Enforce OIDC code flow access token verification only if JWT is in the application code #39718
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…e application code
gastaldi
approved these changes
Mar 26, 2024
alesj
reviewed
Mar 26, 2024
| import io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager; | ||
|
|
||
| @QuarkusTestResource(KeycloakTestResourceLifecycleManager.class) | ||
| public class CodeFlowVerifyAccessTokenDisabled { |
There was a problem hiding this comment.
No need for the "Test" in the class name?
Status for workflow
|
| return true; | ||
| } | ||
| } | ||
| return false; | ||
| } | ||
|
|
||
| private static boolean isApplicationPackage(String injectionPointTargetInfo) { | ||
| return injectionPointTargetInfo != null | ||
| && !injectionPointTargetInfo.startsWith(QUARKUS_TOKEN_PROPAGATION_PACKAGE) |
There was a problem hiding this comment.
The OIDC Token propagation line basically says that we register filters that are not actually used while we have all build time information:
- We can detect when the filter is needed
- If the
JsonWebTokenis actually injected inside bean used by the application (by actively used JAX-RS filter), then it should use verified JWT?
As for SmallRye JWT package unfortunately I don't know it well enough, but to have unused beans registered by default surprises me.
There was a problem hiding this comment.
The OIDC Token propagation line basically says that we register filters that are not actually used while we have all build time information...We can detect when the filter is needed
This is only available in the Resteasy Classic based optional filter which as far as I know noone has used, this is why I did not make the same feature available in the reactive propagation filter. That feature is about using a JWT build API to construct a new JWT token from the coming JWT token and then resigning it with the new key, setting a new audience. But users never used it because the token propagation supports the token exchange grants.
So this check is just to avoid that unused feature interfering, IMHO it is not worth the effort and start checking at the quarkus-oidc level if that filter is used given that filter is also expected to work with smallrye-jwt.
If the JsonWebToken is actually injected inside bean used by the application (by actively used JAX-RS filter), then it should use verified JWT?
If it is meant to be propagated then not really, we won't use for any security decisions locally and users won't access it directly.
We are talking about this feature: https://quarkus.io/guides/security-openid-connect-client-reference#restclient-jsonwebtokenrequestfilter
As I said I haven' seen any evidence it being used, instead the exchange token grants are used to set a new audience, resign etc. And like I said, in cases where it is not enforced users can just enable with the property. But if resteasy easy client users will use that extension to propagate Google binary access token, it will cause a failure
because we will detect JsonWebToken - so if someone, theoretically at least, uses that feature, and wants to have it verified they can enable the verification, I suppose I can update the migration guide.
As for SmallRye JWT package unfortunately I don't know it well enough, but to have unused beans registered by default surprises me.
That producer is probably 7 years old, it may have been myself or Scott who coded it, fair to say it is not the best CDI code written but we just should not let in interfere in this feature
There was a problem hiding this comment.
Copy that. Thanks for in detail explanation.
There was a problem hiding this comment.
I approve (when the Ales comment about the test name is resolved) as this is time sensitive.
However we only detect active injection points, so I believe this is a workaround that is hiding actual bug - we should only have registered beans that we actually use. And the injection in application code requires verification, so should the framework injection.
My point is, with this PR In place there can be an actively used injection point that should use verified access token but does not.
Update: see #39718 (comment)
michalvavrik
approved these changes
Mar 26, 2024
I'm not sure what you mean, the bug in the OIDC token propagation filter ? I'm not sure where the bug is , that feature needs the JWT token. But It does not really matter because the idea behind the automatic token verification is about protecting the user code from accessing it and making some decisions, but with the token propagation filters, users don't see the access token, the target server will be verifying it. This is the whole reason why we don't verify the code flow access tokens by default, we don't use them in Quarkus by default. But in any case, IMHO, this feature, should not depend on how some other places in Quarkus use JsonWebToken. It is all about protecting the user code from getting access to the unverified JWTs if the users forget to enable the verification. Have you convinced you a little bit ? |
|
@alesj Sure, I'll update that test class name, but I can do it in a follow up PR if you want to merge today, I won't be waiting till another build passes, so it will be then merged in the morning, it will probably won't make it to 3.9.1 then, not sure it will make it in any case... |
The feature needs the JWT token and we enable the feature when nobody uses it. I don't want to continue discussing it, you explained it well enough above. Thanks
I would not guess it, because protecting the user code from accessing it and making some decisions is just a speculation, users can use the token for propagation as well, we don't know what they use with it. So I didn't realize that was the intention of this feature. It sounds reasonable.
That is sound if you are able to say that Quarkus will never use this injected JWT without verifying automatically. I don't see it currently, so you are right.
You had me after #39718 (comment), my notes above are just for me to learn. Thanks for the fix. |
We don't enable it by default
If the users inject it directly in their code, then indeed, we don't know what they will do with it - they may never access the claims, but does it matter ? The risk is there that they will - which is enough. We also document that if the users want to inject the token for the purpose of the manually propagating it, without the filters, then they should use If we follow your argument then when we see |
|
You know @sberyozkin , if that's a case and you are use we always want to inspect only application injection point, I suppose we can find something more robust. For example Quarkus never registers beans from runtime modules by default, so Quarkus knows what application classes are (I suspect |
I am sorry, I don't understand. How do you read this line: |
You got me, it is enabled by default. But is it relevant to this PR :-) ? |
I only mentioned it because originally (and incorrectly) I thought every active bean should be checked and I was surprised it breaks applications even without actively using this feature. No. it is not relevant for this PR. Let's get it in. |
|
@michalvavrik Indeed, we can improve the way that token propagation feature is registered (I probably added it as unremovable because it did not work otherwise, but to be honest I don't remember). Similarly for the smallrye-jwt filter. But in general I think it is good that this particular feature does not depend on how some other parts of the Quarkus ecosystem use JsonWebToken. Thanks for the feedback and good night ! |
benkard
added a commit
to benkard/mulkcms2
that referenced
this pull request
Apr 6, 2024
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.225.0` -> `^0.233.0`](https://renovatebot.com/diffs/npm/flow-bin/0.225.1/0.233.0) |
| [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | patch | `42.7.1` -> `42.7.3` |
| [org.liquibase.ext:liquibase-hibernate5](https://github.com/liquibase/liquibase-hibernate/wiki) ([source](https://github.com/liquibase/liquibase-hibernate)) | build | minor | `4.25.1` -> `4.27.0` |
| [org.liquibase:liquibase-maven-plugin](http://www.liquibase.org/liquibase-maven-plugin) ([source](https://github.com/liquibase/liquibase)) | build | minor | `4.25.1` -> `4.27.0` |
| [io.hypersistence:hypersistence-utils-hibernate-62](https://github.com/vladmihalcea/hypersistence-utils) | compile | patch | `3.7.0` -> `3.7.3` |
| [org.hibernate.orm:hibernate-envers](https://hibernate.org/orm) ([source](https://github.com/hibernate/hibernate-orm)) | build | patch | `6.4.1.Final` -> `6.4.4.Final` |
| [org.hibernate.orm:hibernate-core](https://hibernate.org/orm) ([source](https://github.com/hibernate/hibernate-orm)) | build | patch | `6.4.1.Final` -> `6.4.4.Final` |
| [com.blazebit:blaze-persistence-bom](https://persistence.blazebit.com) ([source](https://github.com/Blazebit/blaze-persistence)) | import | patch | `1.6.10` -> `1.6.11` |
| [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | build | minor | `2.41.1` -> `2.43.0` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.6.4` -> `3.9.2` |
| [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | minor | `3.6.4` -> `3.9.2` |
| [org.apache.maven.plugins:maven-compiler-plugin](https://maven.apache.org/plugins/) | build | minor | `3.12.1` -> `3.13.0` |
---
### Release Notes
<details>
<summary>flowtype/flow-bin</summary>
### [`v0.233.0`](https://github.com/flowtype/flow-bin/compare/6e34f048ec7f5146297e258a60250c8e5af37bcc...2ebcdf3a8f03993e8ccab9e9fb6742000b54f929)
[Compare Source](https://github.com/flowtype/flow-bin/compare/6e34f048ec7f5146297e258a60250c8e5af37bcc...2ebcdf3a8f03993e8ccab9e9fb6742000b54f929)
