Support for OIDC SPIFFE Client Authentication by sberyozkin · Pull Request #53773 · quarkusio/quarkus

sberyozkin · 2026-04-23T13:04:33Z

This PR adds support for using SPIFFE JWT tokens for the client authentication between Quarkus OIDC and providers such as Keycloak.

It builds upon the work done by @michalvavrik, with the demo work from @sabre1041 and @maia-iyer at https://github.com/sabre1041/keycloakcon-spiffe/ clarifying a typical pattern for using such tokens for the client authentication.

This PR will fix the linked issue.

As far as X509 client authentication is concerned, it is expected to work out of the box where the OIDC client certificate is located in the file, though I think we'll need to figure out how to handle the dynamism associated with such certificates being regularly refreshed. It will be another enhancement request

sberyozkin · 2026-04-23T14:16:15Z

I forgot to add a test resource, it caused the compilation failure.
Also, dismissed alerts as false postives, no actual token is logged, only its type

github-actions · 2026-04-23T14:50:45Z

🙈 The PR is closed and the preview is expired.

michalvavrik · 2026-04-23T16:07:50Z

I'll review sometimes tomorrow.

michalvavrik

I only run quickly through it + asked Claude to check it. I'll read it properly again when you address my comments. I already did a lot of unrelated reading today, so I need to check tonight. But I presume it will be fine. Thanks

sberyozkin · 2026-04-24T18:15:49Z

Thanks @michalvavrik , I'll have a look

michalvavrik

I checked again, looks fine. Let's address at least some of my comments and then we can ask George to review.

sberyozkin · 2026-04-27T12:03:24Z

@michalvavrik Please have another quick check when you get a chance, I updated the code to log and return null, no actual log statements are checks but null is checked. Did a few field name updates, for ex, jwtAssertionProvided is a flag that indicates that it is not generated but provided...

quarkus-bot · 2026-04-27T12:38:37Z

Status for workflow `Quarkus Documentation CI`

This is the status report for running Quarkus Documentation CI on commit dca417c.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

quarkus-bot · 2026-04-27T12:55:55Z

Status for workflow `Quarkus CI`

This is the status report for running Quarkus CI on commit dca417c.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

michalvavrik

LGTM, thanks

sberyozkin · 2026-04-27T13:39:48Z

Thanks @michalvavrik @gastaldi, I had to dismiss a few more false positive alerts related to a possible logging of the token, as no actual token is logged

sberyozkin requested a review from michalvavrik April 23, 2026 13:04

sberyozkin temporarily deployed to ci April 23, 2026 13:04 — with GitHub Actions Inactive

sberyozkin added the release/noteworthy-feature label Apr 23, 2026

quarkus-bot Bot added area/docstyle issues related for manual docstyle review area/documentation area/oidc labels Apr 23, 2026

This comment has been minimized.

Sign in to view

github-advanced-security AI found potential problems Apr 23, 2026

View reviewed changes

sberyozkin force-pushed the spiffe_client_authentication branch from 8998167 to 1e43f3b Compare April 23, 2026 14:15

sberyozkin temporarily deployed to ci April 23, 2026 14:15 — with GitHub Actions Inactive

This comment has been minimized.

Sign in to view