Description
Describe the bug
When using custom Jose4J validators with OIDC bearer token authentication, the WWW-Authenticate response header doesn't include the step-up authentication challenge details (error, error_description, acr_values) as it does when using the @AuthenticationContext annotation.
Expected behavior
The response should contain the full step-up authentication challenge:
WWW-Authenticate: Bearer error="insufficient_user_authentication", error_description="Token missing ACR claim", acr_values="gold,platinum"
Actual behavior
When a custom Jose4J validator throws an AuthenticationFailedException with ACR values:
throw new AuthenticationFailedException(
        "Token missing ACR claim",
        Map.of(OidcConstants.ACR_VALUES, "gold,platinum"));
The response only contains:
WWW-Authenticate: Bearer
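For context, the following is an added example (not code from the issue or from the Quarkus project) of a custom Jose4J validator of the kind the report refers to. It requires every level in an assumed REQUIRED_ACR list to be present in the token's acr claim and, when one is missing, throws the same AuthenticationFailedException with the acr_values attribute shown above; the class name, the required levels and the message wording are assumptions for illustration, and the imports follow the usual Quarkus and jose4j package names.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import jakarta.enterprise.context.ApplicationScoped;

import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwt.consumer.Validator;

import io.quarkus.arc.Unremovable;
import io.quarkus.oidc.common.runtime.OidcConstants;
import io.quarkus.security.AuthenticationFailedException;

/**
 * Example custom Jose4J validator (not part of the original issue) that
 * requires the token's "acr" claim to carry every level in REQUIRED_ACR.
 * When a level is missing it throws AuthenticationFailedException with the
 * acr_values attribute, which is the detail the WWW-Authenticate header is
 * expected to surface as a step-up challenge.
 */
@ApplicationScoped
@Unremovable
public class RequiredAcrValidator implements Validator {

    // Assumed policy for this example: both levels must be present.
    static final List<String> REQUIRED_ACR = List.of("gold", "platinum");

    @Override
    public String validate(JwtContext jwtContext) throws MalformedClaimException {
        JwtClaims claims = jwtContext.getJwtClaims();
        Set<String> present = acrValues(claims);

        if (!present.containsAll(REQUIRED_ACR)) {
            String message = present.isEmpty()
                    ? "Token missing ACR claim"
                    : "Token ACR claim does not satisfy the required levels";
            // The attribute map carries the challenge details the header should include.
            throw new AuthenticationFailedException(message,
                    Map.of(OidcConstants.ACR_VALUES, String.join(",", REQUIRED_ACR)));
        }
        // Returning null tells jose4j this validator found no problem.
        return null;
    }

    /**
     * "acr" is normally a single string, but some providers issue a JSON array;
     * both shapes are accepted here so a list-valued claim is not misread as missing.
     */
    static Set<String> acrValues(JwtClaims claims) throws MalformedClaimException {
        Set<String> values = new HashSet<>();
        if (!claims.hasClaim("acr")) {
            return values;
        }
        if (claims.isClaimValueStringList("acr")) {
            values.addAll(claims.getStringListClaimValue("acr"));
        } else {
            values.add(claims.getStringClaimValue("acr"));
        }
        return values;
    }
}
```

With this validator registered as a CDI bean, a request carrying a token without the required levels should, per the expected behavior above, receive the Bearer challenge with error, error_description and acr_values populated; the report is that only "Bearer" comes back.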
How to Reproduce?
You can go through our quarkus-test-suite repo in my branch here: quarkus-qe/quarkus-test-suite@main...jcarranzan:quarkus-test-suite:feat/oidc-step-up-auth
and enable the disabled test: testCustomJose4jValidatorRequiresMultipleAcr
Then you will see the error:
[ERROR] io.quarkus.ts.security.keycloak.oidcclient.extended.restclient.OidcStepUpAuthenticationIT.testCustomJose4jValidatorRequiresMultipleAcr -- Time elapsed: 0.187 s <<< FAILURE!
java.lang.AssertionError:
1 expectation failed.
Expected header "WWW-Authenticate" was not (a string containing "insufficient_user_authentication" and a string containing "acr_values" and a string containing "gold" and a string containing "platinum"), was "Bearer". Headers are:
www-authenticate=Bearer
content-length=0
Output of uname -a or ver
No response
Output of java -version
No response
Quarkus version or git rev
No response
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
No response