### [`v0.232.0`](https://github.com/flowtype/flow-bin/compare/69ee58d99676a48984158d2cafcdb3b3f5ad5f15...6e34f048ec7f5146297e258a60250c8e5af37bcc)
[Compare Source](https://github.com/flowtype/flow-bin/compare/69ee58d99676a48984158d2cafcdb3b3f5ad5f15...6e34f048ec7f5146297e258a60250c8e5af37bcc)
### [`v0.231.0`](https://github.com/flowtype/flow-bin/compare/5c84049e450b37833fca5b547c1c2cb678436ef1...69ee58d99676a48984158d2cafcdb3b3f5ad5f15)
[Compare Source](https://github.com/flowtype/flow-bin/compare/5c84049e450b37833fca5b547c1c2cb678436ef1...69ee58d99676a48984158d2cafcdb3b3f5ad5f15)
### [`v0.230.0`](https://github.com/flowtype/flow-bin/compare/2c3181fa7aa928bd3735a7fad09e1be271c96c95...5c84049e450b37833fca5b547c1c2cb678436ef1)
[Compare Source](https://github.com/flowtype/flow-bin/compare/2c3181fa7aa928bd3735a7fad09e1be271c96c95...5c84049e450b37833fca5b547c1c2cb678436ef1)
### [`v0.229.2`](https://github.com/flowtype/flow-bin/compare/82b999003b85e827cd4dd36a8d3593979f1a9599...2c3181fa7aa928bd3735a7fad09e1be271c96c95)
[Compare Source](https://github.com/flowtype/flow-bin/compare/82b999003b85e827cd4dd36a8d3593979f1a9599...2c3181fa7aa928bd3735a7fad09e1be271c96c95)
### [`v0.229.0`](https://github.com/flowtype/flow-bin/compare/3d62fc76bf9b0ff63ec56d049c669958ef41f6b8...82b999003b85e827cd4dd36a8d3593979f1a9599)
[Compare Source](https://github.com/flowtype/flow-bin/compare/3d62fc76bf9b0ff63ec56d049c669958ef41f6b8...82b999003b85e827cd4dd36a8d3593979f1a9599)
### [`v0.228.0`](https://github.com/flowtype/flow-bin/compare/15db2846c1c63d3f26905f51e8c96c801cbc017b...3d62fc76bf9b0ff63ec56d049c669958ef41f6b8)
[Compare Source](https://github.com/flowtype/flow-bin/compare/15db2846c1c63d3f26905f51e8c96c801cbc017b...3d62fc76bf9b0ff63ec56d049c669958ef41f6b8)
### [`v0.227.0`](https://github.com/flowtype/flow-bin/compare/6fbe6faecdcb24e9ee660a0616705d46b9bd3c40...15db2846c1c63d3f26905f51e8c96c801cbc017b)
[Compare Source](https://github.com/flowtype/flow-bin/compare/6fbe6faecdcb24e9ee660a0616705d46b9bd3c40...15db2846c1c63d3f26905f51e8c96c801cbc017b)
### [`v0.226.0`](https://github.com/flowtype/flow-bin/compare/23ec6163cf6921d4ef74da53e1aaf4a35f798384...6fbe6faecdcb24e9ee660a0616705d46b9bd3c40)
[Compare Source](https://github.com/flowtype/flow-bin/compare/23ec6163cf6921d4ef74da53e1aaf4a35f798384...6fbe6faecdcb24e9ee660a0616705d46b9bd3c40)
</details>
<details>
<summary>pgjdbc/pgjdbc</summary>
### [`v42.7.3`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4273-2024-04-14-145100--0400)
##### Changed
- chore: gradle config enforces 17+ [MR #​3147](https://github.com/pgjdbc/pgjdbc/pull/3147)
##### Fixed
- fix: boolean types not handled in SimpleQuery mode [MR #​3146](https://github.com/pgjdbc/pgjdbc/pull/3146)
- make sure we handle boolean types in simple query mode
- support uuid as well
- handle all well known types in text mode and change `else if` to `switch`
- fix: released new versions of 42.2.29, 42.3.10, 42.4.5, 42.5.6, 42.6.2 to deal with `NoSuchMethodError on ByteBuffer#position` when running on Java 8
### [`v42.7.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4272-2024-02-21-082300--0500)
##### Security
- security: SQL Injection via line comment generation, it is possible in `SimpleQuery` mode to generate a line comment by having a placeholder for a numeric with a `-`
such as `-?`. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment.
This has been fixed in this version fixes [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597). Reported by [Paul Gerste](https://github.com/paul-gerste-sonarsource). See the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56) for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds.
##### Changed
- fix: Use simple query for isValid. Using Extended query sends two messages checkConnectionQuery was never ever set or used, removed [MR #​3101](https://github.com/pgjdbc/pgjdbc/pull/3101)
- perf: Avoid autoboxing bind indexes by [@​bokken](https://github.com/bokken) in [MR #​1244](https://github.com/pgjdbc/pgjdbc/pull/1244)
- refactor: Document that encodePassword will zero out the password array, and remove driver's default encodePassword by [@​vlsi](https://github.com/vlsi) in [MR #​3084](https://github.com/pgjdbc/pgjdbc/pull/3084)
##### Added
- feat: Add PasswordUtil for encrypting passwords client side [MR #​3082](https://github.com/pgjdbc/pgjdbc/pull/3082)
</details>
<details>
<summary>liquibase/liquibase</summary>
### [`v4.27.0`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4270-is-a-major-release)
[Compare Source](https://github.com/liquibase/liquibase/compare/v4.26.0...v4.27.0)
> Liquibase 4.27.0 contains several New Capabilities and Notable Enhancements for Liquibase Pro users: DATABASECHANGELOGHISTORY table, Quality Checks Chains, Rollback Reports
> See the [Liquibase 4.27.0 Release Notes](https://docs.liquibase.com/start/release-notes/liquibase-release-notes/liquibase-4.27.0.html) for the complete set of release information.
### [`v4.26.0`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4260-is-a-major-release)
[Compare Source](https://github.com/liquibase/liquibase/compare/v4.25.1...v4.26.0)
> \[!IMPORTANT]
> Liquibase 4.26.0 contains several Notable Changes for Liquibase Pro users: Advanced IF conditionals, Simpler Regex-based pattern checks, and Checks Run Reports.
> \[!NOTE]
> See the [Liquibase 4.26.0 Release Notes](https://docs.liquibase.com/start/release-notes/liquibase-4.26.0.html) for the complete set of release information.
</details>
<details>
<summary>vladmihalcea/hypersistence-utils</summary>
### [`v3.7.3`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-373---February-16-2024)
\================================================================================
"java.lang.ClassCastException: class \[Ljava.lang.String; cannot be cast to class \[B" thrown when using multiLoad with Hibernate 6.4 [#​700](https://github.com/vladmihalcea/hypersistence-utils/issues/700)
### [`v3.7.2`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-372---February-08-2024)
\================================================================================
Expecting BasicPluralJavaType for array class \[Ljava.util.UUID;,
but got \`com.vladmihalcea.hibernate.type.array.internal.UUIDArrayTypeDescriptor error with Hibernate 6.4 [#​698](https://github.com/vladmihalcea/hypersistence-utils/issues/698)
### [`v3.7.1`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-371---January-30-2024)
\================================================================================
Add support for Hibernate 6.4 [#​685](https://github.com/vladmihalcea/hypersistence-utils/issues/685)
Remove hypersistence-utils-hibernate-5 module [#​693](https://github.com/vladmihalcea/hypersistence-utils/issues/693)
</details>
<details>
<summary>hibernate/hibernate-orm</summary>
### [`v6.4.4.Final`](https://github.com/hibernate/hibernate-orm/compare/6.4.3...6.4.4)
[Compare Source](https://github.com/hibernate/hibernate-orm/compare/6.4.3...6.4.4)
### [`v6.4.3.Final`](https://github.com/hibernate/hibernate-orm/compare/6.4.2...6.4.3)
[Compare Source](https://github.com/hibernate/hibernate-orm/compare/6.4.2...6.4.3)
### [`v6.4.2.Final`](https://github.com/hibernate/hibernate-orm/compare/6.4.1...6.4.2)
[Compare Source](https://github.com/hibernate/hibernate-orm/compare/6.4.1...6.4.2)
</details>
<details>
<summary>Blazebit/blaze-persistence</summary>
### [`v1.6.11`](https://github.com/Blazebit/blaze-persistence/blob/HEAD/CHANGELOG.md#​1611)
[Compare Source](https://github.com/Blazebit/blaze-persistence/compare/1.6.10...1.6.11)
10/01/2024 - [Release tag](https://github.com/Blazebit/blaze-persistence/releases/tag/1.6.11) [Resolved issues](https://github.com/Blazebit/blaze-persistence/issues?q=is%3Aissue+milestone%3A1.6.11+is%3Aclosed+sort%3Aupdated-desc)
##### New features
- Special case mappings with limit of 1 to use `=` instead of `IN` predicate
- Added support for extended GraphlQL types, for example support DateTime (please read `Backwards-incompatible changes` below )
##### Bug fixes
- Fix over-fetching of entity view data with dynamic fetches
- Fix Spring 6.1 compatibility
- Fix Hibernate 6.4.0.Final compatibility
- Disallow repository sorting by anything other than entity or entity view attribute paths
##### Backwards-incompatible changes
- If you use the GraphQL integration and you are loading the [graphql-java-extended-scalars](https://github.com/graphql-java/graphql-java-extended-scalars), you might need to migrate your `LocalDataTime` EntityViews to `OffsetDateTime`. Dates will no longer be represented as String in the GraphQl-Schema, but as [DateTime](https://the-guild.dev/graphql/scalars/docs/scalars/date-time).
</details>
<details>
<summary>diffplug/spotless</summary>
### [`v2.43.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#​2430---2023-11-27)
##### Added
- Support custom rule sets for Ktlint. ([#​1896](https://github.com/diffplug/spotless/pull/1896))
##### Fixed
- Fix Eclipse JDT on some settings files. ([#​1864](https://github.com/diffplug/spotless/pull/1864) fixes [#​1638](https://github.com/diffplug/spotless/issues/1638))
##### Changes
- Bump default `ktlint` version to latest `1.0.0` -> `1.0.1`. ([#​1855](https://github.com/diffplug/spotless/pull/1855))
- Add a Step to remove semicolons from Groovy files. ([#​1881](https://github.com/diffplug/spotless/pull/1881))
### [`v2.42.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#​2420---2023-09-28)
##### Added
- Support for biome. The Rome project [was renamed to Biome](https://biomejs.dev/blog/annoucing-biome/).
