Merge pull request quarkusio#47750 from sberyozkin/internal_idtoken_fix

sberyozkin · web-flow · commit 8bf917587f65 · 2025-05-07T18:49:08.000+01:00
Fail early if the access token is not returned from GitHub
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
@@ -845,10 +845,15 @@ public Uni<SecurityIdentity> apply(final AuthorizationCodeTokens tokens, final T
                             if (isIdTokenRequired(configContext)) {
                                 LOG.errorf("ID token is not available in the authorization code grant response");
                                 return Uni.createFrom().failure(new AuthenticationCompletionException());
-                            } else {
+                            } else if (tokens.getAccessToken() != null) {
                                 tokens.setIdToken(generateInternalIdToken(configContext, null, null,
                                         tokens.getAccessTokenExpiresIn()));
                                 internalIdToken = true;
+                            } else {
+                                LOG.errorf(
+                                        "Neither ID token nor access tokens are available in the authorization code grant response."
+                                                + " Please check logs for more details, enable debug log level if no details are visible.");
+                                return Uni.createFrom().failure(new AuthenticationCompletionException());
                             }
                         } else {
                             if (!prepareNonceForVerification(context, configContext.oidcConfig(), stateBean)) {
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java
@@ -810,6 +810,10 @@ private Uni<UserInfo> getUserInfoUni(Map<String, Object> requestData, TokenAuthe
 
         LOG.debug("Requesting UserInfo");
         String contextAccessToken = (String) requestData.get(OidcConstants.ACCESS_TOKEN_VALUE);
+        if (contextAccessToken == null && isIdToken(request)) {
+            throw new AuthenticationCompletionException(
+                    "Authorization code flow access token which is required to get UserInfo is missing");
+        }
         final String accessToken = contextAccessToken != null ? contextAccessToken : request.getToken().getToken();
 
         UserInfoCache userInfoCache = tenantResolver.getUserInfoCache();
