Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't work with Google Oauth2 using qaurkus-oidc #30333

Closed
pmlopes opened this issue Jan 12, 2023 · 13 comments · Fixed by #31250
Closed

Can't work with Google Oauth2 using qaurkus-oidc #30333

pmlopes opened this issue Jan 12, 2023 · 13 comments · Fixed by #31250
Assignees
Labels
area/oidc kind/bug Something isn't working
Milestone

Comments

@pmlopes
Copy link
Contributor

pmlopes commented Jan 12, 2023

Describe the bug

I'm trying to help a user secure a simple API with Google/Azure as they did with Vert.x, however we cannot start the application on our development environments as quarkus-oidc assumes that oidc is using Keycloak for some unknown reason.

2023-01-12 13:33:37,383 INFO  [io.qua.oid.dep.dev.OidcDevConsoleProcessor] (build-4) OIDC Dev Console: discovering the provider metadata at https://accounts.google.com/.well-known/openid-configuration
2023-01-12 13:33:38,257 ERROR [io.qua.run.Application] (Quarkus Main Thread) Failed to start application (with profile dev): java.lang.StringIndexOutOfBoundsException: Range [0, -1) out of bounds for length 27
	at java.base/jdk.internal.util.Preconditions$1.apply(Preconditions.java:55)
	at java.base/jdk.internal.util.Preconditions$1.apply(Preconditions.java:52)
	at java.base/jdk.internal.util.Preconditions$4.apply(Preconditions.java:213)
	at java.base/jdk.internal.util.Preconditions$4.apply(Preconditions.java:210)
	at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:98)
	at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckFromToIndex(Preconditions.java:112)
	at java.base/jdk.internal.util.Preconditions.checkFromToIndex(Preconditions.java:349)
	at java.base/java.lang.String.checkBoundsBeginEnd(String.java:4611)
	at java.base/java.lang.String.substring(String.java:2723)
	at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.createPolicyEnforcer(KeycloakPolicyEnforcerRecorder.java:70)

The setup:

# Configuration file
%prod.quarkus.oidc.auth-server-url=https://accounts.google.com
quarkus.oidc.auth-server-url=https://accounts.google.com
quarkus.oidc.client-id=my-own-client-id-long-code.apps.googleusercontent.com
quarkus.oidc.credentials.secret=my-own-client-secret-long-code

Expected behavior

It is expected that users will use other providers than Keycloak. It doesn't seem trivial to find this information on the documentation.

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@pmlopes pmlopes added the kind/bug Something isn't working label Jan 12, 2023
@quarkus-bot
Copy link

quarkus-bot bot commented Jan 12, 2023

/cc @pedroigor (oidc), @sberyozkin (oidc)

@geoand
Copy link
Contributor

geoand commented Jan 13, 2023

I don't have any insight into this issue, but I just wanted to mention that users can do something like:

quarkus.oidc.provider=google
quarkus.oidc.client-id=<Client ID>
quarkus.oidc.credentials.secret=<Secret>

as mentioned here.

@geoand
Copy link
Contributor

geoand commented Jan 13, 2023

It would be useful for debugging purposes to either have a sample project that exhibits the problematic behavior, or at the very least, the pom.xml file of the project (I am assuming that quarkus-keycloak-authorization is being used when it probably should not be).

@pmlopes
Copy link
Contributor Author

pmlopes commented Jan 13, 2023

quarkus-google-oauth2-test.zip

@geoand I've updated the test app which is a copy and paste of the OIDC guide. I've replaced the server urls with the provider=google like you mention and the document you shared, still it doesn't seem to work:

2023-01-13 10:03:36,243 ERROR [io.qua.run.Application] (Quarkus Main Thread) Failed to start application (with profile dev): java.util.NoSuchElementException: No value present
	at java.base/java.util.Optional.get(Optional.java:143)
	at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.createPolicyEnforcer(KeycloakPolicyEnforcerRecorder.java:66)
	at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.setup(KeycloakPolicyEnforcerRecorder.java:38)
	at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup1036344509.deploy_0(Unknown Source)
	at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup1036344509.deploy(Unknown Source)
	at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
	at io.quarkus.runtime.Application.start(Application.java:101)
	at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:109)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:71)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:44)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:124)
	at io.quarkus.runner.GeneratedMain.main(Unknown Source)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:578)
	at io.quarkus.runner.bootstrap.StartupActionImpl$1.run(StartupActionImpl.java:104)
	at java.base/java.lang.Thread.run(Thread.java:1588)