The configuration is still the same, but you should switch to the new `biome` tag / function and adjust
the version accordingly. ([#​1804](https://github.com/diffplug/spotless/issues/1804)).
- Support for `google-java-format`'s `skip-javadoc-formatting` option. ([#​1793](https://github.com/diffplug/spotless/pull/1793))
- Support configuration of mirrors for P2 repositories in Maven DSL ([#​1697](https://github.com/diffplug/spotless/issues/1697)).
- New line endings mode `GIT_ATTRIBUTES_FAST_ALLSAME`. ([#​1838](https://github.com/diffplug/spotless/pull/1838))
##### Fixed
- Fix support for plugins when using Prettier version `3.0.0` and newer. ([#​1802](https://github.com/diffplug/spotless/pull/1802))
- Fix configuration cache issue around `external process started '/usr/bin/git --version'`. ([#​1806](https://github.com/diffplug/spotless/issues/1806))
##### Changes
- Bump default `flexmark` version to latest `0.64.0` -> `0.64.8`. ([#​1801](https://github.com/diffplug/spotless/pull/1801))
- Bump default `ktlint` version to latest `0.50.0` -> `1.0.0`. ([#​1808](https://github.com/diffplug/spotless/pull/1808))
</details>
<details>
<summary>quarkusio/quarkus</summary>
### [`v3.9.2`](https://github.com/quarkusio/quarkus/releases/tag/3.9.2)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.9.1...3.9.2)
##### Complete changelog
- [#​38964](https://github.com/quarkusio/quarkus/pull/38964) - Add smallrye metrics capability
- [#​39668](https://github.com/quarkusio/quarkus/pull/39668) - Recompute cache when the redis connection pool is exhausted
- [#​39705](https://github.com/quarkusio/quarkus/pull/39705) - WebSockets Next: error handlers part 1
- [#​39717](https://github.com/quarkusio/quarkus/issues/39717) - OIDC code flow access token verification is enforced even if the application code does not use it as JWT
- [#​39718](https://github.com/quarkusio/quarkus/pull/39718) - Enforce OIDC code flow access token verification only if JWT is in the application code
- [#​39725](https://github.com/quarkusio/quarkus/pull/39725) - Setting the correct CodeFlowVerifyAccessTokenDisabledTest test class name
- [#​39742](https://github.com/quarkusio/quarkus/pull/39742) - Fix a remaining reference to quarkus.resteasy-reactive. prefix
- [#​39746](https://github.com/quarkusio/quarkus/issues/39746) - ScheduledExecutorService: cannot remove future task from the scheduler
- [#​39763](https://github.com/quarkusio/quarkus/pull/39763) - WebSockets Next: error handlers part 2
- [#​39766](https://github.com/quarkusio/quarkus/pull/39766) - Properly handle array class types to be looked up
- [#​39770](https://github.com/quarkusio/quarkus/pull/39770) - Improve the multipart encoded mode handling in the rest client
- [#​39776](https://github.com/quarkusio/quarkus/issues/39776) - Cannot build native image after 3.9.1 upgrade - missing configuration properties but they exist
- [#​39777](https://github.com/quarkusio/quarkus/issues/39777) - Bean Param init issue - java.lang.NoClassDefFoundError: io/quarkus/generated/int$quarkusrestparamConverter$
- [#​39790](https://github.com/quarkusio/quarkus/pull/39790) - Add quarkus-credentials-deployment where it's missing
- [#​39794](https://github.com/quarkusio/quarkus/pull/39794) - Bump org.jboss.threads:jboss-threads from 3.6.0.Final to 3.6.1.Final
- [#​39797](https://github.com/quarkusio/quarkus/pull/39797) - Docs: fix typo in OIDC tenant resolution by configuration
- [#​39798](https://github.com/quarkusio/quarkus/issues/39798) - Update documentation for QUARKUS AND GRADLE - Development mode: quarkusDev#workingDir has been deprecated
- [#​39804](https://github.com/quarkusio/quarkus/pull/39804) - Always record profiles
- [#​39823](https://github.com/quarkusio/quarkus/pull/39823) - Ensure ParameterConverter is loaded from the TCCL
- [#​39829](https://github.com/quarkusio/quarkus/pull/39829) - Use quarkusDev#workingDirectory
- [#​39835](https://github.com/quarkusio/quarkus/pull/39835) - Bump maven-model-helper to 36
### [`v3.9.1`](https://github.com/quarkusio/quarkus/releases/tag/3.9.1)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.9.0...3.9.1)
##### Complete changelog
- [#​25682](https://github.com/quarkusio/quarkus/issues/25682) - Dev Services for Postgresql not working with Rancher
- [#​36736](https://github.com/quarkusio/quarkus/pull/36736) - Manage Jose4j dependency in the bom
- [#​36737](https://github.com/quarkusio/quarkus/issues/36737) - Add OpenAPI Filter usage to documentation
- [#​39088](https://github.com/quarkusio/quarkus/issues/39088) - Solve POM formatting issues when creating project/adding extension/removing extension
- [#​39224](https://github.com/quarkusio/quarkus/issues/39224) - WebSockets Next: support method parameter injection
- [#​39313](https://github.com/quarkusio/quarkus/issues/39313) - prod-profile configuration pollutes test profile in integration tests
- [#​39371](https://github.com/quarkusio/quarkus/pull/39371) - Avoid resolving plugin command after the first option
- [#​39382](https://github.com/quarkusio/quarkus/pull/39382) - Preserve POM format when extensions are added/removed
- [#​39385](https://github.com/quarkusio/quarkus/issues/39385) - smallrye-health should hande the case when Vert.x current context is null
- [#​39388](https://github.com/quarkusio/quarkus/issues/39388) - Hibernate runtime property persisting after build
- [#​39394](https://github.com/quarkusio/quarkus/pull/39394) - Handle null Vert.x context in smallrye-health
- [#​39426](https://github.com/quarkusio/quarkus/pull/39426) - Do not record active profile configuration name if a profile one exists
- [#​39443](https://github.com/quarkusio/quarkus/pull/39443) - Use Quarkus wide version of jna-platform in azure-functions
- [#​39496](https://github.com/quarkusio/quarkus/issues/39496) - Gradle build cache prevents source packages to be installed to local Maven repository
- [#​39513](https://github.com/quarkusio/quarkus/issues/39513) - `@SecureField` in members of the response class isn't applied
- [#​39528](https://github.com/quarkusio/quarkus/issues/39528) - (Doc issue) Getting token using blocking or non blocking calls
- [#​39544](https://github.com/quarkusio/quarkus/issues/39544) - OidcClient: Getting exception when trying to use tokenHelper
- [#​39546](https://github.com/quarkusio/quarkus/issues/39546) - Make maxParameters of MultiPartUploadHandler configurable
- [#​39549](https://github.com/quarkusio/quarkus/pull/39549) - Make max parameters of multipart handling configurable
- [#​39564](https://github.com/quarkusio/quarkus/pull/39564) - Fix Quarkus REST Jackson `@SecureField` detection on subclasses, interface implementors, fileds of the fields, parametrized types and arrays
- [#​39572](https://github.com/quarkusio/quarkus/pull/39572) - Remove mvnpm and webjars from the 404 page
- [#​39574](https://github.com/quarkusio/quarkus/pull/39574) - Add a section about openapi filters in the doc
- [#​39576](https://github.com/quarkusio/quarkus/pull/39576) - Fix semconv-stability.opt-in property name
- [#​39578](https://github.com/quarkusio/quarkus/pull/39578) - Update quarkus-project-develocity-extension to 1.0.7
- [#​39579](https://github.com/quarkusio/quarkus/pull/39579) - Don't run CDI interceptors on class-level exception mappers
- [#​39580](https://github.com/quarkusio/quarkus/pull/39580) - Fix directory name in vertx.adoc
- [#​39581](https://github.com/quarkusio/quarkus/issues/39581) - The http metrics provide a path instead of REDIRECTION and NOT_FOUND when possible
- [#​39583](https://github.com/quarkusio/quarkus/pull/39583) - Keep the URIs in the metrics tag if they match a client or server pattern
- [#​39586](https://github.com/quarkusio/quarkus/issues/39586) - RestMulti is not sending headers if there is no content
- [#​39587](https://github.com/quarkusio/quarkus/pull/39587) - Properly use headers from RestMulti when the multi is empty
- [#​39589](https://github.com/quarkusio/quarkus/pull/39589) - Only Add OTel Security Events when span is recording
- [#​39594](https://github.com/quarkusio/quarkus/pull/39594) - Redis: add documentation for replicas usage
- [#​39595](https://github.com/quarkusio/quarkus/pull/39595) - Update one of OIDC certificate chain tests to use TenantConfigResolver
- [#​39598](https://github.com/quarkusio/quarkus/issues/39598) - ClassNotFoundException for beanparam class with generics in external artifact
- [#​39599](https://github.com/quarkusio/quarkus/issues/39599) - JsonObject is empty when used with resteasy-reactive
- [#​39604](https://github.com/quarkusio/quarkus/pull/39604) - Do not record local sources in runtime config defaults.
