Merge pull request #48914 from sberyozkin/improve_oidc_client_exchange_grant

Simplify OIDC client exchange grant configuration

Author: sberyozkin

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientRecorder.java

@@ -178,6 +178,11 @@ public OidcClient apply(OidcConfigurationMetadata metadata, Throwable t) {
                                         tokenGrantParams.addAll(grantOptions);
                                     }
                                 }
+                                if (oidcConfig.grant().type() == Grant.Type.EXCHANGE
+                                        && !tokenGrantParams.contains(OidcConstants.EXCHANGE_GRANT_SUBJECT_TOKEN_TYPE)) {
+                                    tokenGrantParams.add(OidcConstants.EXCHANGE_GRANT_SUBJECT_TOKEN_TYPE,
+                                            OidcConstants.EXCHANGE_GRANT_SUBJECT_ACCESS_TOKEN_TYPE);
+                                }
                             }
                         }
 

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcConstants.java

@@ -9,6 +9,9 @@ public final class OidcConstants {
     public static final String JWT_BEARER_CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
     public static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
     public static final String JWT_BEARER_GRANT_ASSERTION = "assertion";
+    public static final String EXCHANGE_GRANT_SUBJECT_TOKEN = "subject_token";
+    public static final String EXCHANGE_GRANT_SUBJECT_TOKEN_TYPE = "subject_token_type";
+    public static final String EXCHANGE_GRANT_SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
 
     public static final String CLIENT_CREDENTIALS_GRANT = "client_credentials";
     public static final String PASSWORD_GRANT = "password";

extensions/oidc-token-propagation-reactive/runtime/src/main/java/io/quarkus/oidc/token/propagation/reactive/AccessTokenRequestReactiveFilter.java

@@ -24,6 +24,7 @@
 import io.quarkus.oidc.client.OidcClients;
 import io.quarkus.oidc.client.runtime.DisabledOidcClientException;
 import io.quarkus.oidc.client.runtime.OidcClientConfig.Grant;
+import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.quarkus.security.credential.TokenCredential;
 import io.quarkus.vertx.core.runtime.context.VertxContextSafetyToggle;
@@ -59,9 +60,9 @@ public void initExchangeTokenClient() {
                                     + "grant.type",
                             Grant.Type.class);
             if (exchangeTokenGrantType == Grant.Type.EXCHANGE) {
-                exchangeTokenProperty = "subject_token";
+                exchangeTokenProperty = OidcConstants.EXCHANGE_GRANT_SUBJECT_TOKEN;
             } else if (exchangeTokenGrantType == Grant.Type.JWT) {
-                exchangeTokenProperty = "assertion";
+                exchangeTokenProperty = OidcConstants.JWT_BEARER_GRANT_ASSERTION;
             } else {
                 throw new ConfigurationException("Token exchange is required but OIDC client is configured "
                         + "to use the " + exchangeTokenGrantType.getGrantType() + " grantType");

extensions/oidc-token-propagation/runtime/src/main/java/io/quarkus/oidc/token/propagation/AccessTokenRequestFilter.java

@@ -53,7 +53,7 @@ public void initExchangeTokenClient() {
                                     + "grant.type",
                             Grant.Type.class);
             if (exchangeTokenGrantType == Grant.Type.EXCHANGE) {
-                exchangeTokenProperty = "subject_token";
+                exchangeTokenProperty = OidcConstants.EXCHANGE_GRANT_SUBJECT_TOKEN;
             } else if (exchangeTokenGrantType == Grant.Type.JWT) {
                 exchangeTokenProperty = OidcConstants.JWT_BEARER_GRANT_ASSERTION;
             } else {

integration-tests/oidc-client-wiremock/src/main/java/io/quarkus/it/keycloak/FrontendResource.java

@@ -17,6 +17,7 @@
 import io.quarkus.oidc.client.OidcClientException;
 import io.quarkus.oidc.client.OidcClients;
 import io.quarkus.oidc.client.Tokens;
+import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.smallrye.mutiny.Uni;
 
