Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate OIDC-based extensions from config classes to @ConfigMapping #39185

Closed
michalvavrik opened this issue Mar 5, 2024 · 15 comments · Fixed by #44860
Closed

Migrate OIDC-based extensions from config classes to @ConfigMapping #39185

michalvavrik opened this issue Mar 5, 2024 · 15 comments · Fixed by #44860
Assignees
Labels
area/config area/housekeeping Issue type for generalized tasks not related to bugs or enhancements area/oidc
Milestone

Comments

@michalvavrik
Copy link
Member

michalvavrik commented Mar 5, 2024

Description

I've mentioned extensions migrating to @ConfigMapping along its own axis. Some of them try to solve a bug like Hibernate, but there are other objections like performance, efficiency and possibly new features (config classes are maintained if there is a major bug found, but not developed). Cons is that some config classes can be injected by integrating extensions or users, therefore they can be considered API - #35246. However I don't believe that is a case of OIDC, how many extensions and users outside of Quarkus core extensions really needs to inject configuration classes as CDI beans, or use them in a build step?

I'd like to migrate OIDC config because I think impact will be absolutely minor. I don't know why should users inject OIDC config in general. Waiting probably solves nothing and migration can have positive performance impact (though migrating OIDC alone will hardly be measurable, it is one piece of the puzzle...).

Implementation ideas

No response

@michalvavrik michalvavrik added area/config area/oidc area/housekeeping Issue type for generalized tasks not related to bugs or enhancements labels Mar 5, 2024
Copy link

quarkus-bot bot commented Mar 5, 2024

/cc @pedroigor (oidc), @sberyozkin (oidc)

@geoand
Copy link
Contributor

geoand commented Mar 5, 2024

+1

@sberyozkin
Copy link
Member

sberyozkin commented Mar 5, 2024

@michalvavrik FYI, OidcTenantConfig and OidcClientConfig extend OidcCommonConfig. Can that work with ConfigMapping ?

Cons is that some config classes can be injected by integrating extensions or users, therefore they can be considered API - #35246. However I don't believe that is a case of OIDC

IMHO it has to be reviewed. I'm quite sure I saw people asking questions about accessing the OIDC config, probably a long while back on Zulip, but I remember it.

FYI, Keycloak Authorization and now OIDC Proxy need access to OidcTenantConfig but the latter accesses it via an instance of TenantConfigBean

@michalvavrik
Copy link
Member Author

michalvavrik commented Mar 5, 2024

Thanks for quick response @sberyozkin .

@michalvavrik FYI, OidcTenantConfig and OidcClientConfig extend OidcCommonConfig. Can that work with ConfigMapping ?

First I tried to detect whether the migration is acceptable. I'll try it, I expect it to work and if it does not, IMO it is candidate for new feature that I'd request from SR Config.

Cons is that some config classes can be injected by integrating extensions or users, therefore they can be considered API - #35246. However I don't believe that is a case of OIDC

IMHO it has to be reviewed. I'm quite sure I saw people asking questions about accessing the OIDC config, probably a long while back on Zulip, but I remember it.

Just because someone asked in past, it doesn't mean that person is still using it. I'm happy to investigate Quarkiverse extensions usage if you suggest concerned extensions (or I can try to look at Mvn central usage of the OIDC extension if it is there and inspect dependencies that are using the OIDC). That's only thing I can investigate.

FYI, Keycloak Authorization and now OIDC Proxy need access to OidcTenantConfig but the latter accesses it via an instance of TenantConfigBean

Hey, but OIDC Proxy extension is not released and Keycloak Authorization is in core, which I can fix as I'll migrate it. I agree that everything has to work as before, just migration from properties/getters to interface methods if that's what you mean by this FYI.

@sberyozkin
Copy link
Member

@michalvavrik One more thing I remember.

Dynamic TenantConfigResolver and it is used a lot. Users create the configuration themselves, OidcTenantConfig cfg = new OidcTenantConfig() - we can't break that

@michalvavrik
Copy link
Member Author

michalvavrik commented Mar 5, 2024

@michalvavrik One more thing I remember.