- [#​39615](https://github.com/quarkusio/quarkus/pull/39615) - Allow JsonObject and JsonArray to be used in any POJO for JSON handling
- [#​39623](https://github.com/quarkusio/quarkus/issues/39623) - Type not consistent in sample code
- [#​39626](https://github.com/quarkusio/quarkus/pull/39626) - Update parameter type to be consistent across the doc
- [#​39628](https://github.com/quarkusio/quarkus/pull/39628) - Bump smallrye-jwt.version from 4.4.0 to 4.5.0
- [#​39630](https://github.com/quarkusio/quarkus/pull/39630) - Bump smallrye-reactive-messaging.version from 4.18.0 to 4.19.0
- [#​39638](https://github.com/quarkusio/quarkus/pull/39638) - Avoid all caching in DevModeClient
- [#​39642](https://github.com/quarkusio/quarkus/pull/39642) - WebSocket Next: endpoint callback arguments injection
- [#​39645](https://github.com/quarkusio/quarkus/pull/39645) - Improve the OIDC Client Quickstart document
- [#​39651](https://github.com/quarkusio/quarkus/pull/39651) - Bump io.quarkus.bot:build-reporter-maven-extension from 3.5.0 to 3.6.0
- [#​39656](https://github.com/quarkusio/quarkus/pull/39656) - Bump maven-model-helper to 35
- [#​39661](https://github.com/quarkusio/quarkus/pull/39661) - Fix property name in OIDC docs
- [#​39679](https://github.com/quarkusio/quarkus/pull/39679) - Bump mime4j version to 0.8.11
- [#​39682](https://github.com/quarkusio/quarkus/pull/39682) - Fix postgres datasource devservice not working with rancher-desktop on mac arm
- [#​39691](https://github.com/quarkusio/quarkus/pull/39691) - Fix dev-mode issue with generated classes for Quarkus REST converters
- [#​39699](https://github.com/quarkusio/quarkus/issues/39699) - UpxCompressionBuildStep Not Executed Since Quarkus 3.8.2
- [#​39702](https://github.com/quarkusio/quarkus/pull/39702) - Bring back erroneously removed `@BuildStep`
- [#​39706](https://github.com/quarkusio/quarkus/pull/39706) - Use --no-daemon when calling gradle update
### [`v3.9.0`](https://github.com/quarkusio/quarkus/releases/tag/3.9.0)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.8.3...3.9.0)
##### Complete changelog
- [#​25101](https://github.com/quarkusio/quarkus/issues/25101) - \[CI] - quarkus-devtools-compat + Quarkus main
- [#​27374](https://github.com/quarkusio/quarkus/issues/27374) - Update Quarkus CLI doc for installing specific version of the CLI to avoid printing warnings
- [#​39144](https://github.com/quarkusio/quarkus/issues/39144) - WebSockets Next: documentation
- [#​39315](https://github.com/quarkusio/quarkus/issues/39315) - `@ConfigMapping` handling of Maps is not compatible with old config classes
- [#​39344](https://github.com/quarkusio/quarkus/issues/39344) - Avro schemas aren't generated in isolation
- [#​39345](https://github.com/quarkusio/quarkus/pull/39345) - Isolate Avro schema code generation when using multiple schema files
- [#​39363](https://github.com/quarkusio/quarkus/pull/39363) - Initial version of the WebSocket Next documentation
- [#​39413](https://github.com/quarkusio/quarkus/pull/39413) - Refresh documentation (and some tests) of the Hibernate Search + ORM extension
- [#​39427](https://github.com/quarkusio/quarkus/issues/39427) - Enforce authorization code flow access token verification if `JsonWebToken` is injected
- [#​39428](https://github.com/quarkusio/quarkus/issues/39428) - Enforce OIDC UserInfo acquisition if `UserInfo` is injected
- [#​39441](https://github.com/quarkusio/quarkus/issues/39441) - RESTEasy Reactive dependency added to deployment classpath of nearly all Quarkus apps
- [#​39445](https://github.com/quarkusio/quarkus/pull/39445) - Remove Quarkus REST deployment dependency from Vertx HTTP deployment
- [#​39447](https://github.com/quarkusio/quarkus/pull/39447) - Save concat indy allocations on JarResource::getResourceURL
- [#​39454](https://github.com/quarkusio/quarkus/pull/39454) - Bump org.jboss.threads:jboss-threads from 3.5.1.Final to 3.6.0.Final
- [#​39458](https://github.com/quarkusio/quarkus/pull/39458) - Enforce OIDC UserInfo acquisition and authorization code flow access token verification if UserInfo and JsonWebToken beans are injected
- [#​39467](https://github.com/quarkusio/quarkus/pull/39467) - Fix codestarts compatibility with older CLI
- [#​39468](https://github.com/quarkusio/quarkus/issues/39468) - ChainBuildException - Cycle detected after [#​39352](https://github.com/quarkusio/quarkus/issues/39352) MR
- [#​39470](https://github.com/quarkusio/quarkus/pull/39470) - Remove the old MetricBuildItem SPI
- [#​39471](https://github.com/quarkusio/quarkus/pull/39471) - Update to Vert.x 4.5.5
- [#​39472](https://github.com/quarkusio/quarkus/pull/39472) - Update SmallRye Config to 3.7.0
- [#​39474](https://github.com/quarkusio/quarkus/pull/39474) - Use explicit jar reference instead of GAV to avoid duplicate log warning
- [#​39476](https://github.com/quarkusio/quarkus/pull/39476) - Fix the broken link to the OIDC client reference doc
- [#​39477](https://github.com/quarkusio/quarkus/pull/39477) - Adjust toggle names in OTel InstrumentBuildTimeConfig
- [#​39479](https://github.com/quarkusio/quarkus/issues/39479) - 3.9.0.CR2: NoClassDefFoundError: io/quarkus/security/spi/runtime/SecurityEvent
- [#​39480](https://github.com/quarkusio/quarkus/pull/39480) - Fix security spi dependency on OTel
- [#​39487](https://github.com/quarkusio/quarkus/pull/39487) - Allow occasional pin events in ShouldNotPin
- [#​39491](https://github.com/quarkusio/quarkus/pull/39491) - Ignore the split access and refresh token cookies for resolving the tenant
- [#​39519](https://github.com/quarkusio/quarkus/issues/39519) - OpenTelemetry - respect proxy settings in VertxGrpcExporter and VertxHttpExporter
- [#​39522](https://github.com/quarkusio/quarkus/pull/39522) - Fix typos in rest doc
- [#​39530](https://github.com/quarkusio/quarkus/pull/39530) - Update profile section in building-native-image.adoc
- [#​39531](https://github.com/quarkusio/quarkus/pull/39531) - Use SmallRye Commons Inet
- [#​39533](https://github.com/quarkusio/quarkus/issues/39533) - Class loader leak in configuration
- [#​39536](https://github.com/quarkusio/quarkus/pull/39536) - Bump org.postgresql:postgresql from 42.7.2 to 42.7.3
- [#​39541](https://github.com/quarkusio/quarkus/pull/39541) - Update SmallRye Config to 3.7.1
- [#​39543](https://github.com/quarkusio/quarkus/pull/39543) - Enable proxy configuration for OpenTelemetry exporters
- [#​39562](https://github.com/quarkusio/quarkus/pull/39562) - Bump io.smallrye.config:smallrye-config-source-yaml from 3.7.0 to 3.7.1 in /devtools/gradle
### [`v3.8.3`](https://github.com/quarkusio/quarkus/releases/tag/3.8.3)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.8.2...3.8.3)
##### Complete changelog
- [#​25453](https://github.com/quarkusio/quarkus/issues/25453) - Mutiny is not compatible with quarkus opentelemetry
- [#​31497](https://github.com/quarkusio/quarkus/issues/31497) - Enabled micrometer.binder.http-server should also capture parameterized sub-resources
- [#​39047](https://github.com/quarkusio/quarkus/issues/39047) - Reactive pg datasource with enabled health check opens more connections than configured
- [#​39145](https://github.com/quarkusio/quarkus/issues/39145) - Hibernate schema validation is flaky and fails due missing tables (while the tables are present)
- [#​39162](https://github.com/quarkusio/quarkus/pull/39162) - Add mapping to a Map\<String, ConfigObject> in the documentation
- [#​39178](https://github.com/quarkusio/quarkus/pull/39178) - Update grpc-service-implementation.adoc
- [#​39192](https://github.com/quarkusio/quarkus/pull/39192) - Make HTTP templates for observability work with subresources
- [#​39197](https://github.com/quarkusio/quarkus/issues/39197) - Qute is not adding the right NativeImageResourceBuildItem when using a custom template root
- [#​39204](https://github.com/quarkusio/quarkus/issues/39204) - Update partial extension names to include full extension names
- [#​39216](https://github.com/quarkusio/quarkus/pull/39216) - Unwrap processing exception from REST Client when returning a Uni
- [#​39223](https://github.com/quarkusio/quarkus/pull/39223) - Fix WithSpan uni and multi
- [#​39225](https://github.com/quarkusio/quarkus/pull/39225) - Upgrade to Mutiny 2.5.8
- [#​39242](https://github.com/quarkusio/quarkus/issues/39242) - e quarkus-azure-functions-http generationg function.json with missing method.