2023-01-13 10:03:36,243 ERROR [io.qua.run.Application] (Quarkus Main Thread) Failed to start application (with profile dev): java.util.NoSuchElementException: No value present
	at java.base/java.util.Optional.get(Optional.java:143)
	at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.createPolicyEnforcer(KeycloakPolicyEnforcerRecorder.java:66)
	at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.setup(KeycloakPolicyEnforcerRecorder.java:38)
	at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup1036344509.deploy_0(Unknown Source)
	at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup1036344509.deploy(Unknown Source)
	at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
	at io.quarkus.runtime.Application.start(Application.java:101)
	at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:109)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:71)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:44)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:124)
	at io.quarkus.runner.GeneratedMain.main(Unknown Source)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:578)
	at io.quarkus.runner.bootstrap.StartupActionImpl$1.run(StartupActionImpl.java:104)
	at java.base/java.lang.Thread.run(Thread.java:1588)

2023-01-13 10:03:36,245 INFO  [io.qua.dep.dev.IsolatedDevModeMain] (main) Attempting to start live reload endpoint to recover from previous Quarkus startup failure

@geoand
Copy link
Contributor

geoand commented Jan 13, 2023

Thanks @pmlopes.

What happens if you remove

        <dependency>
            <groupId>io.quarkus</groupId>
            <artifactId>quarkus-keycloak-authorization</artifactId>
        </dependency>

?

Do things work as expected?

@pmlopes
Copy link
Contributor Author

pmlopes commented Jan 13, 2023

@geoand yes and no. I'll take it offline for a moment.

@sberyozkin
Copy link
Member

sberyozkin commented Jan 15, 2023

Hi @pmlopes @geoand sorry for a delay, I was totally disconnected all last week.

I agree this issue shows that the OIDC documentation will need to clarify a few details.
Let me summarize why it does not work:

  • by default, provider=google means it is a quarkus.oidc.application-type=web-app meaning that it only deals with the authorization code flow, therefore the bearer access token verification can not be done. This can be customized as quarkus.oidc.application-type=service (or hybrid), but like you said Paulo, Google does not have a token introspection endpoint. Note, starting from 2.16, users can choose to verify such binary access tokens (from Google, Github, etc which have no introspection) indirectly by requesting a user info access - since it involves Google/etc verifying such tokens themselves when returning UserInfo
  • Next, AdminResource is public - it has no @Authenticated or @RolesAllowed.
  • Having keycloak-authorization does not make sense with non-Keycloak providers, that said, why does an apparently public AdminResource is protected with keycloak-authorization in the keycloak-authorization quickstart but not here ? The reason is that in the keycloak-authorization quickstart, you have a real bearer access token verification ( quarkus.oidc.application-type=service is a default, and with proactive authentication is on by default, the bearer token is verified even if AdminResource is public, with quarkus-oidc creating SecurityIdentity and KeycloakAuthorization policy check reacting to it by sending the token further to Keycloak) - while with provider=google, Quarkus Security thinks it is an anonymous identity because quarkus-oidc CodeAuthenicationMechanism has nothing to verify and does not get an opportunity to challenge because AdminResource is public and KeycloakAuthorization does not need to check anonymous identities.
  • To have a bearer token verification failing with this setup, simply add @Authenticated (=> you will get 302 reaction from quarkus-oidc code flow support), or, alternatively, just add quarkus.oidc.application-type=service (=> you will get 401)

I'll assign to myself to review what can be improved in the docs.

@sberyozkin sberyozkin self-assigned this Jan 15, 2023
@ghost
Copy link

ghost commented Jan 16, 2023

I'm trying to setup bearer access token verification for my Quarkus Rest API with Auth0.
I also got 401, because Auth0 does not have introspection endpoint. @sberyozkin, if I understand, I'll have to wait for 2.16 to make it work?

@pmlopes
Copy link
Contributor Author

pmlopes commented Jan 16, 2023

Just my 2cts:

Indeed, Google has no token introspection, but it is a OIDC-compliant service. I can discover the configuration here:

https://accounts.google.com/.well-known/openid-configuration

From that json we can extract the well-known claim jwks_uri: https://www.googleapis.com/oauth2/v3/certs

And with this information, any JWT issued by Google can be validated at the application side (like it happens for Keycloak).

The use of the userinfo_endpoint claim works for opaque tokens, with the extra penalty of an HTTP request to Google for each interaction at the Quarkus application side, but I'm uncertain if it will for service accounts https://cloud.google.com/iam/docs/service-accounts

Service accounts are used mostly for machine to machine identity, like in a microservice environment and this isn't a Google-specific thing, for example Azure has a similar concept: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-introduction-azure

Looking at the following question by @jderuere, Auth0 also does OIDC, and we can get the configuration from:

https://${tenant}.okta.com/oauth2/default/.well-known/openid-configuration

My take here is that the documentation should clarify the meaning of OIDC as users like me may be doing wrong assumptions, while it seems that OIDC here means Keycloak OIDC support.

