OpenID Connect: Respect the configured flow types if the server sends none

vertx-auth-oauth2/pom.xml

@@ -32,6 +32,18 @@
     <vertx.surefire.useModulePath>false</vertx.surefire.useModulePath>
   </properties>
 
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.testcontainers</groupId>
+        <artifactId>testcontainers-bom</artifactId>
+        <version>1.21.3</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>io.vertx</groupId>
@@ -50,9 +62,18 @@
     <dependency>
       <groupId>org.testcontainers</groupId>
       <artifactId>testcontainers</artifactId>
-      <version>1.18.0</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.testcontainers</groupId>
+      <artifactId>mockserver</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mock-server</groupId>
+      <artifactId>mockserver-client-java</artifactId>
+      <version>5.15.0</version>
+    </dependency>
   </dependencies>
 
   <profiles>

vertx-auth-oauth2/src/main/java/io/vertx/ext/auth/oauth2/providers/OpenIDConnectAuth.java

@@ -19,13 +19,18 @@
 import io.vertx.core.Future;
 import io.vertx.core.Vertx;
 import io.vertx.core.http.HttpMethod;
-import io.vertx.core.json.JsonArray;
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.auth.JWTOptions;
 import io.vertx.ext.auth.impl.http.SimpleHttpClient;
 import io.vertx.ext.auth.oauth2.OAuth2Auth;
 import io.vertx.ext.auth.oauth2.OAuth2Options;
 
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
 /**
  * Simplified factory to create an {@link io.vertx.ext.auth.oauth2.OAuth2Auth} for OpenID Connect.
  *
@@ -134,14 +139,39 @@ static Future<OAuth2Auth> discover(final Vertx vertx, final OAuth2Options config
           jwtOptions.setIssuer(json.getString("issuer"));
         }
 
-
-        // reset config
-        config.setSupportedGrantTypes(null);
-
         if (json.containsKey("grant_types_supported")) {
           // optional config
-          JsonArray flows = json.getJsonArray("grant_types_supported");
-          flows.forEach(el -> config.addSupportedGrantType((String) el));
+          List<String> configuredGrantTypes = config.getSupportedGrantTypes();
+          final Set<String> configured = configuredGrantTypes == null ? null : new HashSet<>(configuredGrantTypes);
+
+          // reset config
+          config.setSupportedGrantTypes(null);
+
+          Stream<String> supportedGrantTypes = json.getJsonArray("grant_types_supported")
+            .stream()
+            .map(el -> (String) el);
+
+          // If the caller configured supported grant types, use the intersection with the server-supported grant types.
+          // Otherwise, use all grant types that the server supports.
+          if (configured != null) {
+            supportedGrantTypes = supportedGrantTypes.filter(configured::contains);
+          }
+
+          supportedGrantTypes
+            .forEach(config::addSupportedGrantType);
+
+          // If the supported grant types are still null here, either the server sent an empty list of supported grant
+          // types or the intersection with the configured grant types was empty. Both cases are errors.
+          if (config.getSupportedGrantTypes() == null) {
+            return Future.failedFuture(
+              "No supported grant types with this authorization provider. Supported: " +
+                json.getJsonArray("grant_types_supported").stream()
+                  .map(el -> (String) el)
+                  .collect(Collectors.joining(", ", "[", "]")) +
+                ". Configured: " +
+                (configuredGrantTypes == null ? "<any>" : configuredGrantTypes.stream().collect(Collectors.joining(", ", "[", "]")))
+            );
+          }
         }
 
         try {