- [#​39245](https://github.com/quarkusio/quarkus/issues/39245) - dev-ui shows wrong property for rest-client
- [#​39251](https://github.com/quarkusio/quarkus/pull/39251) - Make mutiny version of pool use the already configured vertx pool
- [#​39252](https://github.com/quarkusio/quarkus/pull/39252) - Explicitly set all HTTP methods for Azure Functions
- [#​39255](https://github.com/quarkusio/quarkus/pull/39255) - Fix config key for dev-ui
- [#​39257](https://github.com/quarkusio/quarkus/issues/39257) - Quarkus 3.8.1: Use GraalVM sdk 23.1.2 over 23.0.1
- [#​39260](https://github.com/quarkusio/quarkus/pull/39260) - Bump GraalVM SDK version to 23.1.2
- [#​39265](https://github.com/quarkusio/quarkus/pull/39265) - Properly support sending InputStream in REST Client
- [#​39266](https://github.com/quarkusio/quarkus/issues/39266) - ./mvnw --file $(pwd)/./pom.xml broken since quarkus 3.7.1
- [#​39270](https://github.com/quarkusio/quarkus/issues/39270) - Update the title of dev-ui.adoc
- [#​39271](https://github.com/quarkusio/quarkus/pull/39271) - Update the title of dev-ui.adoc and fix minor typos
- [#​39294](https://github.com/quarkusio/quarkus/pull/39294) - Qute: add correct NativeImageResourceBuildItem for custom template root
- [#​39309](https://github.com/quarkusio/quarkus/pull/39309) - Normalize POM path
- [#​39310](https://github.com/quarkusio/quarkus/issues/39310) - Wrong reference on list of injected beans
- [#​39311](https://github.com/quarkusio/quarkus/pull/39311) - Be more consistent with extension names in datasource.adoc
- [#​39316](https://github.com/quarkusio/quarkus/issues/39316) - Empty container-group not allowed in Quarkus 3.8.2
- [#​39319](https://github.com/quarkusio/quarkus/pull/39319) - org.graalvm.js:js was renamed to org.graalvm.polyglot:js-community
- [#​39337](https://github.com/quarkusio/quarkus/pull/39337) - Fix rest-client-mutiny mention in the docs
- [#​39350](https://github.com/quarkusio/quarkus/issues/39350) - Exception when building application with a lot of dependencies, String too large to record error
- [#​39352](https://github.com/quarkusio/quarkus/pull/39352) - Make Hibernate / Micrometer integration run after schema creation
- [#​39353](https://github.com/quarkusio/quarkus/pull/39353) - Allow config empty values in the Gradle worker
- [#​39354](https://github.com/quarkusio/quarkus/pull/39354) - Add note about pre-matching filters execution model
- [#​39368](https://github.com/quarkusio/quarkus/issues/39368) - Submodule on second level fails to find itself in dev mode
- [#​39372](https://github.com/quarkusio/quarkus/pull/39372) - Replace `org.graalvm.sdk:graal-sdk` dependency with `org.graalvm.sdk:nativeimage`
- [#​39379](https://github.com/quarkusio/quarkus/pull/39379) - Bump org.apache.commons:commons-compress from 1.26.0 to 1.26.1
- [#​39383](https://github.com/quarkusio/quarkus/pull/39383) - Typo at OIDC Client Mutual TLS config properties
- [#​39386](https://github.com/quarkusio/quarkus/pull/39386) - Update to Brotli4J 1.16.0
- [#​39402](https://github.com/quarkusio/quarkus/pull/39402) - ArC: fix creation of synthetic beans
- [#​39411](https://github.com/quarkusio/quarkus/pull/39411) - Fix typo in Building my first extension
- [#​39418](https://github.com/quarkusio/quarkus/pull/39418) - Use the value of project/default-codestart from the platform descriptor as the default codestart instead of a hardcoded value
- [#​39430](https://github.com/quarkusio/quarkus/pull/39430) - Fix misleading error message when REST Client interface has been indexed
- [#​39434](https://github.com/quarkusio/quarkus/pull/39434) - Qute: fix the NoRestartTemplatesDevModeTest on Windows
- [#​39437](https://github.com/quarkusio/quarkus/pull/39437) - Make sure the current project location isn't overridden by other modules with the same groupId and artifactId
- [#​39440](https://github.com/quarkusio/quarkus/issues/39440) - graal-sdk in 23.1.x brings in `org.graalvm.polyglot` which causes a couple of issues (wrap up)
- [#​39442](https://github.com/quarkusio/quarkus/pull/39442) - Exclude org.graalvm.polyglot:polyglot from graal-sdk
### [`v3.8.2`](https://github.com/quarkusio/quarkus/releases/tag/3.8.2)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.8.1...3.8.2)
##### Complete changelog
- [#​19849](https://github.com/quarkusio/quarkus/issues/19849) - Reactive rest client invoke MessageBodyReader.isReadable with null value of annotations parameter
- [#​27999](https://github.com/quarkusio/quarkus/issues/27999) - quarkus.datasource."datasource-name".jdbc.min-size not honored if max-lifetime is set
- [#​35993](https://github.com/quarkusio/quarkus/issues/35993) - Event-loop thread blocked when connecting to an unavailable OIDC server
- [#​37984](https://github.com/quarkusio/quarkus/issues/37984) - Custom SecretsKeyHandler not found after update to 3.6.4
- [#​38007](https://github.com/quarkusio/quarkus/issues/38007) - Failure to resolve encrypted configuration properties with the Gradle plugin
- [#​38392](https://github.com/quarkusio/quarkus/issues/38392) - Application.properties string substitution does not work when using gradle variables
- [#​38424](https://github.com/quarkusio/quarkus/issues/38424) - application-test.yml is not utilized during tests executed during gradle build
- [#​38435](https://github.com/quarkusio/quarkus/pull/38435) - Fix CLI not recognizing installed plugins
- [#​38900](https://github.com/quarkusio/quarkus/pull/38900) - Bump Smallrye Reactive Messaging from 4.16.2 to 4.17.0
- [#​38971](https://github.com/quarkusio/quarkus/pull/38971) - Clarify that `quarkus.profile` cannot be set from a profile aware file
- [#​38988](https://github.com/quarkusio/quarkus/pull/38988) - Do not expand configuration for Gradle cache
- [#​38989](https://github.com/quarkusio/quarkus/issues/38989) - cert chain public key resolver thumbprints
- [#​39001](https://github.com/quarkusio/quarkus/pull/39001) - Update to Vert.x 4.5.4 and Netty 4.1.107
- [#​39021](https://github.com/quarkusio/quarkus/pull/39021) - Upgrade to testcontainers 1.19.6
- [#​39023](https://github.com/quarkusio/quarkus/pull/39023) - Remove selector field from generated Job manifest in docs
- [#​39041](https://github.com/quarkusio/quarkus/issues/39041) - JAX-RS seeOther does not work with IPv6
- [#​39046](https://github.com/quarkusio/quarkus/pull/39046) - Make sure Response and RestResponse work properly with IPv6 addresses
- [#​39057](https://github.com/quarkusio/quarkus/pull/39057) - Skip analysis of plugin executions with phases post quarkus:dev preparing for dev mode launch
- [#​39059](https://github.com/quarkusio/quarkus/issues/39059) - Exception in blocking graphql query is wrapped
- [#​39063](https://github.com/quarkusio/quarkus/pull/39063) - Fix the OIDC token verification failure with the inlined cert chain
- [#​39067](https://github.com/quarkusio/quarkus/pull/39067) - Updates to Infinispan 14.0.25.Final
- [#​39068](https://github.com/quarkusio/quarkus/pull/39068) - Optionally run DNS lookup for OIDC server requests on worker thread
- [#​39069](https://github.com/quarkusio/quarkus/pull/39069) - Do not fail UPX if compression level is not given
- [#​39070](https://github.com/quarkusio/quarkus/pull/39070) - Doc: add Pulsar in Dev Services Overview
- [#​39072](https://github.com/quarkusio/quarkus/pull/39072) - Update to Agroal 2.3
- [#​39078](https://github.com/quarkusio/quarkus/pull/39078) - Unwrap actual GraphQL data fetching exception if it is wrapped
- [#​39093](https://github.com/quarkusio/quarkus/pull/39093) - Fix cross-references in the Vert.x Reference Guide
- [#​39094](https://github.com/quarkusio/quarkus/pull/39094) - Emphasize the need to add quarkus-junit5-mockito as a dependency to use mock injection
- [#​39102](https://github.com/quarkusio/quarkus/pull/39102) - Properly pass annotations to MessageBodyReader in REST Client
- [#​39120](https://github.com/quarkusio/quarkus/issues/39120) - Startup fails with Kafka Stream if topics for topics check not defined when check is disabled
- [#​39121](https://github.com/quarkusio/quarkus/pull/39121) - Do not fail on resolve kafka streams topics when topics check disabled
- [#​39122](https://github.com/quarkusio/quarkus/pull/39122) - Use bcrypt password mapper in elytron-security-jdbc docs
- [#​39123](https://github.com/quarkusio/quarkus/issues/39123) - Quarkus Dev Services passes wrong volume path to Docker on Windows
- [#​39130](https://github.com/quarkusio/quarkus/issues/39130) - When building images with jib the fast-jar-lib layer is always changed
- [#​39136](https://github.com/quarkusio/quarkus/pull/39136) - Fix wrong volume host path being used on Windows
- [#​39147](https://github.com/quarkusio/quarkus/pull/39147) - Keep the timestamps when copying jars and building JIB layers
