OIDC introspection of opaque access-token does not fill principal of SecurityIdentity

Describe the bug My service uses OIDC (application-type=service) and is called with an opaque access-token. The REST endpoints are protected with @RolesAllowed annotations.

Because of the opaque access-token, the introspect endpoint is called by Quarkus/Vert.x to get the JWT. Because my identity-provider is ForgeRock the response of the introspection endpoint does not contain a key “username” but “user_id”.

Response:

{
  "active": true,
  "scope": "openid profile email myroles",
  "client_id": "***",
  "user_id": "***",
  "token_type": "Bearer",
  "exp": 1602839252,
  "sub": "***",
  "iss": "***",
  "auth_level": 1000,
  "auditTrackingId": "***"
}

The Vert.x and Quarkus-implementation expect the “username” key, so the principal of the SecurityIdentity is not filled.

See:

• io.quarkus.oidc.runtime.OidcIdentityProvider.validateTokenWithOidcServer
• io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl.introspect

Expected behavior Principal of SecurityIdentity gets filled.

Actual behavior Principal is null

Configuration

quarkus.oidc.application-type=service
quarkus.oidc.auth-server-url=***
quarkus.oidc.client-id=***
quarkus.oidc.credentials.client-secret.value=***
quarkus.oidc.token.issuer=***

quarkus.oidc.authentication.user-info-required=true
quarkus.oidc.roles.source=userinfo
quarkus.oidc.roles.role-claim-path=myroles
quarkus.oidc.discovery-enabled=false
quarkus.oidc.introspection-path=/introspect
quarkus.oidc.user-info-path=/userinfo

Environment (please complete the following information):

• Quarkus version or git rev: 1.9.0.CR1