@sberyozkin
Copy link
Member

@pmlopes Paulo, sorry, not sure what you meant.

As far as OIDC code flow is concerned, the access token, be it binary or JWT token, is meant for the confidential OIDC client like Quarkus endpoint to request something from Google on behalf of this endpoint, specifically requesting UserInfo is a typical operation.
Verifying the binary token is not possible with the public keys available from the JWK endpoint. May be we can have a call or chat on Zulip/Google chat.
What Quarkus now can do with 2.16, verifying binary bearer access tokens indirectly with the UserInfo acquisition is the only realistic option for accepting such binary tokens as bearer tokens.
If it is a code flow, these binary access tokens are not even verified in Quarkus because they are not used by Quarkus itself in this flow, IdToken is the primary token which is used in the code flow to create a SecurityIdentity.

@sberyozkin
Copy link
Member

sberyozkin commented Jan 16, 2023

@jderuere Hi, right, it is not possible to verify an opaque binary token locally, one would need to have a provider secret key available, but if it is just a DB pointer in the provider's database then it won't work either. So if verifying the binary token is necessary with the provider having no introspection endpoint then the only option is to verify it indirectly by requesting a UserInfo from the provider, it will be possible with 2.16, actually you can try CR1, see
https://quarkus.io/version/main/guides/security-openid-connect-web-authentication#quarkus-oidc_quarkus.oidc.token.verify-access-token-with-user-info, use it alongside quarkus.oidc.authentication.user-info-required=true

@sberyozkin
Copy link
Member

sberyozkin commented Jan 16, 2023

@pmlopes Thanks for some extra explanations, just having

quarkus.oidc.provider=google
quarkus.oidc.application-type=service

for the endpoint receiving a bearer token in JWT format will do.

The confusion has been for me that when someone says opaque token then it means to me binary (non-JWT) token :-).
So all of my typing above was about trying to explain how Quarkus can help with verifying such binary tokens which can't be introspected.
Also, in case you'll try to exchange the access tokens with the jwt bearer grant, then see https://github.com/quarkusio/quarkus/pull/29130/files (oidc-token-propagation-reactive/deployment/test), for Azure you'd need to have something like

#oidc client config is enough if you need to use the injected OidcClient directly
quarkus.oidc-client.auth-server-url=${azure.url}
quarkus.oidc-client.client-id=client_id
quarkus.oidc-client.credentials.client-secret.value=client_secret
quarkus.oidc-client.credentials.client-secret.method=post
quarkus.oidc-client.grant.type=jwt
quarkus.oidc-client.scopes=https://graph.microsoft.com/user.read,offline_access
quarkus.oidc-client.grant-options.jwt.requested_token_use=on_behalf_of

# this enables OIDC token propagation client filter to use OidcClient to exchange the access token using a jwt-bearer grant and propagate the new token as Authorization: Bearer new_token
quarkus.oidc-token-propagation-reactive.exchange-token=true

@sberyozkin
Copy link
Member

TODO: also highlight in the docs the importance of the aud validation

@quarkus-bot quarkus-bot bot added this to the 3.0 - main milestone Feb 17, 2023
@gsmet gsmet modified the milestones: 3.0 - main, 2.16.4.Final Feb 22, 2023
benkard pushed a commit to benkard/mulkcms2 that referenced this issue Apr 2, 2023
This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.200.0` -> `^0.201.0`](https://renovatebot.com/diffs/npm/flow-bin/0.200.0/0.201.0) |
| [org.liquibase:liquibase-maven-plugin](http://www.liquibase.org/liquibase-maven-plugin) ([source](https://github.com/liquibase/liquibase)) | build | patch | `4.19.0` -> `4.19.1` |
| [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | build | minor | `2.33.0` -> `2.34.0` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.16.3.Final` -> `2.16.4.Final` |
| [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.16.3.Final` -> `2.16.4.Final` |
| [org.apache.maven.plugins:maven-compiler-plugin](https://maven.apache.org/plugins/) | build | minor | `3.10.1` -> `3.11.0` |

---

### Release Notes

<details>
<summary>flowtype/flow-bin</summary>

### [`v0.201.0`](flow/flow-bin@d54e283...86aea9c)

[Compare Source](flow/flow-bin@d54e283...86aea9c)

### [`v0.200.1`](flow/flow-bin@b6c1eb0...d54e283)

[Compare Source](flow/flow-bin@b6c1eb0...d54e283)