- [#​39160](https://github.com/quarkusio/quarkus/pull/39160) - Fail on conflicting deployment kinds
- [#​39168](https://github.com/quarkusio/quarkus/pull/39168) - Remove misleading note from jacoco.enabled
- [#​39169](https://github.com/quarkusio/quarkus/issues/39169) - Unable to produce multiple synthetic beans of same type having different identifiers
- [#​39179](https://github.com/quarkusio/quarkus/pull/39179) - Allow setting the SettingsDecrypter when initializing a Maven artifact resolver
- [#​39181](https://github.com/quarkusio/quarkus/pull/39181) - ArC: fix BeanConfiguratorBase#read()
- [#​39201](https://github.com/quarkusio/quarkus/pull/39201) - Bump quarkus-http.version from 5.2.0.Final to 5.2.1.Final
- [#​39203](https://github.com/quarkusio/quarkus/pull/39203) - Fix typo in testing Getting Started guide example
### [`v3.8.1`](https://github.com/quarkusio/quarkus/releases/tag/3.8.1)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.8.0...3.8.1)
##### Complete changelog
- [#​5314](https://github.com/quarkusio/quarkus/issues/5314) - Subresouce init resource failed when using `ResourceContext.getResource`
- [#​36427](https://github.com/quarkusio/quarkus/issues/36427) - Keycloak admin client fail with "authHeader" is null when using classic extensions
- [#​37065](https://github.com/quarkusio/quarkus/issues/37065) - Azure Functions Http: missing HTTP method definitions for delete and patch
- [#​37779](https://github.com/quarkusio/quarkus/issues/37779) - No healthcheck for default Agroal datasource if `quarkus.datasource.db-kind` is not set
- [#​37962](https://github.com/quarkusio/quarkus/issues/37962) - Can't specify custom quarkus.profile when running tests
- [#​38557](https://github.com/quarkusio/quarkus/issues/38557) - Overwriting application configuration does not work with .env File
- [#​38798](https://github.com/quarkusio/quarkus/issues/38798) - Using custom header in REST client together with `@NotBody` annotated argument results in warning from EndpointIndexer
- [#​38880](https://github.com/quarkusio/quarkus/issues/38880) - CronJob deployment doesn't work due to `selector` field
- [#​38881](https://github.com/quarkusio/quarkus/pull/38881) - Remove selector field if it's empty from manifest
- [#​38891](https://github.com/quarkusio/quarkus/pull/38891) - Reduce message log level
- [#​38895](https://github.com/quarkusio/quarkus/pull/38895) - Make VertxGrpcExporter more robust
- [#​38899](https://github.com/quarkusio/quarkus/pull/38899) - Fix Keycloak Admin Client Classic when used with the RESTEasy JSON-B and REST Client JSON-B extensions
- [#​38901](https://github.com/quarkusio/quarkus/issues/38901) - OidcProvider throws NPE when certificate chain is configured with OIDC server which has no JWK keys at the startup
- [#​38909](https://github.com/quarkusio/quarkus/pull/38909) - Bump org.postgresql:postgresql from 42.7.1 to 42.7.2
- [#​38923](https://github.com/quarkusio/quarkus/pull/38923) - Allow all HTTP methods in Azure functions
- [#​38925](https://github.com/quarkusio/quarkus/pull/38925) - Improve shutdown of VertxHttpExporter and VertxGrpcExporter
- [#​38927](https://github.com/quarkusio/quarkus/pull/38927) - Use supplier in order to properly have mutiny retry
- [#​38928](https://github.com/quarkusio/quarkus/issues/38928) - quarkus-quartz: CDIAwareJob destroys instance of Quartz Job too early when Job is a `@Dependent` bean
- [#​38932](https://github.com/quarkusio/quarkus/pull/38932) - Fix NPE when OIDC token must be verified with the chain with OIDC server returning no JWKs
- [#​38934](https://github.com/quarkusio/quarkus/issues/38934) - Agroal Data Source Health check failing for reactive data source
- [#​38935](https://github.com/quarkusio/quarkus/pull/38935) - Upgrade to Mutiny 2.5.7
- [#​38938](https://github.com/quarkusio/quarkus/pull/38938) - Propagate user.dir to Gradle worker
- [#​38944](https://github.com/quarkusio/quarkus/pull/38944) - Bump smallrye-open-api.version from 3.9.0 to 3.10.0
- [#​38949](https://github.com/quarkusio/quarkus/issues/38949) - Postgresql bump causing detection of instance Random/SplittableRandom
- [#​38952](https://github.com/quarkusio/quarkus/issues/38952) - Properly pass errors from JsonRPC backends to Dev UI
- [#​38953](https://github.com/quarkusio/quarkus/pull/38953) - Unwrap the actual failure from JsonRPC if it's wrapped
- [#​38955](https://github.com/quarkusio/quarkus/pull/38955) - Try to get more disk space
- [#​38957](https://github.com/quarkusio/quarkus/pull/38957) - Quartz - fix `@Dependent` job creation/destruction when there is a re-fire
- [#​38958](https://github.com/quarkusio/quarkus/pull/38958) - Runtime reinitialize org.postgresql.util.PasswordUtil$SecureRandomHolder
- [#​38959](https://github.com/quarkusio/quarkus/pull/38959) - Agroal - Only generate health checks for JDBC datasources
- [#​38978](https://github.com/quarkusio/quarkus/pull/38978) - Bump org.mariadb.jdbc:mariadb-java-client from 3.3.2 to 3.3.3
- [#​38979](https://github.com/quarkusio/quarkus/pull/38979) - Propagate quarkus.test.profile to Gradle worker
- [#​38986](https://github.com/quarkusio/quarkus/pull/38986) - Add missing brace in property expression
- [#​38990](https://github.com/quarkusio/quarkus/issues/38990) - Quarkus 3.7.4 java.lang.ClassNotFoundException when running devsevices with gradle
- [#​38995](https://github.com/quarkusio/quarkus/pull/38995) - Take client methods into account in server endpoint indexer
- [#​38997](https://github.com/quarkusio/quarkus/pull/38997) - Add hint about exporter collector protocol on generic gRPC error
- [#​38999](https://github.com/quarkusio/quarkus/pull/38999) - Remove JetBrains `@Nullable` from RESTEasy Reactive code
- [#​39006](https://github.com/quarkusio/quarkus/pull/39006) - Bump Keycloak version to 23.0.7
- [#​39020](https://github.com/quarkusio/quarkus/pull/39020) - Make VertxHttpExporter more robust
- [#​39022](https://github.com/quarkusio/quarkus/issues/39022) - `JAVA_APP_DIR` should be set for container images
- [#​39024](https://github.com/quarkusio/quarkus/pull/39024) - Set JAVA_APP_DIR env var when necessary
- [#​39028](https://github.com/quarkusio/quarkus/pull/39028) - Make Sub Resources unremovable beans
- [#​39029](https://github.com/quarkusio/quarkus/pull/39029) - Update to Brotli 1.14.0
- [#​39031](https://github.com/quarkusio/quarkus/pull/39031) - Add commons-codec to Dev Services dependencies
### [`v3.8.0`](https://github.com/quarkusio/quarkus/releases/tag/3.8.0)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.7.4...3.8.0)
##### Complete changelog
- [#​35686](https://github.com/quarkusio/quarkus/issues/35686) - Sporadic "Failed to export spans. The request could not be executed. Full error message: Stream was closed"
### [`v3.7.4`](https://github.com/quarkusio/quarkus/releases/tag/3.7.4)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.7.3...3.7.4)
##### Complete changelog
- [#​37608](https://github.com/quarkusio/quarkus/issues/37608) - gRPC starter app is using legacy approach, single HTTP server should be used instead
- [#​38236](https://github.com/quarkusio/quarkus/issues/38236) - Adding a decorator causes bytecode error
- [#​38504](https://github.com/quarkusio/quarkus/issues/38504) - NPE on oidc-client when quarkus.oidc-client.grant-options.password.password not provided
- [#​38533](https://github.com/quarkusio/quarkus/issues/38533) - 'Unable to find a JDBC driver' for Hibernate Reactive after updating to 3.7.1
- [#​38683](https://github.com/quarkusio/quarkus/issues/38683) - Build time performance regression and bigger native binaries when migrating from 3.5 to 3.6 or 3.7
- [#​38688](https://github.com/quarkusio/quarkus/pull/38688) - Making sure deployment modules excluded in POM files aren't pulled in by the Gradle plugin
- [#​38721](https://github.com/quarkusio/quarkus/issues/38721) - Java 21: `@VirtualThreadUnit` produces very slow tests
- [#​38763](https://github.com/quarkusio/quarkus/issues/38763) - Enable an injection of the OIDC code flow access token verificaton material
- [#​38767](https://github.com/quarkusio/quarkus/pull/38767) - Fail early if OIDC client password grant is misconfigured
- [#​38771](https://github.com/quarkusio/quarkus/pull/38771) - Adds an implementation note about `@VirtualThreadUnit` limitations
- [#​38775](https://github.com/quarkusio/quarkus/pull/38775) - Use the right MongoDB ClientSession interface
- [#​38776](https://github.com/quarkusio/quarkus/issues/38776) - OidcRequestFilter with OidcEndpoint applied to all endpoints
- [#​38777](https://github.com/quarkusio/quarkus/issues/38777) - OIDC Code flow access token verification goes ahead even if the ID token verification has failed
