cert chain public key resolver thumbprints about quarkus HOT 4 CLOSED

/cc @pedroigor (bearer-token,oidc)

from quarkus.

@calvernaz As far as I recall it is a root cert thumbprint, will look next week, thanks

from quarkus.

Correction: it is a subject certificate one, at least in the test

from quarkus.

So, in prod, the truststores may not have the leaf/subject certificates, but only the root certificates.

Right now, Quarkus OIDC expects the leaf certificate be in the store as it must trust the leaf certificate itself - as per the x5c claim specification it is this certificate that must be used to verify the signature.

If we have a situation where the truststore only has a root certificate there must be a way to identify at the quarkus-oidc level the leaf certificate which is a signature verification certificate - using CName is what has to be done in such cases.

For example: quarkus.oidc.certificate-chain.cname. Adding this CName will help to assert that this is indeed the expected leaf certificate. And if this property is set then Quarkus will expect the root certificate in the x5c chain match the keystore certificate thumbprint.

It can be made more configurable later but for now lets try to stay quite strict with respect to accepting such chains.

from quarkus.