</details>

<details>
<summary>liquibase/liquibase</summary>

### [`v4.19.1`](https://github.com/liquibase/liquibase/releases/tag/v4.19.1)

[Compare Source](liquibase/liquibase@v4.19.0...v4.19.1)

##### Liquibase v4.19.1 is a patch release

#### Enhancements

-   Publish liquibase-extension-testing to github packages (DAT-12833) by [@&#8203;abrackx](https://github.com/abrackx) in liquibase/liquibase#3697
-   Add support for multiple schemas to dbDoc command by [@&#8203;zpanderson](https://github.com/zpanderson) in liquibase/liquibase#1834
-   No need redundant conditions. by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3553
-   Replace expressions with type arguments with diamond type <>. by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3591
-   Remove duplicate conditions in expressions and branches of if statements. They are used due to oversight. by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3548
-   Replace constant charset String literal with the predefined StandardC… by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3568
-   Normalize path of SQL changelog file when parsing (DAT-11891) by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3664
-   Delegate change set equality tests by [@&#8203;droy-sandbox](https://github.com/droy-sandbox) in liquibase/liquibase#3550
-   (DAT-6636)Refactor of TagExistsCommandStep and extraction of code to new LockServiceCommandStep  by [@&#8203;filipelautert](https://github.com/filipelautert) in liquibase/liquibase#3667
-   Refactors CalculateChecksumCommandStep  by [@&#8203;filipelautert](https://github.com/filipelautert) in liquibase/liquibase#3696
-   CORE-3044 avoid locking if no updates pending by [@&#8203;RichardBradley](https://github.com/RichardBradley) in liquibase/liquibase#2190
-   Warning in case of missing liquibase files instead of throwing an exception by [@&#8203;mhewedy](https://github.com/mhewedy) in liquibase/liquibase#3081
-   Remove redundant modifiers. by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3594
-   Update maven-bundle-plugin instructions to export package containing XSD files by [@&#8203;GeertZondervan](https://github.com/GeertZondervan) in liquibase/liquibase#3597
-   Remove redundant conditions that covered by a subsequent condition. by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3590
-   Add support for db2 view comments (DAT-12529) by [@&#8203;abrackx](https://github.com/abrackx) in liquibase/liquibase#3723
-   Remove unnecessary cast expressions. by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3670
-   Performance improvements by [@&#8203;filipelautert](https://github.com/filipelautert) in liquibase/liquibase#3588
-   Implemented a summary of change sets which get filtered out during update (DAT-12068) by [@&#8203;wwillard7800](https://github.com/wwillard7800) in liquibase/liquibase#3730
-   Support tabular format for history command by [@&#8203;fbiville](https://github.com/fbiville) in liquibase/liquibase#3541
-   Remove Unnecessary operation/modifier: by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3657
-   Update and rename bug_report.md to bug_report.yaml by [@&#8203;kevin-atx](https://github.com/kevin-atx) in liquibase/liquibase#3728
-   Improve command line help message format by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3829
-   Use StandardCharsets constant instead. (DAT-12853) by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3725
-   Update SnakeYAML usage - do not call deprecated methods by [@&#8203;asomov](https://github.com/asomov) in liquibase/liquibase#3632
-   Avoid global mutable state of Non-final fields in enumeration types. by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3727
-   Use constants instead of arrays with known lengths of zero by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3716
-   Simplify lambda expressions when possible by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3736
-   \[MRO] Added new modifyChangeSets tag to support specification of `runWith` attribute for all change sets in `include` or `includeAll`
-   \[MRO] DAT-7922  Implement a check for one change per changeset by [@&#8203;wwillard7800](https://github.com/wwillard7800) in https://github.com/liquibase/liquibase-pro/pull/790
-   \[MRO] DAT-11915 Correctly escape SQL to enable and disable triggers on PostgreSQL by [@&#8203;wwillard7800](https://github.com/wwillard7800) in https://github.com/liquibase/liquibase-pro/pull/799
-   \[MRO] DAT-10157: add database scope for reserved words checks by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in https://github.com/liquibase/liquibase-pro/pull/802
-   \[MRO] DAT-13189 safely set code point limit for SnakeYaml by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in https://github.com/liquibase/liquibase-pro/pull/827
-   \[MRO] DAT-13440: show changesetsRolledback only after rollback is complete by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in https://github.com/liquibase/liquibase-pro/pull/838
-   \[MRO] DAT-12568 by [@&#8203;jnewton03](https://github.com/jnewton03) in https://github.com/liquibase/liquibase-pro/pull/844

