Skip to content

Fail early if the access token is not returned from GitHub #47750

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 7, 2025
Merged

Fail early if the access token is not returned from GitHub #47750

merged 1 commit into from
May 7, 2025

Conversation

sberyozkin
Copy link
Member

If GitHub provider fails to complete the authorization code flow, it will reply with 200, without the actual access token, causing a confusing error when Quarkus OIDC attempts to verify this non-existent token via the UserInfo injection...

This PR adds a couple of checks to fail early and an extra check to check the confusing error

@sberyozkin sberyozkin requested a review from gastaldi May 7, 2025 16:24
@quarkus-bot quarkus-bot bot added the area/oidc label May 7, 2025
gastaldi
gastaldi reviewed May 7, 2025
View reviewed changes
extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java Outdated
Comment on lines 872 to 873
LOG.errorf(
"Neither ID token nor access tokens are available in the authorization code grant response");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there anything the dev can do to fix that? (Check some URL, setting, etc?)

Copy link
Member Author

@sberyozkin sberyozkin May 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @gastaldi It depends on the situation, for example, in this case we saw GitHub returning GitHub specific error in JSON format with 200 response type...
Perhaps I should add Please check the logs for more details ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would be nice. Also if the data isn't visible in the logs, maybe point to a URL where you can find more info on how to fix that

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is in the actual GitHub response, it includes link to the trouble shooting guide, the problem they return it with 200 which needs a debug level to be seen... Let me tune it a bit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I gave it a try :-)

@quarkus-bot quarkus-bot

This comment has been minimized.

Sign in to view
@sberyozkin sberyozkin force-pushed the internal_idtoken_fix branch from 99446fe to 32da46e Compare May 7, 2025 17:05
gastaldi
gastaldi approved these changes May 7, 2025
View reviewed changes
Copy link
Contributor

@gastaldi gastaldi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented May 7, 2025
edited by github-actions bot
Loading

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 32da46e.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@sberyozkin sberyozkin merged commit 8bf9175 into quarkusio:main May 7, 2025
28 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.23 - main milestone May 7, 2025
@sberyozkin sberyozkin deleted the internal_idtoken_fix branch May 7, 2025 17:49
@gsmet gsmet modified the milestones: 3.23 - main, 3.22.3 May 13, 2025
@jmartisk jmartisk modified the milestones: 3.22.3, 3.20.2 Jun 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gastaldi gastaldi gastaldi approved these changes

Assignees

No one assigned

Labels

area/oidc

Projects

None yet

Milestone

3.20.2

Development

Successfully merging this pull request may close these issues.

4 participants

@sberyozkin @gastaldi @jmartisk @gsmet