Dynamic TenantConfigResolver and it is used a lot. Users create the configuration themselves, OidcTenantConfig cfg = new OidcTenantConfig() - we can't break that

I can see it is documented and used, alright, we can keep the OidcTenantConfig as POJO and map it to the interface. IMO it is not a good idea for users to manually create config class anyway (there are config builders and other sources and it is better that users use API).

Would it be acceptable @sberyozkin to keep OidcTenantConfig as something used by users, but use in the OidcConfig class some other class. That is fields defaultTenant and namedTenants will use interface TenantConfig instead?

@sberyozkin
Copy link
Member

@michalvavrik

IMO it is not a good idea for users to manually create config class anyway (there are config builders and other sources and it is better that users use API).

OIDC config probably covers may be 10+ different aspects, TLS, Proxy, OIDC connections details, a ton of them. And recall, this is created per tenant, dynamically.

I think if we can come up with a good OidcTenantConfig Builder API, @pedroigor was suggesting it, then it can indeed be a path forward, which will let us eventually break from the OidcTenantConfig config = new OidcTenantConfig(); config.setThisOrThat(); pattern that TenantConfigResolver users currently use

@sberyozkin
Copy link
Member

Though I'm not sure it is worth the effort, only if we will want to break the current approach. But OidcTenantConfig config = new OidcTenantConfig(); config.setThisOrThat(); is not perfect but it just works... For example: oidc.getAuthentication().setRedirectPath("/callback");

@michalvavrik
Copy link
Member Author

michalvavrik commented Mar 5, 2024

Alright then, I'll (eventually, not right now):

  1. investigate OIDC config usage and if it is rare, I'll prepare draft PRs that migrate config for the extension authors
  2. migrate current config classes to @ConfigMapping and test it with extension/integration tests
  3. prepare builder API for OidcTenantConfig

Then based on concrete proposal there can be discussion whether it's acceptable or not.

@michalvavrik michalvavrik self-assigned this Mar 5, 2024
@sberyozkin
Copy link
Member

@michalvavrik Sure, but lets avoid breaking TenantConfigResolver users - I know it is used a lot, deprecating the current way of creating the config would be the way to go if the builder API becomes available.

@michalvavrik
Copy link
Member Author

michalvavrik commented Mar 5, 2024

@michalvavrik Sure, but lets avoid breaking TenantConfigResolver users - I know it is used a lot, deprecating the current way of creating the config would be the way to go if the builder API becomes available.

Roger That.

@michalvavrik
Copy link
Member Author

ouch, I punched enter before I finished - it is interesting because there is overall intention to unify Quarkus specific config and SmallRye Config. So I meant to say I'll that OIDC extension migration will be bigger effort that I'm working on, but I'll start slowly with tiny PRs like OIDC token propagation that I already checked has no usage in Quarkiverse. And so on. thx

@michalvavrik
Copy link
Member Author

I made a smoke check in regards of the OIDC and the OIDC client extensions. io.quarkus.oidc.client.OidcClientConfig and io.quarkus.oidc.OidcTenantConfig are part of API, documented, created and used directly by users. We can't touch them. There are only 3 ways I can see, the first 2 unacceptable:

  1. keep config classes forever, never migrate
  2. break things, just introduce builder, try to write some openrewrite recepies and migrate to configmapping
  3. Turn the 2 config classes into POJO, back them with @ConfigMapping interface (called TenantConfig and ClientConfig) and introduce build method on the @ConfigMapping that turns the interface into POJO class if and only if needed.

My understand is that we can keep consistency reliably because the POJOs will implement the @ConfigMapping interfaces, therefore when something changes on the @ConfigMapping it will enforce change in the config POJO class.

Even so, I think it is likely that users are injecting io.quarkus.oidc.runtime.OidcConfig and it will be breaking change in sense of replacing property with method call, but that seems hardly big deal.

@michalvavrik
Copy link
Member Author

michalvavrik commented Oct 26, 2024

Just adding link to the current proposal #41866 (comment). Starting to working on the phase one right now. I think it's the right way to go, but I won't really know till I try it. I also need to look into extensibility of @ConfigMapping which could slow us down. Will report back when there is a progress.

Update: found one test in IT SR Config module that extends @ConfigMapping interface.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/config area/housekeeping Issue type for generalized tasks not related to bugs or enhancements area/oidc
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants