OIDC `CodeAuthenticationMechanism` should not fail silently
Description
When users are redirected back to Quarkus after authentication, it’s possible for their request to ‘fail silently’ (return a 401 with no body) if there’s an issue calling the token endpoint. Because no body is returned, and errors are logged at DEBUG level, it can be difficult to troubleshoot the 401.
One could argue that this doesn’t need to be logged, but in my experience it’s confusing to see a “401” and not be able to tell if it’s coming from the application or the IdP. I encountered this issue after following the “Using OpenID Connect (OIDC) to Protect Web Applications…” guide and accidentally setting `quarkus.oidc.secret` instead of `quarkus.oidc.credentials.secret`; it wasn’t obvious that “401” meant “error trying to authenticate because of invalid credentials”.
```
2021-11-16 16:29:25,837 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-1) Request has failed: status: 401, error message: {"error_description":"Invalid client or client credentials.","error":"invalid_client"}
2021-11-16 16:29:25,837 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) Exception during the code to token exchange: {"error_description":"Invalid client or client credentials.","error":"invalid_client"}
```
Implementation ideas
A few potential ways to make this more obvious:
- Log failures at the `WARN` level instead of `DEBUG`: https://github.com/quarkusio/quarkus/blob/2e8c6a869788339f4018779dbdd36867a6be4bd1/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java#L300
- (Any security concerns?) Include the body when an unexpected error occurs (not sure if there are security concerns for this).
- (May not be practical) Validate the Quarkus configuration to check for a client secret… assuming all IdPs require one. 😃
- (May not be practical) Return a `5xx` error if there’s an unexpected authentication error. For example, Quarkus throws an error if you provide an invalid `auth-server-url`: `io.quarkus.oidc.OIDCException: OIDC server is not available at the ‘…’ URL. Please make sure it is correct.`
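As an added, language-neutral illustration of the ideas above (this is not Quarkus code and does not use any Quarkus API; the function names, the logger name `oidc.example`, the constructed token-endpoint responses and the short `KNOWN_OIDC_KEYS` list are assumptions made for the example), the following shows how a relying party can classify a failed code-to-token exchange using the RFC 6749 §5.2 error codes, log the IdP’s message at `WARN` rather than `DEBUG`, return a 5xx for errors that point at the client’s own configuration (such as `invalid_client`) instead of a misleading 401, and flag an unknown or missing configuration key such as `quarkus.oidc.secret` before the first login attempt. The IdP body is written to the server log only, never echoed to the browser, which addresses the security concern raised in the second bullet.

```python
"""Added example, not Quarkus code: surface a failed code-to-token exchange
instead of swallowing it as a bodiless 401.

Assumptions (not from the issue): function names, the logger name
"oidc.example", the constructed responses and KNOWN_OIDC_KEYS are illustrative.
Error codes follow RFC 6749 section 5.2.
"""
import json
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional

log = logging.getLogger("oidc.example")

# Error codes that point at the relying party's own configuration (client id,
# secret, allowed scopes), not at the end user. A 401 to the browser is
# misleading for these; the operator, not the user, has to act.
CLIENT_CONFIG_ERRORS = {"invalid_client", "unauthorized_client", "invalid_scope"}
# Errors that mean the presented authorization code or request is bad
# (expired, reused, wrong redirect_uri): the user can restart the login flow.
USER_RETRYABLE_ERRORS = {"invalid_grant", "invalid_request"}
# Errors that indicate the provider itself is unhealthy.
PROVIDER_ERRORS = {"server_error", "temporarily_unavailable"}


@dataclass
class ExchangeOutcome:
    http_status: int            # status to return to the browser
    log_level: int              # logging level used for the record
    reason: str                 # short, client-safe message for the body
    idp_error: Optional[str]    # the IdP's "error" code, if one was parsed


def classify_token_error(status: int, body: bytes) -> ExchangeOutcome:
    """Map a failed token-endpoint response (HTTP status plus raw body) to a
    status, a log level and a client-safe reason. The raw IdP message is
    logged, truncated, and never echoed to the browser."""
    error: Optional[str] = None
    description = ""
    try:
        payload = json.loads(body.decode("utf-8"))
        if isinstance(payload, dict):
            error = payload.get("error")
            description = str(payload.get("error_description", ""))
    except (ValueError, UnicodeDecodeError):
        pass  # non-JSON body: treated as an unexpected provider failure below

    if error in CLIENT_CONFIG_ERRORS:
        outcome = ExchangeOutcome(500, logging.WARNING,
                                  "OIDC client is misconfigured; see server log", error)
    elif error in USER_RETRYABLE_ERRORS:
        outcome = ExchangeOutcome(401, logging.WARNING,
                                  "authorization code was rejected; restart login", error)
    elif error in PROVIDER_ERRORS or status >= 500:
        outcome = ExchangeOutcome(502, logging.WARNING,
                                  "OIDC provider is unavailable", error)
    else:
        outcome = ExchangeOutcome(500, logging.ERROR,
                                  "unexpected token endpoint response", error)

    # Log at WARN or above so the 401/5xx is explainable without enabling
    # DEBUG. The description is truncated so a misbehaving IdP cannot flood
    # the log; the full body is deliberately kept out of the HTTP response.
    log.log(outcome.log_level,
            "code-to-token exchange failed: status=%d error=%s description=%s",
            status, error, description[:200])
    return outcome


# Known keys, constructed for this example from the ones the issue mentions;
# the real Quarkus key list is much longer.
KNOWN_OIDC_KEYS = {
    "quarkus.oidc.auth-server-url",
    "quarkus.oidc.client-id",
    "quarkus.oidc.credentials.secret",
    "quarkus.oidc.authentication.user-info-required",
}


def check_oidc_config(config: Dict[str, str]) -> List[str]:
    """Return human-readable problems found at startup: unknown quarkus.oidc.*
    keys (the typo from the issue) and a missing client secret."""
    problems: List[str] = []
    for key in sorted(config):
        if key.startswith("quarkus.oidc.") and key not in KNOWN_OIDC_KEYS:
            problems.append(f"unknown key {key!r}")
    if "quarkus.oidc.credentials.secret" not in config:
        problems.append("no client secret configured (quarkus.oidc.credentials.secret)")
    return problems


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed response mirroring the body in the issue's DEBUG log lines.
    body = b'{"error_description":"Invalid client or client credentials.","error":"invalid_client"}'
    print(classify_token_error(401, body))
    print(check_oidc_config({"quarkus.oidc.auth-server-url": "https://idp.example/realm",
                             "quarkus.oidc.client-id": "app",
                             "quarkus.oidc.secret": "oops"}))
```

Running the module with the constructed `invalid_client` response yields a 500 for the browser with a one-line reason, a `WARN` record carrying the IdP’s error code and description, and two configuration findings for the mistyped secret key.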
Hi @rgmz, oh, thanks for spotting it 😃. It would be fine to open dedicated issues; the epic issue is a high-level one to improve the security docs. If you’d like, please create the one for the userinfo typo; a PR will be welcome too.
@sberyozkin: Thanks for the quick reply; I’ll provide a thoughtful response later.
I also noticed that the UserInfo section of that guide refers to `quarkus.oidc.user-info-required`, which isn’t a known configuration key (it should be `quarkus.oidc.authentication.user-info-required`). If I notice any other issues with the OIDC docs, would you prefer that I open separate issues for each, or note them in the existing meta-issue (#20036)?