Skip to content

OpenID Connect: Respect the configured flow types if the server sends none #730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

OpenID Connect: Respect the configured flow types if the server sends none #730

wants to merge 4 commits into from

Conversation

@Traderjoe95
Copy link
Contributor

@Traderjoe95 Traderjoe95 commented Sep 4, 2025
edited
Loading

Motivation:

The OpenIDConnectAuth unconditionally resets the supportedGrantTypes of OAuth2Options to null. Therefore, the previously configured grant types are ignored and replaced by the default (implicit, auth_code). This triggers a configuration validation exception if no clientId is configured. In use cases that only need OAuth token validation functionality, this behavior is undesired, as they might never need a client ID.

This is fixed by only resetting supportedGrantTypes when the authentication server sends grant_types_supported on its own.

Fixes #729

Conformance:

You should have signed the Eclipse Contributor Agreement as explained in https://github.com/eclipse/vert.x/blob/master/CONTRIBUTING.md
Please also make sure you adhere to the code style guidelines: https://github.com/vert-x3/wiki/wiki/Vert.x-code-style-guidelines

@Traderjoe95 Traderjoe95 changed the title OpenID Connect: Honor supported grant types unless the server decides… OpenID Connect: Respect the configured flow types if the server sends none Sep 4, 2025
@vietj
Copy link
Member

vietj commented Sep 4, 2025

@Traderjoe95 can you add a test for this?

@Traderjoe95
Copy link
Contributor Author

@vietj sure, I'm working on it. It's been a bit of a hassle, but I'm getting to it.

There's one thing that just came to my mind, and I would like to get your opinion on this: When the user configures a set of supported flow types, and the server also sends a set, wouldn't it be better to use the intersection of both instead of overriding the previous configuration?

In this scenario, setting the supportedGrantTypes means "My application supports the following grant types". The server may specify which grant types it supports, so the resulting set of grant types agreed on by both parties would be the intersection. If it is empty, that would be an error.

If the user or server doesn't set any supported grant types, that means "I support all grant types", if both don't set anything, we fall back to the default.

What do you think? In my opinion that would allow more flexibility than just having the server override everything

@Traderjoe95
Copy link
Contributor Author

I will first push my tests for the original implementation, then in a second commit, I will update to my suggestion so it can be easily reverted if you don't like it

@Traderjoe95
Copy link
Contributor Author

I updated the code to the alternative solution I proposed earlier. Let me know what you think!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OpenIDConnectAuth.discover: Only reset supported grant types when the server sends it

2 participants

@Traderjoe95 @vietj