Skip to content

feat(sda-commons-client-jersey): add oidc startup validation toggle#4491

Merged
JoergSiebahn merged 1 commit into
SDA-SE:mainfrom
sabkuehn:feat/oidc-valid
Jul 3, 2026
Merged

feat(sda-commons-client-jersey): add oidc startup validation toggle#4491
JoergSiebahn merged 1 commit into
SDA-SE:mainfrom
sabkuehn:feat/oidc-valid

Conversation

@sabkuehn

@sabkuehn sabkuehn commented Jul 2, 2026

Copy link
Copy Markdown

Add OIDC_STARTUP_VALIDATION_DISABLED to control startup-time validation of OIDC token retrieval. The default keeps validation disabled for backward compatibility.

Motivation: error message was previously lost in the business request
Before this change, there was no startup validation for the OIDC configuration. When the token endpoint was misconfigured or unreachable, the failure only surfaced during an actual business request and even then, only as a missing Authorization header with a warning log, making the root cause hard to diagnose.
This PR adds startup validation (startupValidationDisabled = false) so that a misconfigured OIDC setup fails fast and loudly at application startup.

@sabkuehn sabkuehn requested a review from a team as a code owner July 2, 2026 11:20

@JoergSiebahn JoergSiebahn left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @sabkuehn,

thanks for the contribution. It makes sense to have the option to validate the token retrieval on startup. There are some minor things I'm struggling with. Could you have a look at the comments below?

Comment thread docs/client-jersey.md Outdated
* Disable retrieving a new token completely. Not meant for production!
* Example: `false`

- _OIDC_STARTUP_VALIDATION_DISABLED_

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion it's more intuitive when booleans have a default of false. What do you think about enableStartupValidation? I'm open for other suggestions.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. Changed to OIDC_ENABLE_STARTUP_VALIDATION.

OidcResult oidcResult;
try {
oidcResult = oidcClient.createAccessToken();
} catch (Exception e) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

createAccessToken does not declare any exception. So we could catch RuntimeException here.

Suggested change
} catch (Exception e) {
} catch (RuntimeException e) {

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated


private String scope;

private boolean startupValidationDisabled = true;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So above:

Suggested change
private boolean startupValidationDisabled = true;
private boolean enableStartupValidation;

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

Comment thread docs/client-jersey.md Outdated

- _OIDC_STARTUP_VALIDATION_DISABLED_
* Disables startup validation of the OIDC configuration by skipping an initial access-token retrieval.
* Set to `false` to fail fast during startup if the OIDC provider is unreachable or misconfigured.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it worth to mention, that this validation only validates token retrieval but not if the token is suitable to access the resource server?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added

* initialized, the token endpoint cannot be reached, or no valid access token can be
* retrieved
*/
public void validateOidcConfig() {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this method need to be public? I only can see it's called within the class. If it's private we don't need to keep the configuration as a member and we would not have another method that is bound to SemVer rules regarding breaking changes.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed to private.

Comment on lines +94 to +100
return "OIDC startup validation failed. "
+ detail
+ " Configuration: issuerUrl='"
+ oidcConfiguration.getIssuerUrl()
+ "', grantType='"
+ oidcConfiguration.getGrantType()
+ "'. Check OIDC provider settings.";

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: This may use String format:

Suggested change
return "OIDC startup validation failed. "
+ detail
+ " Configuration: issuerUrl='"
+ oidcConfiguration.getIssuerUrl()
+ "', grantType='"
+ oidcConfiguration.getGrantType()
+ "'. Check OIDC provider settings.";
return "OIDC startup validation failed. %s Configuration: issuerUrl='%s', grantType='%s'. Check OIDC provider settings."
.format(detail, oidcConfiguration.getIssuerUrl(), oidcConfiguration.getGrantType());

(The suggestion may not pass the code format requirement)

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

buildOidcConfigValidationErrorMessage("Token retrieval failed."), e);
}

if (oidcResult == null || oidcResult.getState() != OidcState.OK) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this check only for ERROR? The state SKIPPED indicates that OIDC is disabled. That should be a valid case for validation.

Suggested change
if (oidcResult == null || oidcResult.getState() != OidcState.OK) {
if (oidcResult == null || oidcResult.getState() == OidcState.ERROR) {

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

Add OIDC_ENABLE_STARTUP_VALIDATION to control startup-time validation of OIDC token retrieval. The default keeps validation disabled for backward compatibility.

@JoergSiebahn JoergSiebahn left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @sabkuehn

@JoergSiebahn JoergSiebahn merged commit 298669b into SDA-SE:main Jul 3, 2026
17 checks passed
@SDABot

SDABot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 9.2.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@SDABot SDABot added the released label Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants