Skip to content

OpenID Connect: Respect the configured flow types if the server sends none#730

Open
Traderjoe95 wants to merge 4 commits intoeclipse-vertx:masterfrom
Traderjoe95:fix/respect-configured-grant-types
Open

OpenID Connect: Respect the configured flow types if the server sends none#730
Traderjoe95 wants to merge 4 commits intoeclipse-vertx:masterfrom
Traderjoe95:fix/respect-configured-grant-types

Conversation

@Traderjoe95
Copy link
Contributor

@Traderjoe95 Traderjoe95 commented Sep 4, 2025
edited
Loading

Motivation:

The OpenIDConnectAuth unconditionally resets the supportedGrantTypes of OAuth2Options to null. Therefore, the previously configured grant types are ignored and replaced by the default (implicit, auth_code). This triggers a configuration validation exception if no clientId is configured. In use cases that only need OAuth token validation functionality, this behavior is undesired, as they might never need a client ID.

This is fixed by only resetting supportedGrantTypes when the authentication server sends grant_types_supported on its own.

Fixes #729

Conformance:

You should have signed the Eclipse Contributor Agreement as explained in https://github.com/eclipse/vert.x/blob/master/CONTRIBUTING.md
Please also make sure you adhere to the code style guidelines: https://github.com/vert-x3/wiki/wiki/Vert.x-code-style-guidelines

@Traderjoe95 Traderjoe95 changed the title OpenID Connect: Honor supported grant types unless the server decides… OpenID Connect: Respect the configured flow types if the server sends none Sep 4, 2025
@vietj
Copy link
Member

vietj commented Sep 4, 2025

@Traderjoe95 can you add a test for this?

@Traderjoe95
Copy link
Contributor Author

Traderjoe95 commented Sep 5, 2025

@vietj sure, I'm working on it. It's been a bit of a hassle, but I'm getting to it.

There's one thing that just came to my mind, and I would like to get your opinion on this: When the user configures a set of supported flow types, and the server also sends a set, wouldn't it be better to use the intersection of both instead of overriding the previous configuration?

In this scenario, setting the supportedGrantTypes means "My application supports the following grant types". The server may specify which grant types it supports, so the resulting set of grant types agreed on by both parties would be the intersection. If it is empty, that would be an error.

If the user or server doesn't set any supported grant types, that means "I support all grant types", if both don't set anything, we fall back to the default.

What do you think? In my opinion that would allow more flexibility than just having the server override everything

@Traderjoe95
Copy link
Contributor Author

Traderjoe95 commented Sep 5, 2025

I will first push my tests for the original implementation, then in a second commit, I will update to my suggestion so it can be easily reverted if you don't like it

@Traderjoe95
Copy link
Contributor Author

Traderjoe95 commented Sep 5, 2025

I updated the code to the alternative solution I proposed earlier. Let me know what you think!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OpenIDConnectAuth.discover: Only reset supported grant types when the server sends it

2 participants

@Traderjoe95 @vietj