- [#​38779](https://github.com/quarkusio/quarkus/pull/38779) - Fix OidcEndpoint annotation processing
- [#​38784](https://github.com/quarkusio/quarkus/pull/38784) - Fix guide URL in RESTEasy Client extension
- [#​38785](https://github.com/quarkusio/quarkus/pull/38785) - ArC: fix interception when some methods return void
- [#​38798](https://github.com/quarkusio/quarkus/issues/38798) - Using custom header in REST client together with `@NotBody` annotated argument results in warning from EndpointIndexer
- [#​38800](https://github.com/quarkusio/quarkus/pull/38800) - Don't warn about `@NotBody` use in `@GET` methods in REST Client
- [#​38802](https://github.com/quarkusio/quarkus/issues/38802) - Multipart form data is interpreted as a file although it's not a file
- [#​38803](https://github.com/quarkusio/quarkus/issues/38803) - OIDC server is erroneously shown as not available
- [#​38810](https://github.com/quarkusio/quarkus/pull/38810) - Expand types which are considered text in multipart handling
- [#​38815](https://github.com/quarkusio/quarkus/issues/38815) - Support security identity propagation in VT
- [#​38816](https://github.com/quarkusio/quarkus/pull/38816) - Propagate Vert.x context on all ExecutorService methods for VirtualThreadExecutor
- [#​38817](https://github.com/quarkusio/quarkus/issues/38817) - Mocking Singleton does not work even when using `@MockitoConfig`(convertScopes = true) - Bean produced from factory method
- [#​38818](https://github.com/quarkusio/quarkus/pull/38818) - Allow `RunAndCheckMojoTestBase` subclasses to override how much memory extension tests are allowed
- [#​38819](https://github.com/quarkusio/quarkus/pull/38819) - Add response text to the OIDC bootstrap log errors
- [#​38821](https://github.com/quarkusio/quarkus/pull/38821) - Configure SISU bean filtering for the bootstrap Maven resolver
- [#​38824](https://github.com/quarkusio/quarkus/issues/38824) - Memory leak when using FT Fallback with dependent beans
- [#​38833](https://github.com/quarkusio/quarkus/issues/38833) - Keycloak Admin Client Reactive error id: [`9009f9b`](https://github.com/quarkusio/quarkus/commit/9009f9b4)-1d58-4011-9ff2-49b87bb59ddd-1: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "authHeader" is null
- [#​38836](https://github.com/quarkusio/quarkus/pull/38836) - Fix Keycloak Admin Client Reactive Jackson reader provider priority so that the client can work when the JSONB REST client extension is present
- [#​38837](https://github.com/quarkusio/quarkus/issues/38837) - Quarkus create new project fails when -DnoCode is used and artifactId is not set properly
- [#​38843](https://github.com/quarkusio/quarkus/pull/38843) - Check the code flow access token after ID token
- [#​38844](https://github.com/quarkusio/quarkus/pull/38844) - Fix copy/paste typo
- [#​38849](https://github.com/quarkusio/quarkus/pull/38849) - Ensure that generated project GAV is always set
- [#​38851](https://github.com/quarkusio/quarkus/issues/38851) - Kafka integration tests fail with latest Mandrel/GraalVM 24.1-dev builds
- [#​38853](https://github.com/quarkusio/quarkus/pull/38853) - \[3.7] Perform security checks on inherited endpoints before payload deserialization in the RESTEasy Reactive
- [#​38855](https://github.com/quarkusio/quarkus/pull/38855) - Make registration of OAuthBearerValidatorCallbackHandler conditional
- [#​38858](https://github.com/quarkusio/quarkus/pull/38858) - Testing: fix `@MockitoConfig`(convertScopes=true) with auto-producers
- [#​38859](https://github.com/quarkusio/quarkus/pull/38859) - Fix warning when launching dev mode specifying quarkus-maven-plugin GAV on the command line
- [#​38865](https://github.com/quarkusio/quarkus/pull/38865) - Update commons-compress version to mitigate CVE-2024-25710
- [#​38866](https://github.com/quarkusio/quarkus/issues/38866) - Sporadic error in custom readiness check using `keycloak-admin-client`: `IllegalStateException: Client is closed`
- [#​38868](https://github.com/quarkusio/quarkus/pull/38868) - Add config flag to disable jacoco
- [#​38882](https://github.com/quarkusio/quarkus/pull/38882) - Quartz - prevent memory leak when Job instance is a `@Dependent` bean
- [#​38886](https://github.com/quarkusio/quarkus/pull/38886) - Ignore `ValidationSchema` that results in registering all models
- [#​38888](https://github.com/quarkusio/quarkus/pull/38888) - SmallRye Health: terminate request context properly
- [#​38889](https://github.com/quarkusio/quarkus/issues/38889) - Kafka reactive messaging extension incompatible with Micrometer Prometheus extension for Quarkus 3.7.\*
- [#​38890](https://github.com/quarkusio/quarkus/pull/38890) - Log resolved OIDC tenant id and how the bearer token is found
- [#​38894](https://github.com/quarkusio/quarkus/pull/38894) - Disable messaging observation by default for backwards compatibility
- [#​38897](https://github.com/quarkusio/quarkus/pull/38897) - Attempt to fix flaky DependentBeanJobTest
### [`v3.7.3`](https://github.com/quarkusio/quarkus/releases/tag/3.7.3)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.7.2...3.7.3)
##### Complete changelog
- [#​36341](https://github.com/quarkusio/quarkus/issues/36341) - The API method KafkaStreams#cleanUp() is not applicable when use `@Produces` to build the topology
- [#​37091](https://github.com/quarkusio/quarkus/pull/37091) - Fix VertxGrpcExporter reponse status handling
- [#​37911](https://github.com/quarkusio/quarkus/pull/37911) - Store since JavaDoc tag in the configuration metadata, so that Quarkiverse projects can render it in their documentation if they like
- [#​38055](https://github.com/quarkusio/quarkus/issues/38055) - Make annotation app.quarkus.io/vcs-uri optional in Kubernetes extension
- [#​38079](https://github.com/quarkusio/quarkus/pull/38079) - Make OidcTestSecurityIdentityAugmentor faster by making privateKey's generation final and static
- [#​38196](https://github.com/quarkusio/quarkus/pull/38196) - Use Vert.x pool with Jackson
- [#​38477](https://github.com/quarkusio/quarkus/pull/38477) - Add disabled workflow to deploy snapshots in Quarkiverse extensions
- [#​38489](https://github.com/quarkusio/quarkus/issues/38489) - OIDC authentication.extra-params not added to dev-services auth request
- [#​38602](https://github.com/quarkusio/quarkus/issues/38602) - QuarkusComponentTest: `@TestConfigProperties` not applicable to method (override multiple config properties)
- [#​38607](https://github.com/quarkusio/quarkus/pull/38607) - Gradle: fix IllegalStateException when resolving project deps
- [#​38613](https://github.com/quarkusio/quarkus/issues/38613) - RabbitMQ Health Checks cannot be disabled from 3.7+
- [#​38615](https://github.com/quarkusio/quarkus/pull/38615) - Updates to Infinispan 14.0.24.Final
- [#​38619](https://github.com/quarkusio/quarkus/pull/38619) - Pass extra authentication params in the OIDC DevUI code flow redirect URL
- [#​38626](https://github.com/quarkusio/quarkus/pull/38626) - Bump org.junit.jupiter:junit-jupiter from 5.10.1 to 5.10.2
- [#​38650](https://github.com/quarkusio/quarkus/issues/38650) - UI doesn't work correct with umlauts
- [#​38653](https://github.com/quarkusio/quarkus/pull/38653) - Enforce Dev UI charset to UTF-8
- [#​38655](https://github.com/quarkusio/quarkus/pull/38655) - Allow for multiple TestConfigProperty annotations on methods
- [#​38656](https://github.com/quarkusio/quarkus/pull/38656) - Upgrade the Mutiny Vert.x bindings to 3.9.0
- [#​38658](https://github.com/quarkusio/quarkus/issues/38658) - Configure a REST Client ClientLogger vía CDI
- [#​38662](https://github.com/quarkusio/quarkus/pull/38662) - Bump io.smallrye.config:smallrye-config-source-yaml from 3.5.2 to 3.5.4 in /devtools/gradle
- [#​38663](https://github.com/quarkusio/quarkus/issues/38663) - ContainerRequestContext.getUriInfo().getMatchedURIs() IndexOutOfBoundsException
- [#​38664](https://github.com/quarkusio/quarkus/pull/38664) - Bump Smallrye RM from 4.16.0 to 4.16.1
- [#​38670](https://github.com/quarkusio/quarkus/pull/38670) - Make ClientLogger beans unremovable
- [#​38671](https://github.com/quarkusio/quarkus/pull/38671) - Redis Client: improve documentation for sentinel and cluster
- [#​38672](https://github.com/quarkusio/quarkus/pull/38672) - Remove WATCH Command in absence of Optimistic Locking
- [#​38673](https://github.com/quarkusio/quarkus/pull/38673) - Fix OidcRequestFiler typo in security docs
- [#​38674](https://github.com/quarkusio/quarkus/pull/38674) - Improve flaky test
- [#​38675](https://github.com/quarkusio/quarkus/pull/38675) - Correct example generated yaml in extension metadata docs
- [#​38676](https://github.com/quarkusio/quarkus/issues/38676) - OpenAPI does not fill roles in SecurityScheme in schema
