-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for the TLS registry to OIDC and OIDC client extensions #43148
Add support for the TLS registry to OIDC and OIDC client extensions #43148
Conversation
michalvavrik
commented
Sep 9, 2024
- Closes: Add support for the TLS registry to the OIDC Common HTTP client #41001
🙈 The PR is closed and the preview is expired. |
This comment has been minimized.
This comment has been minimized.
docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc
Outdated
Show resolved
Hide resolved
Hi Michal, @michalvavrik Thanks for this PR, and I'm sure it will work out well, but my immediate concern is that I'm seeing OIDC users are asked to enter one more configuration property and I don't see what is the point. So before me going further with the review, I'd like us agree on it. |
Old code still works, I simply c&p original tests and changed config properties, original tests are still in place. Dropping deprecation of config properties and of docs adjustments is matter of minute. I can do that.
I deprecated OIDC-specific properties because of this sentence in ADR:
So, yes, there can be one extra property in case the TLS registry is only configured for let's say JWT credentials via keystore. On the other hand, OIDC-specific code in place only works TL;DR; if you want to keep existing OIDC-specific stuff in place, nothing forces us to deprecate it. I don't have strong opinion, honestly, these are little things. Let me know. |
Hi @michalvavrik, thanks, let me get back to you on it, I've been thinking, can we have a convention, like a default oidc tls registry name, say I'd also consider giving an example of the old approach and explain it may be eventually gone. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good - I just asked a few questions.
docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc
Outdated
Show resolved
Hide resolved
...zation/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerUtil.java
Show resolved
Hide resolved
...zation/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerUtil.java
Show resolved
Hide resolved
FYI @sberyozkin , when the old config is deprecated, it disappears from list of configuration properties, so it is either keeping the OIDC-specific properties not deprecated, or removing them from docs. Both does not make sense. |
docs/src/main/asciidoc/security-openid-connect-client-reference.adoc
Outdated
Show resolved
Hide resolved
...deployment/src/test/java/io/quarkus/oidc/client/OidcClientCredentialsJwtTlsRegistryTest.java
Outdated
Show resolved
Hide resolved
...oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcClientCommonConfig.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry Michal, all the changes impacting Credentials.JWT should be reverted
Well, not that I mind, but I don't understand you. I won't answer individual comments because it makes sense to discuss this at one place. Here it is: Why cannot user use one shared registry among |
@sberyozkin to quicken this discussion bit and cut down your time, you are basically saying it's called TLS registry not Keystore registry so we cannot use it for this purpose because here, we don't configure TLS, right? Yeah, I don't have answer for that, apart of that I don't care how is it called, it's positive feature. Let me remove it and wait if there is ever user request for this option. |
@michalvavrik Using the private key from the keystore to create a signed authentication token is really nothing to do with TLS or any registry, in fact one of the ideas about using this authentication method is to be able to use plain HTTP since the client secret won't be going on the wire. |
Yeah, thanks @michalvavrik, things like trust all, etc, do not apply in this case. This signed token might travel over MTLS to OIDC but I'd say it would be either MTLS or just plain HTTP plus this token. |
Copy that, will push changes in couple of minutes. |
c31e62f
to
2c2c2dc
Compare
2c2c2dc
to
46f3904
Compare
Status for workflow
|