How to handle the OIDC provider which does not support openid scope

[abvaidya]

I am using OIDC multi-tenancy with multiple providers and one of the providers ( Atlassian ) does not support openid scope i.e. the consent screen doesnt even show up if I include openid scope, so :

• When I removed it by setting quarkus.oidc.atlassian.add-openid-scope=false, i get the error "ID token is not available in the authorization code grant response"
• then I tried setting quarkus.oidc.atlassian.id-token-required=false and I got the error "ID token verification has failed: {"error":"invalid_request","error_description":"You must request openid scope to use /userinfo"}"
• then i tried setting quarkus.oidc.atlassian.user-info-required=false and I got "io.quarkus.runtime.configuration.ConfigurationException: UserInfo is not required for OIDC tenant 'atlassian' but it will be needed to verify a code flow access token"
• then i tried setting quarkus.oidc.atlassian.token.verify-access-token-with-user-info=false but that doesnt seem to come into effect.

Am I missing something? Based on the documentation, I got the impression that Quarkus can handle oauth2 providers like Github / X which dont support openid / doesnt provide id_token

TIA

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

@abvaidya

If Atlassian is a pure OAuth2 provider that gives only access token that can not be verified via public keys or introspection, Quarkus OIDC can verify such tokens only indirectly, typically by accessing provider specific endpoint representing the current's user account, so in this context, UserInfo is some JSON data from an endpoint like /me, /account, etc .

I'm not really familiar with Atlassian REST API, but an endpoint such as https://docs.atlassian.com/software/jira/docs/api/REST/9.17.0/#api/2/user will do, so I'd set quarkus.oidc.atlassian.user-info-path=/api/2/user, etc, do not disable userinfo with quarkus.oidc.atlassian.user-info-required=false

Can you try it and let me know ?

[abvaidya]

My app is Oauth 2.0 (3LO) trying to access Jira Cloud which falls into https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/#other-integrations. So the right api endpoint would be https://api.atlassian.com/ex/jira/<cloudId>/rest/api/3/<resource-name>
even if i hardcode cloudId in my Quarkus configuration, the auth server is auth.atlassian.com but apis are hosted by api.atlassian.com. Would /userinfo endpoint take an absolute url as opposed to a relative path for auth server url?

[abvaidya]

oh looks like /userinfo can take absolute path, let me try that 🙂

[abvaidya]

ok, I tried using https://api.atlassian.com/oauth/token/accessible-resources as the user-info endpoint and from TRACE logs I see that request is successful [io.qu.oi.ru.OidcProviderClientImpl] (vert.x-eventloop-thread-6) Request succeeded: [{"id":"xxx","url":"https:/xxx.atlassian.net","name":"xxx","scopes":["read:comment:jira","read:issue-meta:jira","read:issue:jira","read:project:jira","read:user:jira"],"avatarUrl":"https://site-admin-avatar-cdn.prod.public.atl-paas.net/avatars/240/rocket.png"}]

but the response parsing fails probably because Quarkus is not expecting response to be an array? [io.qu.oi.ru.CodeAuthenticationMechanism] (vert.x-eventloop-thread-6) ID token verification has failed: JsonParser#getObject() or JsonParser#getObjectStream() is valid only for START_OBJECT parser state. But current parser state is START_ARRAY

Is there any workaround?

[sberyozkin]

unfortunately the /rest/api/3/user call response is json object but that needs to have the accountId= query param. FWIW accountId is present in sub claim of the access token but is there any way that can be configured in the user info call? ( I know its too much smh 🙂 )

I think you should be able to handle it with https://quarkus.io/guides/security-oidc-code-flow-authentication#code-flow-oidc-request-filters, restrict to OidcEndpoint.UserInfo, and add that query parameter, the question is how to get the access token, I believe you should be able to inject @RoutingContext, it might already be set as one of the context properties, and get AuthorizationCodeTokens.class.getName() from it and get the access token, please experiment

[sberyozkin]

if Quarkus is only concerned about being able to make a successful call to verify the token, then i can try to find something which just returns 200 with JSON object as response.

Right, this is always a reasonable enough workaround, like I said, it is still accessed on behalf of a user so it is somewhat related to UserInfo anyway.

[abvaidya]

Regarding the above suggestion, this is what I tried

@ApplicationScoped
@Unremovable
@OidcEndpoint(value = OidcEndpoint.Type.USERINFO)
public class OidcUserInfoCustomizer implements OidcRequestFilter {

    @Inject
    RoutingContext routingContext;

    @Override
    @ActivateRequestContext
    public void filter(OidcRequestContext context) {
      String accessToken = ((AuthorizationCodeTokens)routingContext.get(AuthorizationCodeTokens.class.getName())).getAccessToken();
   }
}

Please pardon my ignorance about correct usage, but I am seeing Normal scoped producer method may not return null: io.quarkus.vertx.http.runtime.CurrentVertxRequest.getCurrent() error

[sberyozkin]

@abvaidya @ActivateRequestContext should not be required, if it does not work, we may add the tokens in to the context properties for requests such as UserInfo, when they are already available...