#### Fixes

-   Fixes generate-changelog table/view comment and table/view column comment generation for MSSQL (DAT-12045) by [@&#8203;abrackx](https://github.com/abrackx) in liquibase/liquibase#3563
-   Fully qualified path to the changelog or snapshot in S3 is not allowed, so needs better msg (DAT-11478) by [@&#8203;diadiushko](https://github.com/diadiushko) in liquibase/liquibase#3564
-   (DAT-12039) :detect circular references in includeAll statement by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3695
-   improve logging around paths that do not exist (DAT-12038) by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3669
-   normalize path of json and yaml changelogs when parsing (DAT-11891)  by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3711
-   deprecate DefaultLoggerConfiguration (DAT-11970) by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3706
-   Rework dropProcedure for Snowflake Log message when dropAll fails (DAT-12916) by [@&#8203;wwillard7800](https://github.com/wwillard7800) in liquibase/liquibase#3702
-   fix: snowflake has wrong priority by [@&#8203;Yogurt-lei](https://github.com/Yogurt-lei) in liquibase/liquibase#3572
-   Do not add default schema name to getSchemas method to avoid one schema by [@&#8203;LonwoLonwo](https://github.com/LonwoLonwo) in liquibase/liquibase#3704
-   [#&#8203;3035](liquibase/liquibase#3035) add Double data type class to avoid incorrect double(0) database by [@&#8203;LonwoLonwo](https://github.com/LonwoLonwo) in liquibase/liquibase#3703
-   Stop publishing liquibase-extension-testing to Github on branch builds (DAT-13038) by [@&#8203;abrackx](https://github.com/abrackx) in liquibase/liquibase#3726
-   do not support setting column comments on a view in Snowflake (DAT-12530) by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3710
-   Fix NullPointerException for case sensitive collations by [@&#8203;ivan909020](https://github.com/ivan909020) in liquibase/liquibase#3699
-   (DAT-13269) pass proper branch name and add required field by [@&#8203;jnewton03](https://github.com/jnewton03) in liquibase/liquibase#3765
-   Consistent ARG-suffix for 'defaultSchemaName'-Parameter by [@&#8203;SIEDA-EliasHeydrich](https://github.com/SIEDA-EliasHeydrich) in liquibase/liquibase#3662
-   Removing explicit LiquibaseServletListener references by [@&#8203;Thunderforge](https://github.com/Thunderforge) in liquibase/liquibase#3677
-   Add Snowflake structured data types to unmodifiable Data Types by [@&#8203;LonwoLonwo](https://github.com/LonwoLonwo) in liquibase/liquibase#3752
-   Fix [#&#8203;3690](liquibase/liquibase#3690) primaryKeyExists does not work on DB2z by [@&#8203;MichaelKern-IVV](https://github.com/MichaelKern-IVV) in liquibase/liquibase#3691
-   Replace old stream creation with java.nio. by [@&#8203;arturobernalg](https://github.com/arturobernalg) in liquibase/liquibase#3686
-   github-action (DAT-13527) by [@&#8203;jnewton03](https://github.com/jnewton03) in liquibase/liquibase#3827
-   Do not duplicate clearCheckSums logic by [@&#8203;fbiville](https://github.com/fbiville) in liquibase/liquibase#3628
-   Fixing [#&#8203;3708](liquibase/liquibase#3708) - AddColumn fix for H2 version 1.4.200 by [@&#8203;KarolyNevelos](https://github.com/KarolyNevelos) in liquibase/liquibase#3709
-   Added default values to private Scope constructor by [@&#8203;MarkTJohnson](https://github.com/MarkTJohnson) in liquibase/liquibase#3756
-   Improved concurrency support by using ConcurrentHashMaps by [@&#8203;jurgenkleverwal](https://github.com/jurgenkleverwal) in liquibase/liquibase#3799
-   fixing lookahead for last line comment method by [@&#8203;mwiede](https://github.com/mwiede) in liquibase/liquibase#3717
-   Do not calculate checksum when loading changelogs by [@&#8203;filipelautert](https://github.com/filipelautert) in liquibase/liquibase#3790
-   set up maven using simpler GitHub action by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3835
-   safely set code point limit for SnakeYaml (DAT-13189) by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3807
-   Fix failing EnvironmentValueProviderTest by [@&#8203;nvoxland](https://github.com/nvoxland) in liquibase/liquibase#3783
-   show changesetsRolledback only after rollback is complete (DAT-13440) by [@&#8203;StevenMassaro](https://github.com/StevenMassaro) in liquibase/liquibase#3846

