Quarkus OIDC guide example for OidcWiremock fails due to invalid audience

[douglas444]

I tried replicating the exact same example from this section of the OIDC code flow authentication guide but I go the following error:

2024-10-17 13:58:31,340 INFO  [io.qua.ama.lam.run.MockEventServer] (build-31) Mock Lambda Event Server Started
2024-10-17 13:58:32,692 INFO  [io.qua.tes.oid.ser.OidcWiremockTestResource] (pool-3-thread-1) Keycloak started in mock mode: http://localhost:49212
2024-10-17 13:58:33,640 WARN  [io.qua.oid.run.TenantConfigContext] (vert.x-eventloop-thread-1) Secret key for encrypting tokens in a session cookie should be at least 32 characters long for the strongest cookie encryption to be produced. Please configure 'quarkus.oidc.token-state-manager.encryption-secret' or update the configured client secret. You can disable the session cookie encryption with 'quarkus.oidc.token-state-manager.encryption-required=false' but only if it is considered to be safe in your application's network.
2024-10-17 13:58:33,691 INFO  [io.qua.ama.lam.run.AbstractLambdaPollLoop] (Lambda Thread (TEST)) Listening on: http://localhost:8081/_lambda_/2018-06-01/runtime/invocation/next
2024-10-17 13:58:33,695 INFO  [io.quarkus] (main) code-with-quarkus 1.0.0-SNAPSHOT on JVM (powered by Quarkus 3.15.1) started in 4.262s. 
2024-10-17 13:58:33,696 INFO  [io.quarkus] (main) Profile test activated. 
2024-10-17 13:58:33,696 INFO  [io.quarkus] (main) Installed features: [amazon-lambda, cdi, oidc, qute, rest, rest-qute, security, smallrye-context-propagation, vertx]
2024-10-17 13:58:34,448 ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-6) ID token verification has failed: JWT (claims->{"preferred_username":"alice","groups":["admin","user"],"iss":"https://server.example.com","aud":"https://id.server.example.com","sid":"session-id","sub":"123456","typ":"ID","iat":1729184312,"exp":1729184612,"jti":"9243a462-65c8-446a-8c79-15f128958c0d"}) rejected due to invalid claims or other invalid content. Additional details: [[8] Audience (aud) claim [https://id.server.example.com] doesn't contain an acceptable identifier. Expected quarkus-web-app as an aud value.]

org.htmlunit.FailingHttpStatusCodeException: 401 Unauthorized for http://localhost:8081/welcome?state=4b5a8fc2-e26e-448f-88a7-6c85267d53b1&code=58af24f2-9093-4674-a431-4a9d66be719c.50437113-cd78-48a2-838e-b936fe458c5d.0ac5df91-e044-4051-bd03-106a3a5fb9cc

	at org.htmlunit.WebClient.throwFailingHttpStatusCodeExceptionIfNecessary(WebClient.java:749)
	at org.htmlunit.WebClient.loadDownloadedResponses(WebClient.java:2720)
	at org.htmlunit.html.DomElement.click(DomElement.java:1131)
	at org.htmlunit.html.DomElement.click(DomElement.java:1054)
	at org.htmlunit.html.DomElement.click(DomElement.java:940)
	at org.htmlunit.html.DomElement.click(DomElement.java:917)
	at org.htmlunit.html.DomElement.click(DomElement.java:894)
	at WelcomeResourceTest.testCodeFlow(WelcomeResourceTest.java:27)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at io.quarkus.test.junit.QuarkusTestExtension.runExtensionMethod(QuarkusTestExtension.java:973)
	at io.quarkus.test.junit.QuarkusTestExtension.interceptTestMethod(QuarkusTestExtension.java:823)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)

I created this repository with the code: https://github.com/douglas444/oidc-mock-example/blob/main/src/test/java/WelcomeResourceTest.java But here is a copy of the test class:

@QuarkusTest
@QuarkusTestResource(OidcWiremockTestResource.class)
public class WelcomeResourceTest {

    @Test
    public void testCodeFlow() throws Exception {
        try (final WebClient webClient = createWebClient()) {
            // the test REST endpoint listens on '/code-flow'
            HtmlPage page = webClient.getPage("http://localhost:8081/welcome");

            HtmlForm form = page.getFormByName("form");
            // user 'alice' has the 'user' role
            form.getInputByName("username").type("alice");
            form.getInputByName("password").type("alice");

            page = form.getInputByValue("login").click();

            assertEquals("Welcome", page.getTitleText());
        }
    }

    private WebClient createWebClient() {
        WebClient webClient = new WebClient();
        webClient.setCssErrorHandler(new SilentCssErrorHandler());
        return webClient;
    }
}

The same test works if I set the client-id to https://id.server.example.com.
It works well when I use the same app in dev mode with keycloak dev service.

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

Thanks @douglas444, Quarkus now enforces that the ID token aud is set to the client id, while the OidcWiremock code was created earlier so when the ID token is generated, the aud is set to https://id.server.example.com. I guess those existing tests which use OidcWiremock for the CodeFlow tests customize it with quarkus.oidc.token.audience=https://id.server.example.com .
It may be tricky to have OIDC wiremock updated to use the client id for the ID token's aud because this OidcWiremock is used for different OIDC tenant test in the oidc-wiremock which also may have different client ids, so simplest is to customize it at the test level

[douglas444]

I see. Thank you @sberyozkin
Would it be ok if I opened a PR updating the documentation to include the aud customization? Like this one #43949