OIDC client takes multiple retries to refresh the token (reactive)

[IvanPuntev]

Regarding #44037
I'm using version 3.28.1 and I'm trying the new auto refresh token functionality when 401 is received. I've added and set quarkus.rest-client-oidc-filter.refresh-on-unauthorized property to true and when the token is revoked it takes 3 calls to refresh the token. First and second time i receive error response:

"errors": [
       {
           "errorCode": "INVALID_AUTH_HEADER",
           "errorMsg": "INVALID_JWT_FORMAT"
       }
   ]

Is this proper behavior? Do I also need to add something else on my side like additional retry logic or this needs some improvement?

I'm using these properties:
quarkus.oidc-client.salesforce.auth-server-url=
quarkus.oidc-client.salesforce.client-id=
quarkus.oidc-client.salesforce.credentials.jwt.key=
quarkus.oidc-client.salesforce.credentials.jwt.audience=
quarkus.oidc-client.salesforce.credentials.jwt.subject=
quarkus.oidc-client.salesforce.credentials.jwt.issuer=
quarkus.oidc-client.salesforce.credentials.jwt.lifespan=3600
quarkus.oidc-client.salesforce.grant.type=jwt
quarkus.oidc-client.salesforce.credentials.jwt.assertion=true
quarkus.oidc-client.salesforce.token-path=/services/oauth2/token
quarkus.oidc-client.salesforce.discovery-enabled=false
quarkus.rest-client-oidc-filter.refresh-on-unauthorized=true

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

@IvanPuntev Thanks for testing it, just adding quarkus.rest-client-oidc-filter.refresh-on-unauthorized=true is enough.

when the token is revoked it takes 3 calls to refresh the token. First and second time i receive error response...

I don't think OIDC Client changes something at the 3rd attempt to get it working, I'll add a LOG debug support to log the request body and headers, similar to how Quarkus OIDC does it shortly, can you please register a custom OidcRequestFilter for the Token endpoint only and print the headers ?

Also CC @michalvavrik

[IvanPuntev]

The SalesforceException extends RuntimeException and again the same i just return different format of the error.

[sberyozkin]

That explains why Michal does not see a retry

[michalvavrik]

this code

@Override
    public Response toResponse(ClientWebApplicationException exception) {
ErrorResponse errorResponse = new ErrorResponse(.....);
return Response.status(exception.getResponse().getStatus()).entity(errorResponse).build();
}

may be part of the server exception mapper? I am judging by the signature. If so, that happens after your retry, not before. I have tried it with the client exception mapper but that one does not support returning Response as far as I could find. I still can't reproduce it - 30fb10e - which definitely does not mean there is no bug in Quarkus, but we should not conclude there is some concurrency issue in Quarkus and that users need to use @Retry until we have more signals that it is really a Quarkus issue. I appreciate very much all the information you provided, I know some people wouldn't have patience for that.

[sberyozkin]

Thanks Michal, if @IvanPuntev can create a reproducer, perhaps against a shareable Salesforce test account, then it can indeed be easier to narrow it down.

@IvanPuntev, can you please try the following: update quarkus-quickstarts/security-openid-connect-quickstart to launch Keycloak on fixed port, or use DevUi to find its port, and then write another app that uses OidcClient to get a token from Keycloak, and then in Keycloak admin - revoke token, etc, if you see 3 retries consistently then you should be able to reproduce it with Keycloak

[sberyozkin]

@IvanPuntev I created a branch to confirm there is only a single error response from the API endpoint after the token is revoked, and we'd appreciate if you work with this branch to reproduce what you are seeing, by adding you own code.

So, the branch is here: https://github.com/quarkusio/quarkus-quickstarts/compare/main...sberyozkin:oidc_client_revoke_token?expand=1

So, fork quarkus-quickstarts, get this branch, go to security-openid-connect-client-quickstart, start with uncommenting the code I commented here, and comment the code with the recovery I added starting from line 42.

Then do mv quarkus:dev, and curl -v http://localhost:8080/frontend/user-name-with-oidc-client-token, and you will see 200 OK:

Next, go to Dev UI, find OIDC card, click on Keycloak Admin, login as admin:admin, and revoke the token, in Keycloak it is done by signing out of the alice session for the backend-service client in a quarkus realm (even though in this case it is not an actual session):

Repeat curl -v http://localhost:8080/frontend/user-name-with-oidc-client-token, you will see 401:

Now, comment the code without the recovery and uncomment the one with the recovery, exactly as this PR does it, save, Quarkus will reload it.

Repeat curl -v http://localhost:8080/frontend/user-name-with-oidc-client-token, you will see 200, and in console - no errors.

Go to Keycloak again, and sign out of the the session as done earlier, repeat curl -v http://localhost:8080/frontend/user-name-with-oidc-client-token, and you will see a single expected error returned, followed by a successful call:

It works as expected.

Now, can you please spend time with this branch, and change the code that I added, to recover differently, tge way you do it n your code, to reproduce 2 error responses ?

Thanks