-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Quarkus OIDC CredenitalsProvider does not follow conventions of allowing a separate "bean name" and "keyring name" #41265
Comments
@ryandens There is a test |
hi @sberyozkin, thanks for your response! I'm assuming you're talking about this file: https://github.com/quarkusio/quarkus/blob/79dbe9ff7a6575633d1aed1e8222720224c6e52c/extensions/oidc/deployment/src/test/java/io/quarkus/oidc/test/SecretProvider.java This is a Imagine for a moment that this test |
@ryandens Hi, OK, I see now. For simple cases it should not be a problem, but I can imagine why it can actually be a problem for more advanced implementations. |
Sounds good, thank you for the help! |
👋 just checking back in here - is this fix targeting the 3.13 milestone? I noticed #41223 is but that this issue/PR is not If there's something I need to do/can do to help get it in a future milestone, let me know! |
Describe the bug
Other
CredentialsProvdider
integrations, such as the ones built by Quarkus Data source, RabbitMQ, and Quarkiverse GitHub app extensions allow for separate configuration of a "bean name" of theCredentialsProvider
implementation to be used by the extension and a "keyring name". This is also laid out inCredentialsProvider
documentation here.However, the Quarkus OIDC extension only allows for the configuration of
quarkus.oidc.credentials.client-secret.provider.name
(which is used here to first lookup the CDI bean and then used here to look up the secret from the keyringI think the only way this could be successfully used today is by always supplying what's supposed to be an optional bean name for the
CredentialsProvider
implementation because otherwise the call toCredentialsProvider.getCredentials(String)
will always be providednull
.This mandates that the bean name and the value in the keyring be the same. For my use case, which is a
CredentialsProvider
implementation backed by data in AWS SecretsManager, in means I need a separateCredentialsProvider
implementation for just this extension where the name of the secret in SecretsManager matches the bean name of theCredentialsProvider
implementation.Expected behavior
We should adapt the OIDC extension to look more like other usages of
CredentialsProviderFinder.find
, like thisThis does the following:
CredentialsProviderFinder.find
throws aRuntimeException
if theCredentialsProvider
resolved from theArc
container is null, and therefore this method will never return nullIn a future release of Quarkus, the breaking change to require the user to provide a keyring name (like all other extensions that support
CredentialsProvider
should be considered, but this change was structured in this way to be backward compatible.I'm definitely open to other suggestions for implementing a change like this! I'm also appy to contribute this change myself if the workaround to conform to conventions is accepted.
Note, normally
quarkus.oidc.credentials.client-secret.provider.name
would be the name of the keyring, not the name of the CDI bean, but since it's already being used here for both in order to be backward compatible we have to introduce a new property for when users want to configure the keyring name (which is usually non-optional when configuring extensions to useCredentialsProvider
implementationsActual behavior
No response
How to Reproduce?
No response
Output of
uname -a
orver
No response
Output of
java -version
No response
Quarkus version or git rev
No response
Build tool (ie. output of
mvnw --version
orgradlew --version
)No response
Additional information
No response
The text was updated successfully, but these errors were encountered: