Support for a custom OIDC resource metadata's authorization server URL

sberyozkin · gsmet · commit 75bf854c9f07 · 2025-09-05T18:19:18.000+02:00
(cherry picked from commit 9db0d2c)
diff --git a/docs/src/main/asciidoc/security-oidc-expanded-configuration.adoc b/docs/src/main/asciidoc/security-oidc-expanded-configuration.adoc
@@ -1295,6 +1295,7 @@ In turn, a client that requested the protected resource metadata can use its pro
 
 |quarkus.oidc.resource-metadata.enabled |false|Enable resource metadata properties
 |quarkus.oidc.resource-metadata.resource ||Resource identifier
+|quarkus.oidc.resource-metadata.authorization-server ||Authorization server URL
 |quarkus.oidc.resource-metadata.force-https-scheme |true|Force that a resource identifier URL has an HTTPS scheme
 |====
 
@@ -1307,7 +1308,9 @@ According to the https://datatracker.ietf.org/doc/rfc9728/[OAuth2 Protected Reso
 
 If it is configured as a relative path then it is added to the current request URL's host and port to build a resource identifier URL. If it is not configured at all then, unless it is a default tenant id, the tenand id is added to the current request URL's host and port to build a resource identifier URL.
 
-In such cases, the `quarkus.oidc.resource-metadata.force-https-scheme` property can be used to set a correct URL scheme, which is set to HTTPS by default.
+The resource identifier URL scheme is set to `HTTPS` by default. You can enable an `HTTP` URL scheme with `quarkus.oidc.resource-metadata.force-https-scheme=false`, it can be particularly useful in simple demos and tests.
+
+`quarkus.oidc.resource-metadata.authorization-server` allows to customize an authorization server URL that will be included in the resource metadata. The `quarkus.oidc.auth-server-url` URL is included by default, however, for some cases where an OIDC proxy interposes over the actual OIDC provider, returning the OIDC proxy's URL is required instead.
 
 See also the <<oidc-metadata-properties>> for details about the OIDC provider metadata that Quarkus OIDC uses for its work.
 
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
@@ -2751,6 +2751,7 @@ public static class ResourceMetadata implements io.quarkus.oidc.runtime.OidcTena
 
         public boolean enabled;
         public Optional<String> resource = Optional.empty();
+        public Optional<String> authorizationServer = Optional.empty();
         public boolean forceHttpsScheme = true;
 
         @Override
@@ -2763,6 +2764,11 @@ public Optional<String> resource() {
             return resource;
         }
 
+        @Override
+        public Optional<String> authorizationServer() {
+            return authorizationServer;
+        }
+
         @Override
         public boolean forceHttpsScheme() {
             return forceHttpsScheme;
@@ -2771,6 +2777,7 @@ public boolean forceHttpsScheme() {
         private void addConfigMappingValues(io.quarkus.oidc.runtime.OidcTenantConfig.ResourceMetadata mapping) {
             enabled = mapping.enabled();
             resource = mapping.resource();
+            authorizationServer = mapping.authorizationServer();
             forceHttpsScheme = mapping.forceHttpsScheme();
         }
     }
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfigBuilder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfigBuilder.java
@@ -863,12 +863,13 @@ public CertificateChain build() {
     public static final class ResourceMetadataBuilder {
 
         private record ResourceMetadataImpl(boolean enabled, Optional<String> resource,
-                boolean forceHttpsScheme) implements ResourceMetadata {
+                Optional<String> authorizationServer, boolean forceHttpsScheme) implements ResourceMetadata {
         }
 
         private final OidcTenantConfigBuilder builder;
         private boolean enabled;
         private Optional<String> resource;
+        private Optional<String> authorizationServer;
         private boolean forceHttpsScheme;
 
         public ResourceMetadataBuilder() {
@@ -879,6 +880,7 @@ public ResourceMetadataBuilder(OidcTenantConfigBuilder builder) {
             this.builder = Objects.requireNonNull(builder);
             this.enabled = builder.resourceMetadata.enabled();
             this.resource = builder.resourceMetadata.resource();
+            this.authorizationServer = builder.resourceMetadata.authorizationServer();
             this.forceHttpsScheme = builder.resourceMetadata.forceHttpsScheme();
         }
 
@@ -909,6 +911,15 @@ public ResourceMetadataBuilder resource(String resource) {
             return this;
         }
 
