Issues with GitHub OIDC flow and ID token introspection (3.15.1)

[dergreg]

I want to implement a simple web app running on localhost:8080 to authenticate with GitHub.

I read the guides https://quarkus.io/guides/security-oidc-code-flow-authentication and the specifics for GitHub https://quarkus.io/guides/security-openid-connect-providers#github, but I keep receiving a 401 after authentication (which seems to work fine).

Here's the config:

quarkus.oidc.application-type=web-app
quarkus.oidc.logout.backchannel.path=/back-channel-logout
quarkus.oidc.logout.path=/logout
quarkus.oidc.logout.post-logout-path=/
quarkus.oidc.authentication.error-path=/oidcerror.html
quarkus.oidc.authentication.java-script-auto-redirect=false
quarkus.oidc.authentication.restore-path-after-redirect=true

quarkus.oidc.github.provider=github
quarkus.oidc.github.client-id=xxx
quarkus.oidc.github.credentials.secret=yyy
quarkus.oidc.github.authentication.redirect-path=/signed-in

quarkus.http.auth.permission.login.paths=/login/google,/login/github
quarkus.http.auth.permission.login.policy=authenticated

quarkus.http.auth.permission.public.paths=/*
quarkus.http.auth.permission.public.policy=permit
quarkus.http.auth.permission.public.methods=GET,HEAD

quarkus.http.auth.permission.authenticated.paths=/api/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.http.auth.permission.authenticated.methods=GET,POST,DELETE,PUT,HEAD

The user navigates in browser to http://localhost:8080, logs in via http://localhost:8080/login/github and is redirected to the GitHub login page. After successful authentication, the browser is redirected back to http://localhost:8080/signed-in with code and state query params:

http://localhost:8080/signed-in?code=xxx&state=0c230eb0-ebde-480c-a8e9-7ada2a8d23df

this triggers a 401 in quarkus. DEBUG logs outputs the following:

2024-09-26 19:36:23,891 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-3) Tenant id 'github' is selected on the '/login/github' request path
2024-09-26 19:36:23,892 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-3) Resolved OIDC tenant id: github
2024-09-26 19:36:23,895 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Starting an authentication challenge for tenant github.
2024-09-26 19:36:23,896 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Authentication request redirect_uri parameter: http://localhost:8080/signed-in
2024-09-26 19:36:23,898 DEBUG [io.qua.oid.run.OidcUtils] (vert.x-eventloop-thread-3) q_auth_github_0c230eb0-ebde-480c-a8e9-7ada2a8d23df cookie 'max-age' parameter is set to 300
2024-09-26 19:36:23,900 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Code flow redirect to: https://github.com/login/oauth/authorize?response_type=code&client_id=xxx&scope=openid+user%3Aemail&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsigned-in&state=0c230eb0-ebde-480c-a8e9-7ada2a8d23df
2024-09-26 19:36:24,542 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-3) q_auth_github_0c230eb0-ebde-480c-a8e9-7ada2a8d23df cookie set a 'github' tenant id on the /signed-in request path
2024-09-26 19:36:24,543 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-3) Resolved OIDC tenant id: github
2024-09-26 19:36:24,547 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) State cookie is present, processing an expected redirect from the OIDC provider
2024-09-26 19:36:24,547 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Authorization code is present, completing the code flow
2024-09-26 19:36:24,549 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Exchanging the authorization code for the tokens
2024-09-26 19:36:24,549 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Token request redirect_uri parameter: http://localhost:8080/signed-in
2024-09-26 19:36:24,552 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Get token on: https://github.com/login/oauth/access_token params: grant_type=authorization_code
code=xxx
redirect_uri=http://localhost:8080/signed-in
 headers: user-agent=Vert.x-WebClient/4.5.10
content-type=application/x-www-form-urlencoded
accept=application/json
authorization=Basic ......==