#### Security, Driver and other updates

**OWASP Dependency Check: Reported Vulnerabilities**
`snakeyaml.jar` - This is a "critical" vulnerability reported against the snakeyaml library. Note: Liquibase code is not vulnerable to this attack, but users can manually upgrade to the newest version of snakeyaml library, and will be upgraded to the unaffected snakeyaml 2.0 version in the next release. If you are interested, you can track the MR at liquibase/liquibase#3865

-   Bump junit-jupiter-params from 5.9.1 to 5.9.2 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3673
-   Bump ant from 1.10.11 to 1.10.13 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3672
-   Bump firebird-testcontainers-java from 1.2.0 to 1.3.0 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3653
-   Bump actions/delete-package-versions from 3 to 4 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3649
-   Bump maven-plugin-plugin from 3.7.0 to 3.7.1 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3698
-   Bump assertj-core from 3.23.1 to 3.24.2 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3705
-   Bump jaybird from 4.0.8.java8 to 5.0.0.java8 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3659
-   Bump mariadb-java-client from 3.1.0 to 3.1.2 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3729
-   Bump snowflake-jdbc from 3.13.26 to 3.13.27 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3751
-   Bump picocli from 4.7.0 to 4.7.1 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3742
-   Bump actions/cache from 3.2.3 to 3.2.4 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3750
-   Bump actions/cache from 3.2.4 to 3.2.5 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3809
-   Bump maven-deploy-plugin from 3.0.0 to 3.1.0 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3802
-   Bump maven-shade-merge-manifest-transformer from 0.0.2 to 0.0.3 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3779
-   Bump postgresql from 42.5.1 to 42.5.3 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3778
-   Bump jaxb-runtime from 4.0.1 to 4.0.2 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3786
-   Bump jaxb-core from 4.0.1 to 4.0.2 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3787
-   Bump sqlite-jdbc from 3.40.0.0 to 3.40.1.0 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3772
-   Bump maven-enforcer-plugin from 3.1.0 to 3.2.1 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3759
-   Bump jaybird from 5.0.0.java8 to 5.0.1.java8 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3760
-   Bump mssql-jdbc from 11.2.1.jre8 to 12.2.0.jre8 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3761
-   Bump ojdbc8 from 21.8.0.0 to 21.9.0.0 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3808
-   Bump postgresql from 42.5.3 to 42.5.4 by [@&#8203;dependabot](https://github.com/dependabot) in liquibase/liquibase#3831
-   Migrate setup-java action to use Temurin by [@&#8203;gdams](https://github.com/gdams) in liquibase/liquibase#3607

#### New Contributors

-   [@&#8203;zpanderson](https://github.com/zpanderson) made their first contribution in liquibase/liquibase#1834
-   [@&#8203;droy-sandbox](https://github.com/droy-sandbox) made their first contribution in liquibase/liquibase#3550
-   [@&#8203;mhewedy](https://github.com/mhewedy) made their first contribution in liquibase/liquibase#3081
-   [@&#8203;GeertZondervan](https://github.com/GeertZondervan) made their first contribution in liquibase/liquibase#3597
-   [@&#8203;Yogurt-lei](https://github.com/Yogurt-lei) made their first contribution in liquibase/liquibase#3572
-   [@&#8203;gdams](https://github.com/gdams) made their first contribution in liquibase/liquibase#3607
-   [@&#8203;ivan909020](https://github.com/ivan909020) made their first contribution in liquibase/liquibase#3699
-   [@&#8203;SIEDA-EliasHeydrich](https://github.com/SIEDA-EliasHeydrich) made their first contribution in liquibase/liquibase#3662
-   [@&#8203;Thunderforge](https://github.com/Thunderforge) made their first contribution in liquibase/liquibase#3677
-   [@&#8203;KarolyNevelos](https://github.com/KarolyNevelos) made their first contribution in liquibase/liquibase#3709
-   [@&#8203;MarkTJohnson](https://github.com/MarkTJohnson) made their first contribution in liquibase/liquibase#3756
-   [@&#8203;jurgenkleverwal](https://github.com/jurgenkleverwal) made their first contribution in liquibase/liquibase#3799
-   [@&#8203;mwiede](https://github.com/mwiede) made their first contribution in liquibase/liquibase#3717

**Full Changelog**: liquibase/liquibase@v4.17.2...v4.19.1

##### Get Certified

Learn all the Liquibase fundamentals from free online courses by Liquibase experts and see how to apply them in the real world at https://learn.liquibase.com/.

##### Read the Documentation

Please check out and contribute to the continually improving docs, now at https://docs.liquibase.com/.

