Re-authenticate users if the OIDC session cookie can not be read

sberyozkin · sberyozkin · commit 3b248a56ad82 · 2025-03-14T16:10:50.000Z
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -338,13 +338,15 @@ private Uni<SecurityIdentity> reAuthenticate(String sessionCookie,
         context.put(TenantConfigContext.class.getName(), configContext);
         return resolver.getTokenStateManager().getTokens(context, configContext.oidcConfig(),
                 sessionCookie, getTokenStateRequestContext)
-                .onFailure(AuthenticationCompletionException.class)
+                .onFailure(Throwable.class)
                 .recoverWithUni(
                         new Function<Throwable, Uni<? extends AuthorizationCodeTokens>>() {
                             @Override
                             public Uni<AuthorizationCodeTokens> apply(Throwable t) {
+                                Throwable failure = t instanceof AuthenticationFailedException ? t
+                                        : new AuthenticationFailedException(t);
                                 return removeSessionCookie(context, configContext.oidcConfig())
-                                        .replaceWith(Uni.createFrom().failure(t));
+                                        .replaceWith(Uni.createFrom().failure(failure));
                             }
                         })
                 .chain(new Function<AuthorizationCodeTokens, Uni<? extends SecurityIdentity>>() {
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java
@@ -2,12 +2,13 @@
 
 import jakarta.enterprise.context.ApplicationScoped;
 
+import org.jboss.logging.Logger;
+
 import io.quarkus.oidc.AuthorizationCodeTokens;
 import io.quarkus.oidc.OidcRequestContext;
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.TokenStateManager;
 import io.quarkus.oidc.runtime.OidcTenantConfig.TokenStateManager.Strategy;
-import io.quarkus.security.AuthenticationCompletionException;
 import io.quarkus.security.AuthenticationFailedException;
 import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
 import io.smallrye.mutiny.Uni;
@@ -17,6 +18,7 @@
 
 @ApplicationScoped
 public class DefaultTokenStateManager implements TokenStateManager {
+    private static final Logger LOG = Logger.getLogger(DefaultTokenStateManager.class);
 
     @Override
     public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantConfig oidcConfig,
@@ -125,13 +127,17 @@ public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, Oid
 
                 if (oidcConfig.tokenStateManager().strategy() == Strategy.KEEP_ALL_TOKENS) {
                     accessToken = tokens[1];
-                    accessTokenExpiresIn = tokens[2].isEmpty() ? null : Long.valueOf(tokens[2]);
+                    accessTokenExpiresIn = tokens[2].isEmpty() ? null : parseAccessTokenExpiresIn(tokens[2]);
                     refreshToken = tokens[3];
                 } else if (oidcConfig.tokenStateManager().strategy() == Strategy.ID_REFRESH_TOKENS) {
                     refreshToken = tokens[3];
                 }
             } catch (ArrayIndexOutOfBoundsException ex) {
-                return Uni.createFrom().failure(new AuthenticationCompletionException("Session cookie is malformed"));
+                final String error = "Session cookie is malformed";
+                LOG.debug(ex);
+                return Uni.createFrom().failure(new AuthenticationFailedException(error));
+            } catch (AuthenticationFailedException ex) {
+                return Uni.createFrom().failure(ex);
             }
         } else {
             // Decrypt ID token from the q_session cookie
@@ -147,9 +153,15 @@ public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, Oid
                     String[] accessTokenData = CodeAuthenticationMechanism.COOKIE_PATTERN.split(accessTokenState);
                     accessToken = accessTokenData[0];
                     try {
-                        accessTokenExpiresIn = accessTokenData[1].isEmpty() ? null : Long.valueOf(accessTokenData[1]);
+                        accessTokenExpiresIn = accessTokenData[1].isEmpty() ? null
+                                : parseAccessTokenExpiresIn(accessTokenData[1]);
                     } catch (ArrayIndexOutOfBoundsException ex) {
-                        return Uni.createFrom().failure(new AuthenticationCompletionException("Session cookie is malformed"));
+                        final String error = "Session cookie is malformed";
+                        LOG.debug(ex);
+                        // Make this error message visible in the dev mode
+                        return Uni.createFrom().failure(new AuthenticationFailedException(error));
+                    } catch (AuthenticationFailedException ex) {
+                        return Uni.createFrom().failure(ex);
                     }
                 }
                 Cookie rtCookie = getRefreshTokenCookie(routingContext, oidcConfig);
@@ -179,6 +191,19 @@ public Uni<Void> deleteTokens(RoutingContext routingContext, OidcTenantConfig oi
         return CodeAuthenticationMechanism.VOID_UNI;
     }
 
+    private static Long parseAccessTokenExpiresIn(String accessTokenExpiresInString) {
+        try {
+            return Long.valueOf(accessTokenExpiresInString);
+        } catch (NumberFormatException ex) {
+            final String error = """
+                    Access token expires_in property in the session cookie must be a number, found %s
+                    """.formatted(accessTokenExpiresInString);
+            LOG.debug(ex);
+            // Make this error message visible in the dev mode
+            throw new AuthenticationFailedException(error);
+        }
+    }
+
     private static ServerCookie getAccessTokenCookie(RoutingContext routingContext, OidcTenantConfig oidcConfig) {
         return (ServerCookie) routingContext.request().getCookie(getAccessTokenCookieName(oidcConfig));
     }
diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -892,11 +892,13 @@ public void testIdTokenInjection() throws IOException {
             sessionCookie = getSessionCookie(webClient, null);
             assertEquals("1|2|3", sessionCookie.getValue());
 
+            webClient.getOptions().setRedirectEnabled(false);
+
             try {
                 webClient.getPage("http://localhost:8081/web-app");
-                fail("401 status error is expected");
+                fail("302 status error is expected");
             } catch (FailingHttpStatusCodeException ex) {
-                assertEquals(401, ex.getStatusCode());
+                assertEquals(302, ex.getStatusCode());
                 assertNull(getSessionCookie(webClient, null));
             }
             webClient.getCookieManager().clearCookies();
@@ -910,9 +912,9 @@ public void testIdTokenInjection() throws IOException {
 
             try {
                 webClient.getPage("http://localhost:8081/web-app");
-                fail("401 status error is expected");
+                fail("302 status error is expected");
             } catch (FailingHttpStatusCodeException ex) {
-                assertEquals(401, ex.getStatusCode());
+                assertEquals(302, ex.getStatusCode());
                 assertNull(getSessionCookie(webClient, null));
             }
             webClient.getCookieManager().clearCookies();