+        /**
+         * @param resource {@link ResourceMetadata#authorizationServer()}
+         * @return this builder
+         */
+        public ResourceMetadataBuilder authorizationServer(String authorizationServer) {
+            this.authorizationServer = Optional.ofNullable(authorizationServer);
+            return this;
+        }
+
         /**
          * forceHttpsScheme {@link ResourceMetadata#forceHttpsScheme()}
          *
@@ -938,7 +949,7 @@ public OidcTenantConfigBuilder end() {
          * @return built ResourceMetadata
          */
         public ResourceMetadata build() {
-            return new ResourceMetadataImpl(enabled, resource, forceHttpsScheme);
+            return new ResourceMetadataImpl(enabled, resource, authorizationServer, forceHttpsScheme);
         }
     }
 
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTenantConfig.java
@@ -162,6 +162,12 @@ interface ResourceMetadata {
          */
         Optional<String> resource();
 
+        /**
+         * Authorization server URL.
+         * 'quarkus.oidc.auth-server-url' property value is reported by default.
+         */
+        Optional<String> authorizationServer();
+
         /**
          * Force a protected resource identifier HTTPS scheme.
          * This property is ignored if {@link #resource() is an absolute URL}
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/ResourceMetadataHandler.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/ResourceMetadataHandler.java
@@ -147,7 +147,8 @@ private String prepareMetadata(RoutingContext context) {
             metadata.put(OidcConstants.RESOURCE_METADATA_RESOURCE, resourceIdentifier);
 
             JsonArray authorizationServers = new JsonArray();
-            authorizationServers.add(0, oidcConfig.authServerUrl().get());
+            authorizationServers.add(0, oidcConfig.resourceMetadata().authorizationServer()
+                    .orElse(oidcConfig.authServerUrl().get()));
             metadata.put(OidcConstants.RESOURCE_METADATA_AUTHORIZATION_SERVERS, authorizationServers);
             return metadata.toString();
         }
diff --git a/extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcTenantConfigImpl.java b/extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcTenantConfigImpl.java
@@ -161,6 +161,7 @@ enum ConfigMappingMethods {
         CERTIFICATION_CHAIN_TRUST_STORE_FILE_TYPE,
         RESOURCE_METADATA_ENABLED,
         RESOURCE_METADATA_RESOURCE,
+        RESOURCE_METADATA_AUTHORIZATION_SERVER,
         RESOURCE_METADATA_FORCE_HTTPS_SCHEME,
         LOGOUT_PATH,
         LOGOUT_POST_LOGOUT_PATH,
@@ -620,6 +621,12 @@ public Optional<String> resource() {
                 return Optional.empty();
             }
 
+            @Override
+            public Optional<String> authorizationServer() {
+                invocationsRecorder.put(ConfigMappingMethods.RESOURCE_METADATA_AUTHORIZATION_SERVER, true);
+                return Optional.empty();
+            }
+
             @Override
             public boolean forceHttpsScheme() {
                 invocationsRecorder.put(ConfigMappingMethods.RESOURCE_METADATA_FORCE_HTTPS_SCHEME, true);
diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties
@@ -138,6 +138,7 @@ quarkus.oidc.tenant-nonce.token-state-manager.encryption-required=false
 quarkus.oidc.tenant-nonce.token.allow-jwt-introspection=false
 quarkus.oidc.tenant-nonce.resource-metadata.enabled=true
 quarkus.oidc.tenant-nonce.resource-metadata.resource=/metadata
+quarkus.oidc.tenant-nonce.resource-metadata.authorization-server=http://localhost:8080/q/oidc
 
 quarkus.oidc.tenant-javascript.auth-server-url=${quarkus.oidc.auth-server-url}
 quarkus.oidc.tenant-javascript.client-id=quarkus-app
diff --git a/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java b/integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java
@@ -150,7 +150,7 @@ public void testCodeFlowNoConsent() throws IOException {
             checkHealth();
 
             // Static default tenant
-            checkResourceMetadata(null, "quarkus");
+            checkResourceMetadata(null, "/realms/quarkus");
         }
     }
 
@@ -465,7 +465,7 @@ public void testCodeFlowNonce() throws Exception {
             assertEquals("Unexpected 401", ex.getMessage());
         }
         // Static `tenant-nonce` tenant with custom resource path
-        checkResourceMetadata("metadata", "quarkus");
+        checkResourceMetadata("metadata", ":8080/q/oidc");
     }
 
     private void doTestCodeFlowNonce(boolean wrongRedirect) throws Exception {
@@ -869,7 +869,7 @@ public Boolean call() throws Exception {
             webClient.getCookieManager().clearCookies();
 
             // Static `tenant-refresh` tenant
-            checkResourceMetadata("tenant-refresh", "logout-realm");
+            checkResourceMetadata("tenant-refresh", "/realms/logout-realm");
         }
     }
 
