tests - JDK 17
:heavy_check_mark:  JVM Tests - JDK 18

Full information is available in the Build summary check run.

Failures

:gear: JVM Tests - JDK 11 Windows

- Failing: integration-tests/oidc-client-wiremock 

:package: integration-tests/oidc-client-wiremock

io.quarkus.it.keycloak.OidcClientTest.testEchoAndRefreshTokens line 39

java.lang.AssertionError: 
1 expectation failed.
Response body doesn't match expectation.

quarkus-bot[bot] avatar Sep 12 '22 14:09 quarkus-bot[bot]

Hmm...

sberyozkin avatar Sep 12 '22 15:09 sberyozkin

This test (oidc-client-wiremock) is passing all the time for me. It feels like KC 19.0.1 might not be removing some state in time between the tests, as I also saw some unexpected test failures in one of the other PRs; for the moment it is not easy to pinpoint...

sberyozkin avatar Sep 12 '22 16:09 sberyozkin