- [#​38680](https://github.com/quarkusio/quarkus/pull/38680) - Log how Keycloak devservice maps resources
- [#​38681](https://github.com/quarkusio/quarkus/pull/38681) - Upgrade to Hibernate ORM 6.4.4.Final / bytebuddy 1.14.11
- [#​38686](https://github.com/quarkusio/quarkus/pull/38686) - Make GraphQL Metrics End when Exceptional
- [#​38692](https://github.com/quarkusio/quarkus/pull/38692) - Bump com.gradle:gradle-enterprise-maven-extension from 1.20 to 1.20.1
- [#​38693](https://github.com/quarkusio/quarkus/pull/38693) - Bump commons-codec:commons-codec from 1.16.0 to 1.16.1
- [#​38694](https://github.com/quarkusio/quarkus/pull/38694) - OpenAPI: remove check that avoids running auto-security at build
- [#​38703](https://github.com/quarkusio/quarkus/issues/38703) - RESTEasy Reactive Multipart struggles with non-file binary uploads
- [#​38705](https://github.com/quarkusio/quarkus/pull/38705) - Kafka Streams fire event after created and before scheduling the start
- [#​38706](https://github.com/quarkusio/quarkus/issues/38706) - Elasticsearch container reuse creates a new container on each run
- [#​38709](https://github.com/quarkusio/quarkus/pull/38709) - Don't provide empty paths when using a root prefix
- [#​38710](https://github.com/quarkusio/quarkus/pull/38710) - Avoid Vert.x GraphQL deprecation warning
- [#​38712](https://github.com/quarkusio/quarkus/pull/38712) - Bump Smallrye RM from 4.16.1 to 4.16.2
- [#​38713](https://github.com/quarkusio/quarkus/pull/38713) - Only configure shared network for Elasticsearch/OpenSearch containers where necessary
- [#​38714](https://github.com/quarkusio/quarkus/pull/38714) - Don't assume that multipart part without filename is always text
- [#​38728](https://github.com/quarkusio/quarkus/pull/38728) - Encode Kafka messages with UTF8
- [#​38730](https://github.com/quarkusio/quarkus/issues/38730) - Accept-Header in hibernate validator's ResteasyReactiveLocaleResolver is resolved case-sensitive
- [#​38732](https://github.com/quarkusio/quarkus/issues/38732) - Quarkus should still allow to create project with Java 11 (for older streams and other platforms)
- [#​38733](https://github.com/quarkusio/quarkus/pull/38733) - Allow Java 11 as LTS for older streams and other platforms
- [#​38738](https://github.com/quarkusio/quarkus/pull/38738) - Make accept header check in validation case insensitive
- [#​38748](https://github.com/quarkusio/quarkus/pull/38748) - Sanitize app.dekorate.io/vcs-url kubernetes annotation
- [#​38755](https://github.com/quarkusio/quarkus/pull/38755) - Log when a RestEasy Reactive client close method is called
- [#​38756](https://github.com/quarkusio/quarkus/pull/38756) - Bump Keycloak version to 23.0.6
- [#​38760](https://github.com/quarkusio/quarkus/pull/38760) - Set COMPILE_ONLY flag on relevant dependencies that appear on DEPLOYMENT_CP and RUNTIME_CP
### [`v3.7.2`](https://github.com/quarkusio/quarkus/releases/tag/3.7.2)
[Compare Source](https://github.com/quarkusio/quarkus/compare/3.7.1...3.7.2)
##### Complete changelog
- [#​37807](https://github.com/quarkusio/quarkus/issues/37807) - SSL requests hang when returning a CompletableFuture
- [#​38101](https://github.com/quarkusio/quarkus/issues/38101) - smallrye-openapi property `oidc-open-id-connect-url` might not be fixed at build time
- [#​38231](https://github.com/quarkusio/quarkus/pull/38231) - OpenAPI: Always run OpenIDConnectSecurityFilter at runtime
- [#​38310](https://github.com/quarkusio/quarkus/pull/38310) - Add note about the two quarkus-extension files
- [#​38394](https://github.com/quarkusio/quarkus/issues/38394) - quarkus-cache: "keyGenerator" destroyed, even if it is annotated with "Singleton"
- [#​38397](https://github.com/quarkusio/quarkus/pull/38397) - Use actions/setup-java GPG key feature
- [#​38411](https://github.com/quarkusio/quarkus/pull/38411) - Cache: only dependent CacheKeyGenerator beans are destroyed after use
- [#​38422](https://github.com/quarkusio/quarkus/issues/38422) - nested configurations in extension: sub-property is seen as nested entity.
- [#​38431](https://github.com/quarkusio/quarkus/issues/38431) - `quarkus.oidc-token-propagation-reactive.enabled-during-authentication` does not work correctly in the code flow
- [#​38442](https://github.com/quarkusio/quarkus/pull/38442) - Make sure the code flow access token is propagated during the authentication
- [#​38444](https://github.com/quarkusio/quarkus/pull/38444) - Fix request hanging condition
- [#​38451](https://github.com/quarkusio/quarkus/issues/38451) - Remove workaround for HHH-17683 in Panache
- [#​38479](https://github.com/quarkusio/quarkus/issues/38479) - Stricter and false positive env variables validation after upgrade to 3.7.0
- [#​38483](https://github.com/quarkusio/quarkus/pull/38483) - Add a tool to check cross references
- [#​38488](https://github.com/quarkusio/quarkus/pull/38488) - Update to Vert.x 4.5.2
- [#​38495](https://github.com/quarkusio/quarkus/pull/38495) - Add org.graalvm.regex:regex to runnerParentFirstArtifacts
- [#​38499](https://github.com/quarkusio/quarkus/issues/38499) - Alpn property not work in rest client reactive
- [#​38500](https://github.com/quarkusio/quarkus/pull/38500) - Make quarkus.rest-client.alpn work in programmatically created client
- [#​38506](https://github.com/quarkusio/quarkus/issues/38506) - lombok warning when building with 3.7.1
- [#​38514](https://github.com/quarkusio/quarkus/issues/38514) - Alpn property not work for single rest client reactive
- [#​38516](https://github.com/quarkusio/quarkus/pull/38516) - Add missing alpn config key handling from named config
- [#​38521](https://github.com/quarkusio/quarkus/issues/38521) - Panache sorting no longer works for embedded fields in Quarkus 3.7.1
- [#​38525](https://github.com/quarkusio/quarkus/pull/38525) - Fix typo in RedisClientConfig JavaDoc
- [#​38527](https://github.com/quarkusio/quarkus/pull/38527) - Revert "Escape column names with backticks in order by clause of hql query"
- [#​38543](https://github.com/quarkusio/quarkus/issues/38543) - LinksProcessor ID field error for native class HalCollectionWrapper
- [#​38545](https://github.com/quarkusio/quarkus/issues/38545) - Enhance Adding extension section in cli-tooling documentation page
- [#​38546](https://github.com/quarkusio/quarkus/pull/38546) - Add globbing pattern to cli-tooling.adoc
- [#​38548](https://github.com/quarkusio/quarkus/pull/38548…
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #39717
This PR avoids enforcing the code flow access token
JsonWebTokenis the application code does not use it.Just to summarize, with the authorization code flow, ID token is always verified. But the code flow access token is verified optionally because it is not used for the local security decisions, unless the user requests with
quarkus.oidc.authentication.verify-access-token=true. Bearer access tokens are always verified or it is expected to contain the roles.We made, IMHO, a good hardening fix with #39458, which will minimize the risk of the user code working with the unverified code flow access tokens and making some decisions, by forgetting to request its verification. This feature has been requested a few times, Paulo was asling about it. We just have to be careful because some access tokens are binary ones, from Google, etc, which can not be verified without the user enabling the indirect user info verification which may not always work. In fact I already enabled it by default awhile back and had to immediately revert it for this reason.
So the fix from Michal is much better - we enable it if we detect the user code has an intention to use the code flow JWT access token but it picks up
JsonWebTokenfrom smallrye-jwt.So this PR filters out smallrye-jwt and the OIDC token propagation, the only known OIDC related dependencies that have
JsonWebTokeninjected. smallrye-jwt has a producer which may not be used at all in the application code, and the OIDC token propagation (resteasy based one) has a feature related toJsonWebToken, if it is available.We can still imagine some custom producers working with
JsonWebToken- but in that case the users will have a control around it - and remove the dependency if they don't needJsonWebTokenin the code. And if really necessary, they can disable the verification withquarkus.oidc.authentication.verify-access-token=false, IMHO we should try to keep the hardening fix by all means.@pedroigor @gastaldi If @michalvavrik approves, then IMHO it is good to go, in which case, please approve if you don't have any other concerns, as #39717 is a 3.9.0 regression . We don't change the OIDC logic at all, only would like to enforce the code flow access token verification whenever possible