@@ -1762,7 +1762,7 @@ private String getIdToken(Cookie sessionCookie) {
         return sessionCookie.getValue().split("\\|")[0];
     }
 
-    private static void checkResourceMetadata(String resource, String realm) {
+    private static void checkResourceMetadata(String resource, String authorizationServerSuffix) {
         Response metadataResponse = RestAssured.when()
                 .get("http://localhost:8081" + OidcConstants.RESOURCE_METADATA_WELL_KNOWN_PATH
                         + (resource == null ? "" : "/" + resource));
@@ -1774,6 +1774,6 @@ private static void checkResourceMetadata(String resource, String realm) {
 
         String authorizationServer = jsonAuthorizarionServers.getString(0);
         assertTrue(authorizationServer.startsWith("http://localhost:"));
-        assertTrue(authorizationServer.endsWith("/realms/" + realm));
+        assertTrue(authorizationServer.endsWith(authorizationServerSuffix));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,8 @@ private String prepareMetadata(RoutingContext context) {`
`147`	`147`	`metadata.put(OidcConstants.RESOURCE_METADATA_RESOURCE, resourceIdentifier);`
`148`	`148`
`149`	`149`	`JsonArray authorizationServers = new JsonArray();`
`150`		`- authorizationServers.add(0, oidcConfig.authServerUrl().get());`
	`150`	`+ authorizationServers.add(0, oidcConfig.resourceMetadata().authorizationServer()`
	`151`	`+ .orElse(oidcConfig.authServerUrl().get()));`
`151`	`152`	`metadata.put(OidcConstants.RESOURCE_METADATA_AUTHORIZATION_SERVERS, authorizationServers);`
`152`	`153`	`return metadata.toString();`
`153`	`154`	`}`
Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ public void testCodeFlowNoConsent() throws IOException {`
`150`	`150`	`checkHealth();`
`151`	`151`
`152`	`152`	`// Static default tenant`
`153`		`- checkResourceMetadata(null, "quarkus");`
	`153`	`+ checkResourceMetadata(null, "/realms/quarkus");`
`154`	`154`	`}`
`155`	`155`	`}`
`156`	`156`
`@@ -465,7 +465,7 @@ public void testCodeFlowNonce() throws Exception {`
`465`	`465`	`assertEquals("Unexpected 401", ex.getMessage());`
`466`	`466`	`}`
`467`	`467`	// Static `tenant-nonce` tenant with custom resource path
`468`		`- checkResourceMetadata("metadata", "quarkus");`
	`468`	`+ checkResourceMetadata("metadata", ":8080/q/oidc");`
`469`	`469`	`}`
`470`	`470`
`471`	`471`	`private void doTestCodeFlowNonce(boolean wrongRedirect) throws Exception {`
`@@ -869,7 +869,7 @@ public Boolean call() throws Exception {`
`869`	`869`	`webClient.getCookieManager().clearCookies();`
`870`	`870`
`871`	`871`	// Static `tenant-refresh` tenant
`872`		`- checkResourceMetadata("tenant-refresh", "logout-realm");`
	`872`	`+ checkResourceMetadata("tenant-refresh", "/realms/logout-realm");`
`873`	`873`	`}`
`874`	`874`	`}`
`875`	`875`
`@@ -1762,7 +1762,7 @@ private String getIdToken(Cookie sessionCookie) {`
`1762`	`1762`	`return sessionCookie.getValue().split("\\\|")[0];`
`1763`	`1763`	`}`
`1764`	`1764`
`1765`		`- private static void checkResourceMetadata(String resource, String realm) {`
	`1765`	`+ private static void checkResourceMetadata(String resource, String authorizationServerSuffix) {`
`1766`	`1766`	`Response metadataResponse = RestAssured.when()`
`1767`	`1767`	`.get("http://localhost:8081" + OidcConstants.RESOURCE_METADATA_WELL_KNOWN_PATH`
`1768`	`1768`	`+ (resource == null ? "" : "/" + resource));`
`@@ -1774,6 +1774,6 @@ private static void checkResourceMetadata(String resource, String realm) {`
`1774`	`1774`
`1775`	`1775`	`String authorizationServer = jsonAuthorizarionServers.getString(0);`
`1776`	`1776`	`assertTrue(authorizationServer.startsWith("http://localhost:"));`
`1777`		`- assertTrue(authorizationServer.endsWith("/realms/" + realm));`
	`1777`	`+ assertTrue(authorizationServer.endsWith(authorizationServerSuffix));`
`1778`	`1778`	`}`
`1779`	`1779`	`}`