Let AbstractTokensProducer.getTokens being overridden in AbstractOidcClientRequestReactiveFilter implementation

[jdussouillez]

Description

I'm trying to refactor some code to use custom filters using AbstractOidcClientRequestReactiveFilter and when I override getTokens(), it's not called because the filter implementation is calling super.getTokens(), so calling the method in parent class AbstractTokensProducer.

Would it be possible to change this so custom AbstractOidcClientRequestReactiveFilter can override getTokens() properly?

Note: if you have a better/more standard solution on how to do this in Quarkus OIDC clients, I'll be very happy to get a second opinion! Like maybe implement a custom OidcClient with inside the default OIDC client and then use the AbstractOidcClientRequestReactiveFilter without overriding anything but AbstractTokensProducer.client?

---

Use case:

I have to get an OIDC token to call an API, that gives another OIDC token.
I know it's weird, it was introduced more in details in this comment

What I have now:

I have a REST client taking @HeaderParam(HttpHeaders.AUTHORIZATION) String token parameter. My caller service has a piece of code to get a valid OIDC token from client (so very classic flow), then it calls another REST client to get the second token, and then it calls my REST client token in parameter.

What I'm trying to achieve:

For a while now, we're using @OidcClientFilter("xxx") for our REST clients (I have like 4 or 5 REST clients with specific OIDC client for each). And I wanted to unify this logic.
I can't do what I want with @OidcClientFilter but I was thinking of doing something like this:

// @OidcClientFilter("inventory-visibility") // Can't use this because of the token exchange
@RegisterProvider(InventoryVisibilityOidcClientFilter.class)
public interface InventoryVisibilityApiClient {

    @POST
    @Path("onhand/indexquery")
    Uni<List<D365InventoryResponse>> getInventories(D365InventoryRequest request);
}

// ---

@Priority(Priorities.AUTHENTICATION)
public class InventoryVisibilityOidcClientFilter extends AbstractOidcClientRequestReactiveFilter {

    @Inject
    protected SecurityServiceApiClient client;

    // This is the token of for inventory visibility
    private volatile Tokens tokens;

    @Override
    public Uni<Tokens> getTokens() {
        if (tokens != null && !tokens.isAccessTokenExpired() && !tokens.isAccessTokenWithinRefreshInterval()) {
            return Uni.createFrom().item(tokens);
        }
        return refresh()
            .invoke(t -> this.tokens = t);
    }

    @Override
    protected Optional<String> clientId() {
        return Optional.of("inventory-visibility");
    }

    private Uni<Tokens> refresh() {
        // Get OIDC token for security service (it's regular Quarkus OIDC client)
        return super.getTokens()
            // Then use it to get an inventory service token
            .map(securityServiceTokens -> new InventoryTokenRequest(...))
            .chain(tokenReq -> client.getToken(tokenReq));
    }
}

The problem is, my custom OIDC client filter is created and called, but AbstractOidcClientRequestReactiveFilter.filter is not calling my implementation of getTokens, it calls the one from it's parent class AbstractTokensProducer.

Implementation ideas

In AbstractOidcClientRequestReactiveFilter.filter, call getTokens() instead of super.getTokens().

[quarkus-bot]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

Thanks, can you clarify please, what OidcClient method do you need to call with this flow, where you pass it an acquired token

[jdussouillez]

what OidcClient method do you need to call with this flow, where you pass it an acquired token

I'm sorry @sberyozkin, but I'm not sure to understand the question. Please feel free to ask for more details.

I'm not calling any method of OidcClient myself. I let the OidcClient do its job, and give me a valid Tokens instance (let's call it T1). But I don't want to use T1 in authorization header, I want to exchange T1 to get T2 (another Tokens instance).

To get T2, I'm calling another REST client (without authentication) with T1 in request body. Response is T2.

My first idea was to implement a custom filter, that is getting T1 from OidcClient, then get T2, then add the authorization header manually in that filter. Then I figured out I can use AbstractOidcClientRequestReactiveFilter to do most of the work and just add one extra step: exchange T1 for T2 just before using the token.

---

Authentication document for real life use case: https://learn.microsoft.com/en-us/dynamics365/supply-chain/inventory/inventory-visibility-api#inventory-visibility-authentication

[sberyozkin]

@jdussouillez Sorry, I thought you needed to customize the way OidcClient is called...

AbstractTokensProducer#getTokens is a public method and AbstractOidcClientRequestReactiveFilter extends AbstractTokensProducer, so you can override it. Am I still missing something ?

Thanks

[jdussouillez]

@sberyozkin

AbstractTokensProducer#getTokens is a public method and AbstractOidcClientRequestReactiveFilter extends AbstractTokensProducer, so you can override it.

Yes, exactly. I can override it, but it's never called because in the filter, the call is super.getTokens(), not this.getTokens().
So each time, we call the AbstractTokensProducer default implementation, not my overriden method.

See https://github.com/quarkusio/quarkus/blob/3.29.0/extensions/oidc-client-reactive-filter/runtime/src/main/java/io/quarkus/oidc/client/reactive/filter/runtime/AbstractOidcClientRequestReactiveFilter.java#L42

[sberyozkin]

@jdussouillez Oh I see, thanks, looks like an easy fix where we just need to drop super., would you like to open a PR ?

[jdussouillez]

@sberyozkin Done in #50873