I tried to write a SecurityIdentityAugmentor that reuses the JWT to check with another service for a set of roles, since the JWT doesn't have the complete set of roles in this environment.
Initially, I tried to write a simple Quarkus REST client that used the AccessTokenRequestReactiveFilter and would get the JWT injected into the HTTP Bearer header, but that filter was unable to see a token in the context.
I found some StackOverflow hints that suggested I could strip the raw token from the identity and then wire up the REST client to just toss the token in the HTTP Bearer header, but this feels wrong. It seems like I should be able to wire up Quarkus to do this for me.
This is the code I've come up with, where I'm doing the work of @RegisterProvider(AccessTokenRequestReactiveFilter.class):
```java
// Imports and the enclosing class (hypothetical name RolesAugmentor) added so the snippet compiles;
// javax.* packages match the Quarkus 2.x era of this issue, on Quarkus 3 they are jakarta.*
import java.security.Principal;
import java.util.List;
import java.util.function.Supplier;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.eclipse.microprofile.rest.client.inject.RestClient;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;

@ApplicationScoped
public class RolesAugmentor implements SecurityIdentityAugmentor {
    @Inject @RestClient protected AuthServiceClient authServiceClient;

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        // The REST call blocks, so it is handed to a worker thread
        return context.runBlocking(build(identity));
    }

    protected Supplier<SecurityIdentity> build(SecurityIdentity identity) {
        if (identity.isAnonymous()) {
            return () -> identity;
        } else {
            return () -> {
                QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);
                // TODO: way to do this that doesn't involve handling the raw JWT?
                Principal principal = identity.getPrincipal();
                if (principal instanceof JsonWebToken) {
                    JsonWebToken jwtToken = (JsonWebToken) principal;
                    // getRoles returns Uni<List<String>>; awaiting is safe here because runBlocking
                    // executes this supplier off the event loop
                    List<String> roles = authServiceClient.getRoles(jwtToken.getRawToken()).await().indefinitely();
                    roles.forEach(builder::addRole);
                }
                return builder.build();
            };
        }
    }
}
```
And then the snippet from the REST client:
```java
// Interface wrapper and imports added so the snippet compiles (configKey "auth-service" is hypothetical);
// javax.ws.rs becomes jakarta.ws.rs on Quarkus 3
import java.util.List;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import org.eclipse.microprofile.rest.client.annotation.ClientHeaderParam;
import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
import io.quarkus.rest.client.reactive.NotBody;
import io.smallrye.mutiny.Uni;

@RegisterRestClient(configKey = "auth-service")
public interface AuthServiceClient {
    @GET
    @Path("/roles")
    // The raw JWT is placed in the Authorization header; @NotBody keeps it out of the request body
    @ClientHeaderParam(name = "Authorization", value = "Bearer {jwtToken}")
    Uni<List<String>> getRoles(@NotBody String jwtToken);
}
```
@sberyozkin suggested that it may be possible "the token CDI producers can be tweaked a bit not to rely on the injected security identity" and asked me to open this issue.
Implementation ideas
No response
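As an added example (not the issue author's code and not a Quarkus API), here is a fully non-blocking variant of the augmentor above: it chains the Uni returned by AuthServiceClient.getRoles instead of going through runBlocking, and fails closed, so a failed role lookup never grants anything beyond what the JWT itself already carried. The class name RemoteRoleAugmentor is hypothetical; AuthServiceClient is the REST client interface from the snippet above, and the raw token is still passed by hand, which is exactly the part the issue asks Quarkus to take over.

```java
// Added example, not from the issue. Reactive variant of the role augmentor.
// javax.* packages match the Quarkus 2.x era of this issue; on Quarkus 3 they are jakarta.*
import java.util.List;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.eclipse.microprofile.rest.client.inject.RestClient;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;

@ApplicationScoped
public class RemoteRoleAugmentor implements SecurityIdentityAugmentor {

    @Inject
    @RestClient
    AuthServiceClient authServiceClient; // the REST client interface shown in the issue

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        // Anonymous requests and non-JWT principals are passed through untouched
        if (identity.isAnonymous() || !(identity.getPrincipal() instanceof JsonWebToken)) {
            return Uni.createFrom().item(identity);
        }
        String rawToken = ((JsonWebToken) identity.getPrincipal()).getRawToken();
        return authServiceClient.getRoles(rawToken)
                // Copy the verified identity and add only the roles the auth service returned
                .map(roles -> withRoles(identity, roles))
                // Fail closed: if the lookup fails, keep the original identity (the roles the JWT
                // proved) rather than failing open by guessing or retrying with stale data
                .onFailure().recoverWithItem(identity);
    }

    private static SecurityIdentity withRoles(SecurityIdentity identity, List<String> roles) {
        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);
        roles.forEach(builder::addRole);
        return builder.build();
    }
}
```

Because no runBlocking is involved, the augmentor stays on the event loop and the remote call is just another step in the authentication Uni.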
IMHO it can't be done without CDI or an ugly hack, because we need to propagate the original context with the token somehow, and OIDC token propagation reactive does not depend on Vert.X web. But it can't be done with injecting the access token as it works now. I'll have a look.