Is there a way to manually verify bearer token and get SecurityIdentity, UserInfo and JsonWebToken? #30888

SetoKaiba · 2023-02-04T18:39:57Z

SetoKaiba
Feb 4, 2023

Is there a way to manually verify and get SecurityIdentity, UserInfo and JsonWebToken?
Websocket doesn't support custom header.

I know that there's a one time token way to match the rest and the websocket like the issue below.
#7414

But I'd like to know whether there's a direct way to get SecurityIdenity, UserInfo and JsonWebToken by bearer token? Because I'd like to pass the bearer token directly by websocket message.

Answered by SetoKaiba

Feb 5, 2023

Thank you. I'm using the workaround from #27754 to get the JWT now. It does meet my need currently.

View full answer

@sberyozkin · 2023-02-04T18:40:00Z

quarkus-bot[bot]
bot Feb 4, 2023

/cc @sberyozkin (security)

0 replies

SetoKaiba · 2023-02-04T18:49:22Z

SetoKaiba
Feb 4, 2023
Author

It seems that there's a workaround here.
#27754

        var request = new TokenAuthenticationRequest(new AccessTokenCredential(accessToken));
        HttpSecurityUtils.setRoutingContextAttribute(request, new DummyRoutingContext());
        identityProviderManager
                .authenticate(request)
                .subscribe()
                .with(securityIdentity1 -> {
                    logger.info(securityIdentity1.getPrincipal());
                    logger.info(((JsonWebToken) securityIdentity1.getPrincipal()).getRawToken());
                    for (String role : securityIdentity1.getRoles()) {
                        logger.info(securityIdentity1.getRoles());
                    }
                }, (error) -> {
                    logger.warn("Failed to validate token", error);
                });

This issue is reported. But it seems there's no update for the injectable service.
#24069

OK. I can get UserInfo like this. But it uses reflection and it's a bit ugly. And also, it doesn't solve the multiple tenant problem.

        var field = TenantConfigContext.class.getDeclaredField("provider");
        field.setAccessible(true);
        ((OidcProvider) field.get(defaultTenantConfigResolver.getTenantConfigBean().getDefaultTenant())).
                getUserInfo(accessToken).subscribe().with(userInfo1 -> logger.info(userInfo1.getUserInfoString()));

0 replies

sberyozkin · 2023-02-05T17:27:36Z

sberyozkin
Feb 5, 2023
Collaborator

@SetoKaiba, smallrye-jwt and JWT parser can help with simple manual verification returning JsonWebToken: https://quarkus.io/guides/security-jwt#jwt-parser

But with quarkus-oidc it is not currently possible, looks like #24069 is what is needed to be fixed to support such cases

0 replies

SetoKaiba · 2023-02-05T17:36:42Z

SetoKaiba
Feb 5, 2023
Author

Thank you. I'm using the workaround from #27754 to get the JWT now. It does meet my need currently.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Is there a way to manually verify bearer token and get SecurityIdentity, UserInfo and JsonWebToken? #30888

Uh oh!

{{title}}

Uh oh!

Replies: 4 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Is there a way to manually verify bearer token and get SecurityIdentity, UserInfo and JsonWebToken? #30888

Uh oh!

SetoKaiba Feb 4, 2023

Replies: 4 comments

Uh oh!

quarkus-bot[bot] bot Feb 4, 2023

Uh oh!

Uh oh!

SetoKaiba Feb 4, 2023 Author

Uh oh!

sberyozkin Feb 5, 2023 Collaborator

Uh oh!

Uh oh!

SetoKaiba Feb 5, 2023 Author

SetoKaiba
Feb 4, 2023

quarkus-bot[bot]
bot Feb 4, 2023

SetoKaiba
Feb 4, 2023
Author

sberyozkin
Feb 5, 2023
Collaborator

SetoKaiba
Feb 5, 2023
Author