openid-connect, quarkus

Quarkus with OIDC and VertX static route not redirecting on token expiration


I have a super simple application that is used to serve static HTML files and leverage OIDC for access to these files.

What I'm seeing is that on first access Quarkus redirects the browser to the IDP (Keycloak) properly, I get the token, and all is good.

However, once the token expires I'm only given a 401 with no chance to re-login. I know it's not up to the Quarkus server side to refresh the token but why not another redirect to the IDP?

The parts that I believe are relevant - this is Quarkus 3.4.3 using Java 17. My application.properties contains:

quarkus.oidc.auth-server-url=https://auth.domain.tld/realms/realmname
quarkus.oidc.client-id=client_id
quarkus.oidc.credentials.secret=supersecret

quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated

quarkus.oidc.application-type=web-app

quarkus.oidc.token-state-manager.split-tokens=true

The last line is suggested by io.qua.oid.run.CodeAuthenticationMechanism (logged with package names limited to 3 chars) on startup.

I set up the static files with:

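import io.quarkus.vertx.web.Route;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.FileSystemAccess;
import io.vertx.ext.web.handler.StaticHandler;
import jakarta.enterprise.context.ApplicationScoped;
import org.eclipse.microprofile.config.inject.ConfigProperty;

@ApplicationScoped
public class StaticContentDeclarativeRoute {
    // Directory on disk that holds the static HTML files
    @ConfigProperty(name = "static.root.directory")
    String staticRootDirectory;

    // Serve every GET request from the static root; no directory listings, no hidden files
    @Route(path = "/*", methods = Route.HttpMethod.GET)
    void indexContent(RoutingContext routingContext) {
        StaticHandler.create(FileSystemAccess.ROOT, staticRootDirectory)
                .setDirectoryListing(false)
                .setIncludeHidden(false).handle(routingContext);
    }
}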

Lastly, the only other code is to help with logging:

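import io.quarkus.vertx.web.RouteFilter;
import io.vertx.ext.web.RoutingContext;
import jakarta.inject.Inject;
import org.jboss.logging.Logger;

public class VertexFilter {
    @Inject
    Logger logger;

    // Log the authenticated subject (or "unknown") and the requested path, then continue the chain
    @RouteFilter
    void routeFilter(RoutingContext routingContext) {
        logger.info("user \"" +
           (routingContext.user() == null ? "unknown" : routingContext.user().subject()) +
           "\" is accessing " + routingContext.normalizedPath() );

        routingContext.next();
    }
}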

Am I being naive to not have something more sophisticated on the front end to manage the tokens (i.e. something like this)? Is there a configuration parameter I'm missing that is the "redirect back to the IDP if the token is expired" parameter?

Thanks for your help.


Solution

  • I had the same behavior with Quarkus v3.4.3. I solved it by setting the property quarkus-oidc_quarkus.oidc.authentication.fail-on-missing-state-param to false (https://quarkus.io/version/3.2/guides/security-oidc-configuration-properties-reference#quarkus-oidc_quarkus.oidc.authentication.fail-on-missing-state-param).

    At the moment I am not sure why the state is missing. I checked the current Quarkus version and the property's default has changed to false (https://quarkus.io/guides/security-oidc-configuration-properties-reference#quarkus-oidc_quarkus.oidc.authentication.fail-on-missing-state-param).

    Edit: Was changed with the commit - https://github.com/quarkusio/quarkus/commit/29f169e7bdc7c27f2a2e26b92176c1189dfed2a3
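
The setting from the answer above, placed in the asker's application.properties, as an added example that is not part of the original posts. The key is written as it appears in the URL fragment of the linked reference after the `quarkus-oidc_` anchor prefix; all other values are the placeholders from the question.

```properties
# OIDC web-app (authorization code flow) configuration from the question
quarkus.oidc.auth-server-url=https://auth.domain.tld/realms/realmname
quarkus.oidc.client-id=client_id
quarkus.oidc.credentials.secret=supersecret
quarkus.oidc.application-type=web-app
quarkus.oidc.token-state-manager.split-tokens=true

# Every path requires an authenticated user
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated

# Setting reported in the answer to resolve the 401 on Quarkus 3.4.3.
# Per the answer, current Quarkus versions already default this to false,
# so the explicit line matters only on versions where the default is still true.
quarkus.oidc.authentication.fail-on-missing-state-param=false
```

The Quarkus reference entry for this property notes that returning 401 limits the risk of browser redirect loops, so after changing it, confirm with an expired session that the browser lands back on the requested page after a single round trip to the IDP.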