Connecting to legacy OAuth providers (e.g. Twitter API v1.1). Is it possible with Quarkus?

[preslavrachev]

For one of our apps, we still use Twitter API v. 1.1., which does not support OAuth2. This means, I won't be able to rely on the OIDC configuration, but develop my authentication mechanism.

Could anyone provide me with some starting points on how to do that? Many thanks!

[sberyozkin]

It has been a long time since I was experimenting with OAuth 1.0a/1.1 but as far as the custom authentication mechanism is concerned you can register HttpAuthenticationMechanism as ApplicationScoped bean. In its authenticate method you can use Vertx Mutiny WebClient if you need to forward the incoming OAuth 1.0 headers to twitter to verify the signature

[preslavrachev]

@sberyozkin implementing HttpAuthenticationMechanism is the way to go from what I saw in the docs too. What I don't really understand in this is case is how to perform the "initial dance" - going to Twitter's authentication page, getting redirected back to a local callback endpoint, and so on. Or, should this be implemented outside the HttpAuthenticationMechanism scope? Is the mechanism only a way to do a post-signin authentication (i.e. from cookies, user session, etc.)?

[sberyozkin]

@preslavrachev I suppose you can use https://github.com/quarkusio/quarkus/blob/main/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java as a reference.

In authenticate one needs to check if it is a redirect from the provider or not. With oauth2/oidc is is based on the state query parameter and the matching state cookie.
if it is a new request - you can throw AuthenticationRedirectException redirecting the user, with the redirect URI including a callback one as a query. If it is a user returning back from the redirect then, at this point you can use Vertx Mutiny WebClient to get the temp token, and complete the flow once the temp token is returned by acquiring the access token and creating a SecurityIdentity with TokenCredential.

The time scoped session cookie can also be created once the flow completes.