Check required claims in OIDC issuer-based resolver #46634
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gastaldi
approved these changes
Mar 5, 2025
Status for workflow
|
|
Michal, @michalvavrik, this PR is super simple and since you agreed with the idea in the issue description, I'm going to merge given George's approval. Ping my any time if you'd like to change something |
haha, yeah I have extremely little time, but I just reviewed when you merged it :-D |
|
Thanks @michalvavrik |
|
Suggesting a backport given the simplicity of this update, unless there are concerns about it |
benkard
pushed a commit
to benkard/quarkus-googlecloud-jsonlogging
that referenced
this pull request
Mar 14, 2025
…us-googlecloud-jsonlogging!27) This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [io.quarkus:quarkus-extension-processor](https://github.com/quarkusio/quarkus) | | patch | `3.19.2` -> `3.19.3` | | [io.quarkus:quarkus-extension-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `3.19.2` -> `3.19.3` | | [io.quarkus:quarkus-bom](https://github.com/quarkusio/quarkus) | import | patch | `3.19.2` -> `3.19.3` | | [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `3.19.2` -> `3.19.3` | --- ### Release Notes <details> <summary>quarkusio/quarkus</summary> ### [`v3.19.3`](https://github.com/quarkusio/quarkus/releases/tag/3.19.3) [Compare Source](quarkusio/quarkus@3.19.2...3.19.3) ##### Complete changelog - [#​45112](quarkusio/quarkus#45112) - Exception about missing maven classes when opening the dev-ui (gradle based project) - [#​46430](quarkusio/quarkus#46430) - ResponseBuilderImpl NumberFormatException with IPv6 - [#​46459](quarkusio/quarkus#46459) - Upgrading from 3.18.2 to 3.18.3 Results in OutOfMemoryError when using `@QuarkusTest` with Quarkus Junit 5 - [#​46527](quarkusio/quarkus#46527) - Broken archive in vaadin-webcomponent dependency - [#​46566](quarkusio/quarkus#46566) - Issuer-based OIDC tenant resolver should check `quarkus.oidc.token.required-claims` - [#​46615](quarkusio/quarkus#46615) - OIDC client token requests retry not working - [#​46621](quarkusio/quarkus#46621) - Bump testcontainers.version from 1.20.5 to 1.20.6 - [#​46624](quarkusio/quarkus#46624) - Devui Database View can not find tables in different schemas - [#​46632](quarkusio/quarkus#46632) - Make ResponseBuilderImpl more ipv6 aware - [#​46634](quarkusio/quarkus#46634) - Check required claims in OIDC issuer-based resolver - [#​46635](quarkusio/quarkus#46635) - Update some dev-ui libs versions - [#​46638](quarkusio/quarkus#46638) - Bump Keycloak version to 26.1.3 - [#​46640](quarkusio/quarkus#46640) - Using SocketException in all of the OIDC retry code - [#​46651](quarkusio/quarkus#46651) - Fix non-public schema in DB Viewer for Dev UI - [#​46653](quarkusio/quarkus#46653) - Add -e to quarkus update commands and improve display - [#​46655](quarkusio/quarkus#46655) - JSON-B link - [#​46659](quarkusio/quarkus#46659) - Correct link to JSON-B API - [#​46660](quarkusio/quarkus#46660) - Correct summary text of config-yaml.adoc - [#​46661](quarkusio/quarkus#46661) - Correct summary text of spring-boot-properties.adoc - [#​46664](quarkusio/quarkus#46664) - ArC: fix disposer resolution in case the disposed parameter declares no qualifiers - [#​46680](quarkusio/quarkus#46680) - Fix gradle devui NoClassDefFound - [#​46684](quarkusio/quarkus#46684) - Revert "Execute simple JUnit tests and `@QuarkusComponentTest` first" - [#​46685](quarkusio/quarkus#46685) - Micrometer docs moved - fix links - [#​46695](quarkusio/quarkus#46695) - Introduce `server.port` tag into `http.server.active.requests` metric - [#​46700](quarkusio/quarkus#46700) - Exclude `.github/project.yml` from triggering workflows on push event - [#​46706](quarkusio/quarkus#46706) - Fix wording in quarkus-rest jsonview support - [#​46709](quarkusio/quarkus#46709) - Fix true-false typo - [#​46712](quarkusio/quarkus#46712) - Bump resteasy.version from 6.2.11.Final to 6.2.12.Final - [#​46713](quarkusio/quarkus#46713) - Bump hibernate-orm.version from 6.6.9.Final to 6.6.10.Final - [#​46714](quarkusio/quarkus#46714) - Bump io.micrometer:micrometer-bom from 1.14.4 to 1.14.5 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #46566
This PR updates OIDC issuer based resolver to check the extra required claims if configured, to support cases where multiple tenants have the same issuer but different tenant-specific token verification or key retrieval etc requirements.
I originally planned to do these checks at the tenant resolution time only if more than tenant with the same issuer is configured but it does not really work because the process of the actual token retrieval can vary on per tenant basis.
So I simply added a quick required-claims check which should be enough, with the test updated