[abvaidya]

I tried sniffing in the OidcRequestContext but didnt find any tokens, so are there any alternatives to get the token? I dont really need the whole token, jsut the sub claim from the access token which i can set as query param. Will that be available in some object?

[abvaidya]

@sberyozkin Thank you so much for replies. They are very much appreciated. I had to take a detour to implement my own TokenStateManager because I dont want to add new dependencies ( available implementations db, redis ) and Atlassian access tokens are bigger than allowed cookie sizes.
But thats done and I am running into ID token verification has failed: JWT (claims->{"aud":"<CID>","iat":1764898566,"exp":1764902166,"jti":"98492d34-69ae-47bb-a7ad-cf1b48b213e9"}) rejected due to invalid claims or other invalid content. Additional details: [[11] No Issuer (iss) claim present.]
From what I understand, this is Quarkus generated internal id_token since Atlassian doesnt provide one. Is there any way to bypass the issuer claim check?

[abvaidya]

access token has the issuer, the code complained about the iss in quarkus generated id_token. does the token config apply to both access and id tokens?

[sberyozkin]

does the token config apply to both access and id tokens?

Good observation, currently yes, there is an issue to distinguish between the two.

But in this case, the discovery returns an issuer, and the verification code insists that the ID token which represents the session, has it.

For the internal ID token we can skip this check though

[abvaidya]

ok setting token.issuer=any on the Atlassian tenant worked. 🙂 is disabling discovery a safer option?

[sberyozkin]

ok setting token.issuer=any on the Atlassian tenant worked. 🙂 is disabling discovery a safer option?

Either option makes no difference on the safety here as in your case no ID token is even returned if I understand it correctly, so we are skipping this check for the internal token that Quarkus OIDC itself generates, while the access token is verified indirectly via a remote call.

I think, if the internal ID token is generated and the issuer is available in metadata, we may as well set it on the internal ID token...

I'll probably have to look into Atlassian integration as it does look it has everything, for example, the error from the decription

then I tried setting quarkus.oidc.atlassian.id-token-required=false and I got the error "ID token verification has failed: {"error":"invalid_request","error_description":"You must request openid scope to use /userinfo"}"

This one came from Atlassian, so it does insist on requesting an openid scope yet it fails to offer an authentication challenge/consent screen if openid is included....

So, in any case, so far I see 3 items to look at:

• if the metadata issuer is available, set on internal ID token, to avoid skipping an issuer check
• figure out how to deal with 431
• have current tokens visible to UserInfo request filters

[abvaidya]

yes that summarizes it. Once again, really appreciate your responses and attention! 🙌🏽

[sberyozkin]

@abvaidya Can you give me a favor and describe how can I set up Atlassian OAuth2 to reproduce your own setup, I see that they have docs how to do it, but I'm concerned my setup will end up working against some other, newer Atlassian OAuth2 deployment (which can happen even with GitHub)

[abvaidya]

Yeah, its a bit convoluted and requires multiple steps.
Atlassian has 2 main options to create "apps" which can be made available via Atlassian marketplace - Forge (new) & Connect (old).
What i needed was a simple Oauth 2.0 (3LO) so that I can get access token and refresh token on behalf of users. So i chose the third option of Oauth 2.0
This kind of app can not be shared on Atlassian marketplace but it can be installed in your Atlassian site ( jira / confluence ) by "enabling private apps" and "allowing users to install apps" via admin settings.

I, myself need to verify with someone if what i did is correct but here are my steps.

• login to developer.atlassian.com
• create oauth 2.0 app ( platform will generate client id & secret )
• Add required scopes
• Add a callback url pointing to your quarkus app ( there can only be 1 )
• you will find a sample oauth initiation flow link below

For next steps, you would need an Atlassian org with org admin access.

• go to admin.atlassian.com
• go to the site settings ( apps -> sites -> $SITE )
• In site settings go to connected apps -> settings tab, enable development mode which enables the option to install private apps
• also select the option to allow users to install apps in their userspace
• then initiate the oauth flow for the app from developer.atlassian which should show you a consent screen and allows to install that app on available site

Depending on the domain of the callback url, you may need to verify the domain ownership in org security settings before the app installation.

[abvaidya]

I am not in front of the computer right now but later i will double check the steps to make sure i didn't miss anything

[sberyozkin]

Thanks @abvaidya , I probably won't be able to complete 2nd step, as it will require admin level access.
Going through the first step might be enough, I'll have a look later