 @Path("/frontend")
@@ -57,6 +58,10 @@ public class FrontendResource {
     @NamedOidcClient("jwtbearer-grant")
     OidcClient jwtBearerGrantClient;
 
+    @Inject
+    @NamedOidcClient("exchange-grant")
+    OidcClient exchangeGrantClient;
+
     @Inject
     @RestClient
     ProtectedResourceServiceRefreshIntervalTestClient tokenRefreshIntervalTestClient;
@@ -70,6 +75,13 @@ public String echoToken() {
         return protectedResourceServiceOidcClient.echoToken();
     }
 
+    @GET
+    @Path("echoTokenExchangeGrant")
+    public String echoTokenExchangeGrant() {
+        return exchangeGrantClient.getTokens(Map.of(OidcConstants.EXCHANGE_GRANT_SUBJECT_TOKEN, "token_to_be_exchanged"))
+                .await().indefinitely().getAccessToken();
+    }
+
     @GET
     @Path("crashTest")
     public String crashTest() {

integration-tests/oidc-client-wiremock/src/main/resources/application.properties

@@ -47,6 +47,14 @@ quarkus.oidc-client.password-grant-public-client.grant.type=password
 quarkus.oidc-client.password-grant-public-client.grant-options.password.username=alice
 quarkus.oidc-client.password-grant-public-client.grant-options.password.password=alice
 
+quarkus.oidc-client.exchange-grant.auth-server-url=${keycloak.url}
+quarkus.oidc-client.exchange-grant.discovery-enabled=false
+quarkus.oidc-client.exchange-grant.token-path=/tokens-exchange
+quarkus.oidc-client.exchange-grant.grant.type=exchange
+quarkus.oidc-client.exchange-grant.client-id=quarkus-app
+quarkus.oidc-client.exchange-grant.credentials.secret=secret
+
+
 quarkus.oidc-client.non-standard-response.token-path=${keycloak.url}/non-standard-tokens
 quarkus.oidc-client.non-standard-response.client-id=quarkus-app
 quarkus.oidc-client.non-standard-response.credentials.secret=secret

integration-tests/oidc-client-wiremock/src/test/java/io/quarkus/it/keycloak/KeycloakRealmResourceManager.java

@@ -42,6 +42,15 @@ public Map<String, String> start() {
                         .withHeader("Content-Type", MediaType.APPLICATION_JSON)
                         .withBody(
                                 "{\"access_token\":\"access_token_1\", \"expires_in\":4, \"refresh_token\":\"refresh_token_1\"}")));
+        server.stubFor(WireMock.post("/tokens-exchange")
+                .withRequestBody(containing("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"))
+                .withRequestBody(containing("subject_token=token_to_be_exchanged"))
+                .withRequestBody(containing("subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"))
+                .willReturn(WireMock
+                        .aResponse()
+                        .withHeader("Content-Type", MediaType.APPLICATION_JSON)
+                        .withBody(
+                                "{\"access_token\":\"access_token_exchanged\", \"expires_in\":4}")));
         server.stubFor(WireMock.post("/tokens-jwtbearer")
                 .withRequestBody(matching("grant_type=client_credentials&"
                         + "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&"

integration-tests/oidc-client-wiremock/src/test/java/io/quarkus/it/keycloak/OidcClientTest.java

@@ -318,6 +318,15 @@ public void testEchoWithRefreshInterval() {
         }
     }
 
+    @Order(15)
+    @Test
+    public void testEchoTokensExchangeGrant() {
+        RestAssured.when().get("/frontend/echoTokenExchangeGrant")
+                .then()
+                .statusCode(200)
+                .body(equalTo("access_token_exchanged"));
+    }
+
     private void checkLog() {
         final Path logDirectory = Paths.get(".", "target");
         given().await().pollInterval(100, TimeUnit.MILLISECONDS)