Get the user name as principal name with OAuth2 code flow

[sberyozkin]

This is a minor update to make it possible to get the user name using the same code with both authorization code and bearer token flows, when dealing with social provider tokens. I noticed it had to be tuned when working on the latest demo.

For example, given a GitHub token, if it is an authorization code flow login, then the user name can only be acquired from quarkus.oidc.UserInfo, as shown here, getting it from SecurityIdentity does not work.

But if it is a bearer access token, then using either UserInfo or SecurityIdentity (as shown here) works.

Ideally, the securityIdentity.getPrincipal().getName() option should also work for tokens acquired from OAuth2 social providers during the authorization code flow too.

The reason it currently does not is that in case of the code flow, an internal ID token is generated which is then used as a source for a principal name, while it is only available for OAuth2 providers in the UserInfo json.

So I did a minor update to fix it.

The updated test confirms it - note, that before, the augmentor was manually updating the principal to pick up the UserInfo property, for a test GitHub provider. It is no longer necessary if UserInfo contains the configured principal claim

[Copilot]

Pull Request Overview

This PR enables the OAuth2 code-flow to populate the principal name from a user-info claim (e.g., preferred_username) so that securityIdentity.getPrincipal().getName() works with social providers in both code and bearer flows.

• Added a new token.principal-claim property for the GitHub provider in tests
• Removed the custom augmentor override for the code-flow GitHub path
• Extended the identity provider to copy the configured principal claim from UserInfo into the token JSON

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
integration-tests/oidc-wiremock/src/main/resources/application.properties	Added quarkus.oidc.code-flow-user-info-github.token.principal-claim
integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CustomSecurityIdentityAugmentor.java	Removed the code-flow-user-info-github branch from the augmentor
extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java	Populates the principal claim from UserInfo into the token JSON

Comments suppressed due to low confidence (1)

integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/CustomSecurityIdentityAugmentor.java:45

• [nitpick] Update or remove the surrounding comment/documentation to reflect that code-flow-user-info-github is now handled by configuration rather than the custom augmentor, preventing confusion.

|| routingContext.normalizedPath().endsWith("code-flow-user-info-github")

[Copilot]

[nitpick] Consider using the Optional API (ifPresent) instead of orElse(null) to avoid nulls and improve readability, for example:

resolvedContext.oidcConfig()
  .token()
  .principalClaim()
  .ifPresent(claim -> { ... });

Suggested change

	final String principalClaim = resolvedContext.oidcConfig().token().principalClaim().orElse(null);
	if (principalClaim != null && !tokenJson.containsKey(principalClaim) && userInfo != null
	&& userInfo.contains(principalClaim)) {
	tokenJson.put(principalClaim, userInfo.getString(principalClaim));
	}
	resolvedContext.oidcConfig().token().principalClaim().ifPresent(principalClaim -> {
	if (!tokenJson.containsKey(principalClaim) && userInfo != null
	&& userInfo.contains(principalClaim)) {
	tokenJson.put(principalClaim, userInfo.getString(principalClaim));
	}
	});

[sberyozkin]

@gastaldi I guess I'll ignore this one though with the lambda expression :-)

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 51b8e04.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.