##### Meet the Community

Our community has built a lot. From extensions to integrations, you’ve helped make Liquibase the amazing open source project that it is today. Keep contributing to making it stronger:

[Contribute code](https://www.liquibase.org/development/contribute.html)
[Make doc updates](https://github.com/Datical/liquibase-docs)
[Help by asking and answering questions](https://forum.liquibase.org/)
[Set up a chat with the Product team](https://calendly.com/liquibase-outreach/product-feedback)

Thanks to everyone who helps make the Liquibase community strong!

#### File Descriptions

-   **Liquibase CLI** -- Includes open source + commercial functionality
-   **liquibase-x.y.z.tar.gz** -- Archive in tar.gz format
-   **liquibase-x.y.z.zip** -- Archive in zip format
-   **liquibase-windows-x64-installer-x.y.z.exe** -- Installer for Windows
-   **liquibase-macos-installer-x.y.z.dmg** -- Installer for MacOS
-   **Primary Libraries** - For embedding in other software
    -   **liquibase-core-x.y.z.jar** – Base Liquibase library (open source)
    -   **liquibase-commerical-x.y.z.jar** – Additional commercial functionality
-   **liquibase-additional-x.y.z.zip** – Contains additional, less commonly used files
    -   Additional libraries such as liquibase-maven-plugin.jar and liquibase-cdi.jar
    -   Javadocs for all the libraries
    -   Source archives for all the open source libraries
    -   ASC/MD5/SHA1 verification hashes for all files

**Full Changelog**: liquibase/liquibase@v4.19.0...v4.19.1

</details>

<details>
<summary>diffplug/spotless</summary>

### [`v2.34.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#&#8203;2340---2023-01-26)

##### Added

-   `Formatter` now has a field `public static final File NO_FILE_SENTINEL` which can be used to pass string content to a Formatter or FormatterStep when there is no actual File to format. ([#&#8203;1525](diffplug/spotless#1525))

</details>

<details>
<summary>quarkusio/quarkus</summary>

### [`v2.16.4.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.4.Final)

[Compare Source](quarkusio/quarkus@2.16.3.Final...2.16.4.Final)