2024-09-26 19:36:25,306 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Request succeeded: {"access_token":"gho_xxx","token_type":"bearer","scope":"user:email"}
2024-09-26 19:36:25,319 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Signing internal ID token with a configured client secret
2024-09-26 19:36:25,384 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Authorization code has been exchanged, verifying ID token
2024-09-26 19:36:25,386 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-3) Starting creating SecurityIdentity
2024-09-26 19:36:25,390 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-3) Requesting UserInfo
2024-09-26 19:36:25,391 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Get UserInfo on: https://api.github.com/user auth: Bearer gho_xxx
2024-09-26 19:36:25,861 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Request succeeded: {"login":"xxx","id":xxx,"node_id":"xxx",  ... }
2024-09-26 19:36:25,886 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-3) Starting the JWT token introspection
2024-09-26 19:36:25,889 ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) ID token verification has failed: Token issued to client xxx can not be introspected because the introspection endpoint address is unknown - please check if your OpenId Connect Provider supports the token introspection

What am I missing here? I also tried id-token-required=false and other related properties, but no avail.

Thanks

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[dergreg]

/signed-in redirect from GitHub to Quarkus is still not secured according to this

I added this to quarkus.http.auth.permission.authenticated.paths=/api/*,/signed-in for a test.

I'm afraid I won't be able to help until I see the sample app, please adapt what you have to some hello world endpoint and have it and its config zipped or available in the github repository

Sure, I understand. I'll try to create a small reproducer with just a simple index.html, pom.xml and application.properties, as this a rather bloated, existing app where I added authentication afterwards

[sberyozkin]

@dergreg I've done a quick test with Quarkus 3.15.1

Endpoint:

package org.acme.github;

import io.quarkus.oidc.UserInfo;
import io.quarkus.security.Authenticated;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;

// Registered Github application has a callback path set to localhost:8080/login

@Path("/login")
@Authenticated
public class GithubService {
	
    @Inject
    UserInfo userInfo;

    @GET
    @Produces("text/plain")
    public String userinfo() {
	    return userInfo.getUserInfoString();
	}
	
}

Configuration:

quarkus.oidc.provider=github
quarkus.oidc.client-id=${github-client-id}
quarkus.oidc.credentials.secret=${github-client-secret}

I access http://localhost:8080/login, am redirected to Github, authorize the app, and get Userinfo displayed in the browser

[sberyozkin]

I've also tried your variation where an authenticated user is redirected back to Quarkus on a public endpoint, it also works

[sberyozkin]

@dergreg

I'll try to create a small reproducer with just a simple index.html, pom.xml and application.properties, as this a rather bloated, existing app where I added authentication afterwards

Thanks, please do. The problem from my point of view is that you are getting this strange unexpected JWT verification error, I need to understand what type of user setup is triggering it and add some docs or do some build time validation to prevent them

[sberyozkin]

I'll update the logs to make it easier to identify such errors

[sberyozkin]

@dergreg Hi, I'm pretty sure I've reproduced the problem.

Do you have

@Inject
JsonWebToken jwt;

in the code ? The problem here is that it injects an access token, since no @IdToken qualifier is present, while Github access tokens are opaque/binary. The problem you are seeing occurring even before the injection itself would fail, when Quarkus sees access token injections in the JWT format, it enforces the access token verification, in addition to the mandatory ID token verification.

You just need to remove this injection and all should be good. Do you need to use Github access token to access Github API ? You only need to add @AccessToken to the REST client and Quarkus will propagate it for you.

Let me know if the above helps

[sberyozkin]

I have a PR, just need to add a test. The PR is about making sure a more appropriate error is reported but only if an attempt to access a binary token via JsonWebToken is made.

In general, it is not very easy to write a code which will remain portable across multiple providers, due to each of them using different token formats, etc, but it is possible, we can discuss it later

[dergreg]

Thanks for your efforts, highly appreciated.

I'm not at home this weekend so I won't be able to test your suggestions. But since you have reproduced it, I should be able to locally fix it.

Yes I'm injecting the JsonWebToken, but I don't actually need it. Just pasted the code from one of the quarkus tutorials. I only need an authenticated user for my app.

More logging is really helpful in such cases.

I will test next week, thank you.

[sberyozkin]

@dergreg FYI, #43585, so even if a user copies @Inject JsonWebToken jwt; but does not use it, it won't lead to confusing errors, thanks

[dergreg]

I managed to verify your answer now, i.e. I removed the JsonWebToken injection and all is fine now. Thanks for the fix which makes this clearer in the future