Add custom aud for OidcWireMock testing doc #43949

Open · wants to merge 1 commit into main

Conversation

douglas444 (Author)

As mentioned in this discussion, Quarkus now enforces that the ID token aud is set to the client id and because the OidcWiremock code was created earlier, the ID token granted sets the aud to https://id.server.example.com. Because of that, tests that use OidcWireMockTestResource will not work unless the aud is customized through the quarkus.oidc.token.audience property.

This PR updates the documentation to customize the audience used in the example for code-flow testing with OidcWireMock, making the example functional.

@quarkus-bot quarkus-bot bot added area/docstyle issues related for manual docstyle review area/documentation labels Oct 17, 2024

🎊 PR Preview 5c3944b has been successfully built and deployed to https://quarkus-pr-main-43949-preview.surge.sh/version/main/guides/



quarkus-bot bot commented Oct 17, 2024

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit a6745b0.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

@sberyozkin (Member)

Thanks @douglas444, I was thinking about it, and I wonder if we can just fix OidcWiremock instead to follow the OIDC spec requirement for the ID token's audience to be set to the client id.

I can't find anywhere how to use a POST url form encoded parameter like client_id in the response.

This code must be updated, I've tried:

```java
// Stub for the code-flow token exchange in OidcWiremockTestResource.
// The attempt: ask WireMock's response templating to substitute the
// client_id form parameter into the ID token's audience.
private void defineCodeFlowAuthorizationMockTokenStub() {
    server.stubFor(post("/auth/realms/quarkus/token")
            .withRequestBody(containing("authorization_code"))
            .willReturn(aResponse()
                    .withHeader("Content-Type", "application/json")
                    .withBody("{\n" +
                            "  \"access_token\": \""
                            + getAccessToken("alice", getAdminRoles()) + "\",\n" +
                            "  \"refresh_token\": \"07e08903-1263-4dd1-9fd1-4a59b0db5283\",\n" +
                            "  \"id_token\": \""
                            // the placeholder is passed into getIdToken, which signs and
                            // base64url-encodes it before the "response-template" transformer runs
                            + getIdToken("{{request.body.client_id}}", getAdminRoles())
                            + "\"\n" +
                            "}")
                    .withTransformers("response-template")));
}
```

replacing "alice" for a moment with "{{request.body.client_id}}", just to get integration-tests/oidc-wiremock to fail with a value like quarkus-web-app returned instead of alice: the tests are failing all right, but "{{request.body.client_id}}" is returned...

Can you experiment please, and try to find the way to refer to the client_id request parameter ?

douglas444 (Author) commented Oct 18, 2024

@sberyozkin I guess WireMock can't replace the placeholder because, when withBody is called, the {{request.body.client_id}} is already inside the base64-encoded string. To access the client_id value in this way, we would need to call getIdToken "lazily" somehow, meaning after withBody is called, maybe with Handlebars template helpers https://wiremock.org/docs/extensibility/adding-template-helpers/ ...

Anyway, yes, I will experiment and let you know when I find a solution! Thank you for the reply!

@sberyozkin (Member)

Thanks @douglas444, yeah, I forgot that the client id comes by default in the Basic scheme, while not everyone is using client post form authentication. Indeed, the only option is likely to be a custom transformer; have a look please.

sberyozkin (Member) commented Oct 18, 2024

That said, if requiring users to set the client post authentication option lets something like {{request.body.client_id}} pick up the client_id, then this PR can recommend it as an alternative to customizing the audience.
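The custom transformer the thread converges on, as an added illustration that is not part of this PR or of Quarkus' OidcWiremockTestResource: a hypothetical WireMock `ResponseDefinitionTransformer` that reads the `client_id` from the token request at response time, either from the `Basic` Authorization header (the Quarkus default, which is why a body lookup alone finds nothing) or from the `client_secret_post` form body, then mints the ID token with `aud` set to that value and substitutes it into the stubbed JSON. The class name, the `__ID_TOKEN__` placeholder, the transformer name, the issuer URL, the `alice` subject and the WireMock 2.x-style extension API are all assumptions; the private key passed in must be the one whose public half the test resource's JWKS stub serves, which this snippet does not set up.

```java
import com.github.tomakehurst.wiremock.client.ResponseDefinitionBuilder;
import com.github.tomakehurst.wiremock.common.FileSource;
import com.github.tomakehurst.wiremock.extension.Parameters;
import com.github.tomakehurst.wiremock.extension.ResponseDefinitionTransformer;
import com.github.tomakehurst.wiremock.http.Request;
import com.github.tomakehurst.wiremock.http.ResponseDefinition;
import io.smallrye.jwt.build.Jwt;

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.util.Base64;

/**
 * Hypothetical transformer (not Quarkus code): builds the ID token only once the
 * token request is known, so the audience can be the caller's real client_id.
 */
public class ClientIdAudienceTransformer extends ResponseDefinitionTransformer {

    public static final String NAME = "client-id-aud";          // assumed transformer name
    static final String ID_TOKEN_PLACEHOLDER = "__ID_TOKEN__";  // assumed marker left in the stub body
    static final String ISSUER = "https://server.example.com";  // assumed; must match quarkus.oidc.auth-server-url

    private final PrivateKey signingKey; // must match the public key served by the JWKS stub

    public ClientIdAudienceTransformer(PrivateKey signingKey) {
        this.signingKey = signingKey;
    }

    @Override
    public String getName() {
        return NAME;
    }

    @Override
    public boolean applyGlobally() {
        return false; // only stubs that opt in with .withTransformers(NAME)
    }

    @Override
    public ResponseDefinition transform(Request request, ResponseDefinition responseDefinition,
                                        FileSource files, Parameters parameters) {
        String clientId = extractClientId(request);
        if (clientId == null || responseDefinition.getBody() == null) {
            // No client authentication on the request: return the stub unchanged rather
            // than mint a token with a guessed audience.
            return responseDefinition;
        }
        String idToken = Jwt.claims()
                .issuer(ISSUER)
                .subject("alice")          // assumed test subject
                .audience(clientId)        // the OIDC Core requirement the thread is about
                .sign(signingKey);
        String body = responseDefinition.getBody().replace(ID_TOKEN_PLACEHOLDER, idToken);
        return ResponseDefinitionBuilder.like(responseDefinition).but().withBody(body).build();
    }

    /**
     * RFC 6749 client authentication: try the Basic header first (Quarkus' default
     * client-secret method), then fall back to the client_secret_post form field.
     */
    static String extractClientId(Request request) {
        String auth = request.getHeader("Authorization");
        if (auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                String decoded = new String(Base64.getDecoder().decode(auth.substring(6).trim()),
                        StandardCharsets.UTF_8);
                int colon = decoded.indexOf(':');
                if (colon > 0) {
                    // RFC 6749 §2.3.1: client_id is form-url-encoded before Basic encoding
                    return urlDecode(decoded.substring(0, colon));
                }
            } catch (IllegalArgumentException malformedBase64) {
                // fall through to the form body
            }
        }
        return formParam(request.getBodyAsString(), "client_id");
    }

    /** Minimal application/x-www-form-urlencoded lookup; returns null when absent. */
    static String formParam(String body, String name) {
        if (body == null) {
            return null;
        }
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (urlDecode(key).equals(name)) {
                return eq < 0 ? "" : urlDecode(pair.substring(eq + 1));
            }
        }
        return null;
    }

    private static String urlDecode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }
}
```

Register it with `wireMockConfig().extensions(new ClientIdAudienceTransformer(key))`, keep the `__ID_TOKEN__` marker in the `id_token` field of the stubbed token response, and add `.withTransformers(ClientIdAudienceTransformer.NAME)` to that stub; the access token can still be built eagerly as in the existing stub, since its audience is not the claim under discussion. Because the transformer also reads the form body, it keeps working for applications that switch to client post authentication (`quarkus.oidc.credentials.client-secret.method=post`), which is the case where a request-body lookup would see `client_id` at all.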