##### Complete changelog

-   [#&#8203;31510](quarkusio/quarkus#31510) - Add logging to CompiledJavaVersionBuildStep
-   [#&#8203;31507](quarkusio/quarkus#31507) - Adjust API in transaction.adoc code snippet
-   [#&#8203;31498](quarkusio/quarkus#31498) - Added a note to get correct OpenAPI documentation
-   [#&#8203;31486](quarkusio/quarkus#31486) - smallrye-openapi generates wrong definition for grouped parameters
-   [#&#8203;31483](quarkusio/quarkus#31483) - Fix documentation for quarkus.hibernate-orm.enabled
-   [#&#8203;31477](quarkusio/quarkus#31477) - Qute generated value resolvers - fix varArgs methods with 1 argument
-   [#&#8203;31471](quarkusio/quarkus#31471) - \[2.16] Make sure parent modules are loaded into workspace before those that depend on them
-   [#&#8203;31467](quarkusio/quarkus#31467) - Don't run kubernetes-client Dev Services transitively
-   [#&#8203;31465](quarkusio/quarkus#31465) - Propagate Quarkus related failsafe system properties
-   [#&#8203;31462](quarkusio/quarkus#31462) - Do not append single '&' with empty query params  in Resteasy Reactive
-   [#&#8203;31449](quarkusio/quarkus#31449) - Qute: VarArgs processing error with 1 element
-   [#&#8203;31447](quarkusio/quarkus#31447) - SmallRye GraphQL 1.9.3, test for Deprecated annotation
-   [#&#8203;31422](quarkusio/quarkus#31422) - Fix client jackson body writer to propagate the client context
-   [#&#8203;31418](quarkusio/quarkus#31418) - Fix doc generation for quarkus.hibernate-orm.enabled
-   [#&#8203;31416](quarkusio/quarkus#31416) - Fix copy paste error in qute docs
-   [#&#8203;31405](quarkusio/quarkus#31405) - Propagate SystemProperties set in Failsafe plugin to the Test launcher
-   [#&#8203;31394](quarkusio/quarkus#31394) - Fix afterEach callback for integration tests
-   [#&#8203;31393](quarkusio/quarkus#31393) - Integration Test AfterEach callbacks are not called
-   [#&#8203;31355](quarkusio/quarkus#31355) - \[Regression] Very slow startup in dev mode when the Kubernetes extension is present
-   [#&#8203;31350](quarkusio/quarkus#31350) - Also set io.netty.noUnsafe at runtime when set at build time
-   [#&#8203;31349](quarkusio/quarkus#31349) - Netty complaining about access to heap buffer in native
-   [#&#8203;31347](quarkusio/quarkus#31347) - Adjust image name substitution for Elasticsearch Dev Services
-   [#&#8203;31339](quarkusio/quarkus#31339) - Improve logging in DevServicesKubernetesProcessor
-   [#&#8203;31336](quarkusio/quarkus#31336) - Pass `--userns=keep-id` to podman only when in rootless mode
-   [#&#8203;31331](quarkusio/quarkus#31331) - Use idiomatic RESTEasy Reactive filter declaration for OpenTelemetry
-   [#&#8203;31316](quarkusio/quarkus#31316) - Improve CSRF documentation
-   [#&#8203;31302](quarkusio/quarkus#31302) - Updated OpenAPI `mp.openapi.extensions.smallrye.openapi` key mapping
-   [#&#8203;31300](quarkusio/quarkus#31300) - Support UUID serialization in REST Client multipart bodies
-   [#&#8203;31298](quarkusio/quarkus#31298) - RESTEasy Reactive doesn't support `java.util.UUID`
-   [#&#8203;31291](quarkusio/quarkus#31291) - Bump `org.jetbrains.annotations` from `17.0.0` to the latest(`24.0.0`)
-   [#&#8203;31289](quarkusio/quarkus#31289) - Return a null InputStream from REST Client when response is 204
-   [#&#8203;31280](quarkusio/quarkus#31280) - Bump SQL Server JDBC driver to 12.2.0
-   [#&#8203;31276](quarkusio/quarkus#31276) - Bump protobuf from 3.21.9 to 3.22.0
-   [#&#8203;31274](quarkusio/quarkus#31274) - Try to solve disk space issues on GitHub Actions
-   [#&#8203;31261](quarkusio/quarkus#31261) - Bump Microsoft SQL Server JDBC driver to 12.2.0
-   [#&#8203;31260](quarkusio/quarkus#31260) - Make OIDC connection error log messages more visible
-   [#&#8203;31250](quarkusio/quarkus#31250) - Clarify in keycloak-authorization doc when it should be used
-   [#&#8203;31249](quarkusio/quarkus#31249) - Empty array of values in WebTargetImpl.queryParam method is added to the final URI as an `&`
-   [#&#8203;31245](quarkusio/quarkus#31245) - \[Regression in 2.16.3] `NullPointerException: Cannot invoke "org.jboss.resteasy.reactive.server.SimpleResourceInfo.getResourceClass()" because "this.resourceInfo" is null`
-   [#&#8203;31240](quarkusio/quarkus#31240) - protobuf code generated w/ 3.22.0 broken w/ Quarkus
-   [#&#8203;31236](quarkusio/quarkus#31236) - Bump postgresql from 42.5.3 to 42.5.4
-   [#&#8203;31234](quarkusio/quarkus#31234) - Bump mermaid from 9.1.1 to 9.4.0
-   [#&#8203;31231](quarkusio/quarkus#31231) - RESTEasy reactive returns an empty InputStream instead of null on 204 - No Content response
-   [#&#8203;31211](quarkusio/quarkus#31211) - Fix the non-default constructor mechanism of bytecode recording \[2.16]
-   [#&#8203;31209](quarkusio/quarkus#31209) - Another fix for the Redis Search aggregation test
-   [#&#8203;31186](quarkusio/quarkus#31186) - Show how to enable all origins in HTTP CORS section
-   [#&#8203;31150](quarkusio/quarkus#31150) - Add keycloak authorization capability
-   [#&#8203;31127](quarkusio/quarkus#31127) - Enhancements to instructions for contributing to the Quarkus docs
-   [#&#8203;31334](quarkusio/quarkus#31334) - podman4 can't build any code with quarkus builder
-   [#&#8203;30601](quarkusio/quarkus#30601) - Generate a preview website for documentation MRs
-   [#&#8203;30549](quarkusio/quarkus#30549) - Enhancements and fixes for the Authorization of Web Endpoints section
-   [#&#8203;30419](quarkusio/quarkus#30419) - Enhancing the Authorization of Web endpoints guide
-   [#&#8203;30333](quarkusio/quarkus#30333) - Can't work with Google Oauth2 using qaurkus-oidc
-   [#&#8203;29427](quarkusio/quarkus#29427) - quarkus.oidc.auth-server-url causing weird start-up failure
-   [#&#8203;26152](quarkusio/quarkus#26152) - Resteasy Reactive: ContextResolver<ObjectMapper> not used

</details>

<details>
<summary>quarkusio/quarkus-platform</summary>

### [`v2.16.4.Final`](quarkusio/quarkus-platform@2.16.3.Final...2.16.4.Final)

[Compare Source](quarkusio/quarkus-platform@2.16.3.Final...2.16.4.Final)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/oidc kind/bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants