Merge pull request quarkusio#43433 from michalvavrik/feature/fix-oidc…

…-issuer-unavailable

Make sure OIDC issuer-based tenant resolver can recover when OIDC server becomes available after Quarkus app started

extensions/oidc/deployment/src/test/resources/application-dev-mode.properties

@@ -9,7 +9,7 @@ quarkus.oidc.application-type=web-app
 quarkus.oidc.logout.path=/protected/logout
 quarkus.oidc.authentication.pkce-required=true
 quarkus.log.category."org.htmlunit".level=ERROR
-quarkus.log.category."io.quarkus.oidc.runtime.TenantConfigContext".level=DEBUG
+quarkus.log.category."io.quarkus.oidc.runtime.TenantConfigContextImpl".level=DEBUG
 quarkus.log.file.enable=true
 
 # use blocking DNS lookup so that we have it tested somewhere

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/BackChannelLogoutHandler.java

@@ -87,7 +87,7 @@ public void accept(MultiMap form) {
                                     try {
                                         // Do the general validation of the logout token now, compare with the IDToken later
                                         // Check the signature, as well the issuer and audience if it is configured
-                                        TokenVerificationResult result = tenantContext.provider
+                                        TokenVerificationResult result = tenantContext.provider()
                                                 .verifyLogoutJwtToken(encodedLogoutToken);
 
                                         if (verifyLogoutTokenClaims(result)) {
@@ -162,9 +162,9 @@ private TenantConfigContext getTenantConfigContext(final String requestPath) {
         }
 
         private boolean isMatchingTenant(String requestPath, TenantConfigContext tenant) {
-            return tenant.oidcConfig.isTenantEnabled()
-                    && tenant.oidcConfig.getTenantId().get().equals(oidcTenantConfig.getTenantId().get())
-                    && requestPath.equals(getRootPath() + tenant.oidcConfig.logout.backchannel.path.orElse(null));
+            return tenant.oidcConfig().isTenantEnabled()
+                    && tenant.oidcConfig().getTenantId().get().equals(oidcTenantConfig.getTenantId().get())
+                    && requestPath.equals(getRootPath() + tenant.oidcConfig().logout.backchannel.path.orElse(null));
         }
     }
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/BearerAuthenticationMechanism.java

@@ -37,7 +37,7 @@ public Uni<ChallengeData> getChallenge(RoutingContext context) {
             @Override
             public Uni<ChallengeData> apply(TenantConfigContext tenantContext) {
                 return Uni.createFrom().item(new ChallengeData(HttpResponseStatus.UNAUTHORIZED.code(),
-                        HttpHeaderNames.WWW_AUTHENTICATE, tenantContext.oidcConfig.token.authorizationScheme));
+                        HttpHeaderNames.WWW_AUTHENTICATE, tenantContext.oidcConfig().token.authorizationScheme));
             }
         });
     }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/LazyTenantConfigContext.java

@@ -0,0 +1,87 @@
+package io.quarkus.oidc.runtime;
+
+import java.util.List;
+import java.util.function.Supplier;
+
+import javax.crypto.SecretKey;
+
+import org.jboss.logging.Logger;
+
+import io.quarkus.oidc.OidcConfigurationMetadata;
+import io.quarkus.oidc.OidcRedirectFilter;
+import io.quarkus.oidc.OidcTenantConfig;
+import io.quarkus.oidc.Redirect;
+import io.smallrye.mutiny.Uni;
+
+final class LazyTenantConfigContext implements TenantConfigContext {
+
+    private static final Logger LOG = Logger.getLogger(LazyTenantConfigContext.class);
+
+    private final Supplier<Uni<TenantConfigContext>> staticTenantCreator;
+    private volatile TenantConfigContext delegate;
+
+    LazyTenantConfigContext(TenantConfigContext delegate, Supplier<Uni<TenantConfigContext>> staticTenantCreator) {
+        this.staticTenantCreator = staticTenantCreator;
+        this.delegate = delegate;
+    }
+
+    @Override
+    public Uni<TenantConfigContext> initialize() {
+        if (!delegate.ready()) {
+            LOG.debugf("Tenant '%s' is not initialized yet, trying to create OIDC connection now",
+                    delegate.oidcConfig().tenantId.get());
+            return staticTenantCreator.get().invoke(ctx -> LazyTenantConfigContext.this.delegate = ctx);
+        }
+        return Uni.createFrom().item(delegate);
+    }
+
+    @Override
+    public OidcTenantConfig oidcConfig() {
+        return delegate.oidcConfig();
+    }
+
+    @Override
+    public OidcProvider provider() {
+        return delegate.provider();
+    }
+
+    @Override
+    public boolean ready() {
+        return delegate.ready();
+    }
+
+    @Override
+    public OidcTenantConfig getOidcTenantConfig() {
+        return delegate.getOidcTenantConfig();
+    }
+
+    @Override
+    public OidcConfigurationMetadata getOidcMetadata() {
+        return delegate.getOidcMetadata();
+    }
+
+    @Override
+    public OidcProviderClient getOidcProviderClient() {
+        return delegate.getOidcProviderClient();
+    }
+
+    @Override
+    public SecretKey getStateEncryptionKey() {
+        return delegate.getStateEncryptionKey();
+    }
+
+    @Override
+    public SecretKey getTokenEncSecretKey() {
+        return delegate.getTokenEncSecretKey();
+    }
+
+    @Override
+    public SecretKey getInternalIdTokenSecretKey() {
+        return delegate.getInternalIdTokenSecretKey();
+    }
+
+    @Override
+    public List<OidcRedirectFilter> getOidcRedirectFilters(Redirect.Location loc) {
+        return delegate.getOidcRedirectFilters(loc);
+    }
+}

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcConfigurationMetadataProducer.java

@@ -20,8 +20,8 @@ public class OidcConfigurationMetadataProducer {
     OidcConfigurationMetadata produce() {
         OidcConfigurationMetadata configMetadata = OidcUtils.getAttribute(identity, OidcUtils.CONFIG_METADATA_ATTRIBUTE);
 
-        if (configMetadata == null && tenantConfig.getDefaultTenant().oidcConfig.tenantEnabled) {
-            configMetadata = tenantConfig.getDefaultTenant().provider.getMetadata();
+        if (configMetadata == null && tenantConfig.getDefaultTenant().oidcConfig().tenantEnabled) {
+            configMetadata = tenantConfig.getDefaultTenant().provider().getMetadata();
         }
         if (configMetadata == null) {
             throw new OIDCException("OidcConfigurationMetadata can not be injected");