From 51834c5559995f69936c458acd902f4788d7e9fa Mon Sep 17 00:00:00 2001
From: Guillaume Smet
Date: Fri, 16 Aug 2024 16:51:02 +0200
Subject: [PATCH 1/2] Properly check header before extracting the bearer token

Fixes #42591
---
 .../runtime/auth/OAuth2AuthMechanism.java | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/extensions/elytron-security-oauth2/runtime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java b/extensions/elytron-security-oauth2/runtime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java
index c61b680c29706..ef644ce1007b8 100644
--- a/extensions/elytron-security-oauth2/runtime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java
+++ b/extensions/elytron-security-oauth2/runtime/src/main/java/io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.java
@@ -24,6 +24,8 @@
 @ApplicationScoped
 public class OAuth2AuthMechanism implements HttpAuthenticationMechanism {
+ private static final String BEARER_PREFIX = "Bearer ";
+
 protected static final ChallengeData CHALLENGE_DATA = new ChallengeData(
 HttpResponseStatus.UNAUTHORIZED.code(),
 HttpHeaderNames.WWW_AUTHENTICATE,
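Review bot: `BEARER_PREFIX` carries a trailing space that the `substring(BEARER_PREFIX.length())` call later in this file depends on, and nothing at the declaration says so, which makes it easy to "tidy away" in a later edit. A comment on the constant such as `// "Bearer" plus the single space that separates scheme and token; authenticate() skips exactly this many characters` would make the coupling explicit. The class body continues beyond this hunk.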
@@ -42,15 +44,17 @@ public class OAuth2AuthMechanism implements HttpAuthenticationMechanism {
 public Uni authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
 String authHeader = context.request().headers().get("Authorization");
- String bearerToken = authHeader != null ? authHeader.substring(7) : null;
- if (bearerToken != null) {
- // Install the OAuth2 principal as the caller
- return identityProviderManager
- .authenticate(new TokenAuthenticationRequest(new TokenCredential(bearerToken, "bearer")));
+ if (authHeader == null || !authHeader.startsWith(BEARER_PREFIX)) {
+ // No suitable bearer token has been found in this request,
+ return Uni.createFrom().nullItem();
 }
- // No suitable header has been found in this request,
- return Uni.createFrom().nullItem();
+
+ String bearerToken = authHeader.substring(BEARER_PREFIX.length());
+
+ // Install the OAuth2 principal as the caller
+ return identityProviderManager
+ .authenticate(new TokenAuthenticationRequest(new TokenCredential(bearerToken, "bearer")));
 }
 @Override

From cd12e4ca79ad6d4be5ce31409debf2a2be0458be Mon Sep 17 00:00:00 2001
From: Guillaume Smet
Date: Fri, 16 Aug 2024 17:59:59 +0200
Subject: [PATCH 2/2] Fix ElytronOauth2ExtensionResourceTestCase

The header should be: Authorization: Bearer and not Authorization: Bearer:
---
 .../oauth2/ElytronOauth2ExtensionResourceTestCase.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/integration-tests/elytron-security-oauth2/src/test/java/io/quarkus/it/elytron/oauth2/ElytronOauth2ExtensionResourceTestCase.java b/integration-tests/elytron-security-oauth2/src/test/java/io/quarkus/it/elytron/oauth2/ElytronOauth2ExtensionResourceTestCase.java
index 496863baf8204..3a3797eabb130 100644
--- a/integration-tests/elytron-security-oauth2/src/test/java/io/quarkus/it/elytron/oauth2/ElytronOauth2ExtensionResourceTestCase.java
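Review bot: The new `startsWith(BEARER_PREFIX)` guard still lets a header that is exactly `Bearer ` through, so an empty `bearerToken` is wrapped in a `TokenCredential` and handed to the identity provider instead of being rejected here alongside the other malformed headers; tightening the guard to `if (authHeader == null || !authHeader.startsWith(BEARER_PREFIX) || authHeader.length() == BEARER_PREFIX.length()) {` keeps that case on the `nullItem()` path. The check is also case-sensitive, so a header starting with `bearer ` is now treated as no credential at all; RFC 7235 defines the auth-scheme name as case-insensitive, and if that is meant to be honoured `authHeader.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())` is the equivalent test. Everything after the prefix is still taken verbatim as the token, so any extra whitespace is passed through to the provider unchanged — presumably it rejects such a token, but that is decided outside this class. The whole `authenticate` method is inside the hunk; the enclosing class continues outside it.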
+++ b/integration-tests/elytron-security-oauth2/src/test/java/io/quarkus/it/elytron/oauth2/ElytronOauth2ExtensionResourceTestCase.java
@@ -56,7 +56,7 @@ public void authenticated() {
 ensureStarted();
 RestAssured.given()
 .when()
- .header("Authorization", "Bearer: " + BEARER_TOKEN)
+ .header("Authorization", "Bearer " + BEARER_TOKEN)
 .get("/api/authenticated")
 .then()
 .statusCode(200)
@@ -78,7 +78,7 @@ public void forbidden() {
 ensureStarted();
 RestAssured.given()
 .when()
- .header("Authorization", "Bearer: " + BEARER_TOKEN)
+ .header("Authorization", "Bearer " + BEARER_TOKEN)
 .get("/api/forbidden")
 .then()
 .statusCode(403);
@@ -99,13 +99,13 @@ public void testGrpcAuthorization() {
 ensureStarted();
 RestAssured.given()
 .when()
- .header("Authorization", "Bearer: " + BEARER_TOKEN)
+ .header("Authorization", "Bearer " + BEARER_TOKEN)
 .get("/api/grpc-writer")
 .then()
 .statusCode(500);
 RestAssured.given()
 .when()
- .header("Authorization", "Bearer: " + BEARER_TOKEN)
+ .header("Authorization", "Bearer " + BEARER_TOKEN)
 .get("/api/grpc-reader")
 .then()
 .statusCode(200)
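Review bot: The corrected tests only exercise a well-formed `Bearer` header, so the condition that motivated the first patch — an `Authorization` value that is not a Bearer credential, or shorter than the prefix, reaching `substring` — has no coverage in this file. A companion test that sends a non-Bearer scheme (or a value such as `Bear`) to `/api/authenticated` and asserts the unauthenticated status would pin the new guard; 401 is what `CHALLENGE_DATA` in the mechanism advertises, but confirm it against the existing unauthenticated test in this class, which is outside the hunks. The three hunks at lines 56, 78 and 99 make the same string change; the enclosing test methods start outside each hunk.
```java
// … constructed example; place next to authenticated() and mirror its annotations …
@Test
public void nonBearerAuthorizationIsRejected() {
    ensureStarted();
    RestAssured.given()
            .when()
            .header("Authorization", "Basic " + BEARER_TOKEN)
            .get("/api/authenticated")
            .then()
            .statusCode(401);
}
```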