Replies: 4 comments 1 reply
- /cc @pedroigor, @sberyozkin
- Hi @ctron, I think #24069 would help in this case, since with a WS message the token is provided out of band. Unfortunately I can't commit to addressing #24069, but if we now have two use cases supporting fixing #24069 then it certainly makes sense to consider prioritizing it.
- I think I have something that works, however I am not sure I do it the right way, and I do believe there is some room for improvement:

```java
import javax.inject.Inject;   // jakarta.inject.Inject on Quarkus 3
import javax.websocket.CloseReason;
import javax.websocket.Session;
import org.jboss.logging.Logger;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;

class MyWebSocketStuff {
    private static final Logger logger = Logger.getLogger(MyWebSocketStuff.class);
    @Inject
    IdentityProviderManager identityProviderManager;
    private volatile SecurityIdentity identity;

    private void handleAccessToken(Session session, String accessToken) {
        // The token arrives in a WS message, so wrap it as a bearer-token request by hand
        var request = new TokenAuthenticationRequest(new AccessTokenCredential(accessToken));
        // The OIDC provider expects a RoutingContext attribute; DummyRoutingContext is the
        // poster's own placeholder class and is not shown in the thread
        HttpSecurityUtils.setRoutingContextAttribute(request, new DummyRoutingContext());
        this.identityProviderManager
                .authenticate(request)
                .subscribe()
                .with(this::setIdentity, (error) -> {
                    logger.warn("Failed to validate token", error);
                    try {
                        session.close(new CloseReason(CloseReason.CloseCodes.UNEXPECTED_CONDITION,
                                String.format("Failed to validate token: %s", error.getMessage())));
                    } catch (java.io.IOException e) {
                        logger.warn("Failed to close session", e);
                    }
                });
    }

    private void setIdentity(SecurityIdentity identity) { this.identity = identity; }
}
```

I need to set a
- Yeah, it does look like #24069 is the way forward :-)
- I am trying to create a WebSocket endpoint authenticated using the same OIDC setup as I have in the other parts of my application.
Unfortunately, from the browser, it is not possible to add a bearer token to the websocket open call. Also, when the token expires, I would like the user to resubmit a new one, without closing the websocket connection. So instead of authenticating during the GET part of the HTTP request, the endpoint is unsecured, but the session must be initiated by the user by sending a WS message with the access token. The user also must re-send this message with a new token before it expires. As long as the server side has a valid token, the session remains open.
So my question is: how do I manually validate the OIDC access token, re-using the same configuration as with the rest of the application? I was basically following this tutorial: https://quarkus.io/guides/security-openid-connect
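The flow the question describes (endpoint open at the HTTP upgrade, access token delivered in a WS message, renewal before expiry, session closed when the token lapses), as an added example that is not code from the thread or from Quarkus. It builds on the IdentityProviderManager call shown in the reply above and keeps that reply's RoutingContext workaround: DummyRoutingContext is the poster's placeholder and is not defined here. The "auth:<token>" frame format and the TokenRenewingEndpoint name are constructed for this example; the javax.* imports match Quarkus 2.x (jakarta.* on Quarkus 3). The expiry comes from the JWT exp claim on the principal, so an introspected opaque token is refused rather than guessed at.

```java
import java.io.IOException;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.enterprise.context.ApplicationScoped;   // jakarta.* on Quarkus 3
import javax.inject.Inject;
import javax.websocket.CloseReason;
import javax.websocket.OnClose;
import javax.websocket.OnMessage;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jboss.logging.Logger;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.vertx.core.Vertx;

@ServerEndpoint("/ws")   // constructed path; the endpoint itself is not secured at the upgrade
@ApplicationScoped
public class TokenRenewingEndpoint {
    private static final Logger LOG = Logger.getLogger(TokenRenewingEndpoint.class);
    // Constructed wire format: a text frame "auth:<access token>" delivers or renews the token
    private static final String AUTH_PREFIX = "auth:";

    @Inject IdentityProviderManager identityProviderManager;
    @Inject Vertx vertx;

    // Per-session state: the validated identity plus the Vert.x timer that expires it
    private static final class SessionState {
        volatile SecurityIdentity identity;
        volatile long expiryTimerId = -1;
    }
    private final Map<String, SessionState> sessions = new ConcurrentHashMap<>();

    @OnMessage
    public void onMessage(String message, Session session) {
        SessionState state = sessions.computeIfAbsent(session.getId(), id -> new SessionState());
        if (message.startsWith(AUTH_PREFIX)) {
            authenticate(session, state, message.substring(AUTH_PREFIX.length()));
            return;
        }
        if (state.identity == null) {
            // No application traffic is accepted until a token has been validated
            close(session, CloseReason.CloseCodes.VIOLATED_POLICY, "authenticate first");
            return;
        }
        session.getAsyncRemote().sendText("hello " + state.identity.getPrincipal().getName());
    }

    private void authenticate(Session session, SessionState state, String accessToken) {
        var request = new TokenAuthenticationRequest(new AccessTokenCredential(accessToken));
        // Same RoutingContext workaround as in the thread; DummyRoutingContext is a placeholder
        HttpSecurityUtils.setRoutingContextAttribute(request, new DummyRoutingContext());
        identityProviderManager.authenticate(request).subscribe().with(identity -> {
            SecurityIdentity previous = state.identity;
            if (previous != null && !previous.getPrincipal().getName().equals(identity.getPrincipal().getName())) {
                // A renewal must come from the same user; never let an open session change hands
                close(session, CloseReason.CloseCodes.VIOLATED_POLICY, "renewal for a different subject");
                return;
            }
            state.identity = identity;
            scheduleExpiry(session, state, identity);
            session.getAsyncRemote().sendText("authenticated");   // ack so the client knows it may send
        }, error -> {
            LOG.warn("Token validation failed", error);
            close(session, CloseReason.CloseCodes.UNEXPECTED_CONDITION, "invalid token");
        });
    }

    // Arm a timer at the token's exp claim; a renewed token cancels the previous timer
    private void scheduleExpiry(Session session, SessionState state, SecurityIdentity identity) {
        if (state.expiryTimerId != -1) vertx.cancelTimer(state.expiryTimerId);
        if (!(identity.getPrincipal() instanceof JsonWebToken)) {
            // An introspected opaque token carries no exp claim on the principal; refuse rather than guess
            close(session, CloseReason.CloseCodes.UNEXPECTED_CONDITION, "token expiry unknown");
            return;
        }
        long expMillis = ((JsonWebToken) identity.getPrincipal()).getExpirationTime() * 1000;
        long delay = Math.max(1, expMillis - Instant.now().toEpochMilli());
        state.expiryTimerId = vertx.setTimer(delay, ignored -> {
            state.identity = null;
            close(session, CloseReason.CloseCodes.GOING_AWAY, "token expired without renewal");
        });
    }

    @OnClose
    public void onClose(Session session) {
        SessionState state = sessions.remove(session.getId());
        if (state != null && state.expiryTimerId != -1) vertx.cancelTimer(state.expiryTimerId);
    }

    private static void close(Session session, CloseReason.CloseCodes code, String reason) {
        try {
            session.close(new CloseReason(code, reason));
        } catch (IOException e) {
            LOG.debug("Failed to close session", e);
        }
    }
}
```

The client sends "auth:<token>" as its first frame, waits for the "authenticated" ack before sending anything else, and repeats the auth frame with a fresh token before the current one's exp; the timer is re-armed on every successful renewal, so a session that stops renewing is closed at the last validated expiry instead of living on indefinitely. The same-subject check on renewal matters because the upgrade itself is unauthenticated: without it, any valid token for any user could take over an already open session.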