Merge pull request #49662 from sberyozkin/oidc_protected_resource_metadata_www_authenticate

Set correct OAuth2 protected metadata challenge parameter

Author: sberyozkin

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/ResourceMetadataHandler.java

@@ -184,7 +184,8 @@ private static void fireResourceMetadataEvent() {
 
     static String resourceMetadataAuthenticateParameter(RoutingContext context, DefaultTenantConfigResolver resolver,
             OidcTenantConfig oidcConfig) {
-        return " " + RESOURCE_METADATA_AUTHENTICATE_PARAM + "=\"" + buildResourceIdentifierUrl(context, resolver, oidcConfig)
+        return " " + RESOURCE_METADATA_AUTHENTICATE_PARAM + "=\""
+                + buildAbsoluteResourceIdentifierUrl(context, resolver, oidcConfig)
                 + "\"";
     }
 
@@ -208,6 +209,19 @@ static String buildResourceIdentifierUrl(RoutingContext context, DefaultTenantCo
         }
     }
 
+    static String buildAbsoluteResourceIdentifierUrl(RoutingContext context, DefaultTenantConfigResolver resolver,
+            OidcTenantConfig oidcConfig) {
+        String configuredResource = getResourceMetadataPath(oidcConfig, resolver.getRootPath());
+
+        if (configuredResource.startsWith(HTTP_SCHEME)) {
+            return configuredResource;
+        } else {
+            String authority = URI.create(context.request().absoluteURI()).getAuthority();
+            return buildUri(context, resolver.isEnableHttpForwardedPrefix(),
+                    oidcConfig.resourceMetadata().forceHttpsScheme(), authority, configuredResource);
+        }
+    }
+
     private static String buildUri(RoutingContext context,
             boolean enableHttpForwardedPrefix, boolean forceHttps, String authority, String path) {
         final String scheme = forceHttps ? "https" : context.request().scheme();

integration-tests/oidc/src/test/java/io/quarkus/it/keycloak/AbstractBearerTokenAuthorizationTest.java

@@ -10,6 +10,7 @@
 import org.junit.jupiter.api.RepeatedTest;
 import org.junit.jupiter.api.Test;
 
+import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.test.keycloak.client.KeycloakTestClient;
 import io.quarkus.test.keycloak.client.KeycloakTestClient.Tls;
 import io.restassured.RestAssured;
@@ -149,7 +150,8 @@ public void testVerificationFailedInvalidToken() {
         RestAssured.given().auth().oauth2("123")
                 .when().get("/api/users/me").then()
                 .statusCode(401)
-                .header("WWW-Authenticate", equalTo("Bearer resource_metadata=\"https://localhost:8081\""));
+                .header("WWW-Authenticate", equalTo("Bearer resource_metadata=\"https://localhost:8081"
+                        + OidcConstants.RESOURCE_METADATA_WELL_KNOWN_PATH + "\""));
     }
 
     //see https://github.com/quarkusio/quarkus/issues/5809
@@ -187,7 +189,8 @@ public void testBasicAuthFailureWhereBearerIsRequired() {
                 .when().get("/bearer-only")
                 .then()
                 .statusCode(401)
-                .header("WWW-Authenticate", equalTo("Bearer resource_metadata=\"https://localhost:8081\""));
+                .header("WWW-Authenticate", equalTo("Bearer resource_metadata=\"https://localhost:8081"
+                        + OidcConstants.RESOURCE_METADATA_WELL_KNOWN_PATH + "\""));
     }
 
     @Test