How to implement a custom authentication mechanism

[danilopiazza]

Hi,

In my Quarkus application, I am interacting with a legacy service with requires a stateful authentication mechanism (an old-fashioned session ID).

The legacy service exposes a login endpoint, which opens a session (returning the session ID) given a JWT token.

So far, I have manually implemented this authentication workflow for each API:

1. Get the JWT token (from the Authorization header, using @HeaderParam).
2. Call the login endpoint (as a @RestClient) to get the session ID.
3. Finally, call the legacy service with the session ID (in a custom HTTP header).

Pseudo-code example:

@RestClient
LoginService loginService;
@RestClient
AwesomeService awesomeService;

@GET
public AwesomeResponse doSomething(@HeaderParam("Authorization") token, ...) {
    var sessionId = loginService(token); // This line should be automated
    return awesomeService.doAwesomeThing(sessionId, ...);
}

How can I automate my custom authentication workflow? I thought about:

1. Using (or abusing) JWTCallerPrincipalFactory from quarkus-smallrye-jwt to call the login endpoint and store the session ID in a custom JWTCallerPrincipal subclass.
2. Implementing a HttpAuthenticationMechanism, using OAuth2AuthMechanism from `quarkus-elytron-security-oauth2 as a guiding example.

Am I on the right track with any of these solutions?

[sberyozkin]

Hi @danilopiazza

Doing a custom HttpAuthenticationMechanism would give you more flexibility, though the authentication is really about securing an access to doSomething, while your task is to facilitate an access to the AwesomeService via an intermediate state id acquisition.

May be you can push this state id acquisition to the container request filter and then access the prepared state id in the endpoint method ? See #41770 for a general idea of how it might be done

[danilopiazza]

Thanks! @NameBinding works very well for this use case.

[danilopiazza]

After some more experimentation, I am relying on JWTAuthMechanism from quarkus-smallrye-jwt to extract the bearer token from the Authorization header and perform some sanity checks (is the header present, does its value start with "Bearer", etc.), and I just needed to implement my own IdentityProvider<TokenAuthenticationRequest>:

@Alternative
@Priority(1)
@ApplicationScoped
public class MyIdentityProvider implements IdentityProvider<TokenAuthenticationRequest> {
    @RestClient
    LoginService loginService;

    @Override
    public Class<TokenAuthenticationRequest> getRequestType() {
        return TokenAuthenticationRequest.class;
    }

    @Override
    public Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest request, AuthenticationRequestContext context) {
        return context.runBlocking(() -> {
            var sessionId = loginService.login(request.getToken().getToken()); // Obtains the state ID from the JWT token
            return QuarkusSecurityIdentity.builder()
                    .setPrincipal(...)
                    .addCredential(new SessionIdCredential(sessionId))
                    .build();
        });
    }
}

The @Alternative and @Priority(1) annotations should not be required: see #42126.

Given this identity provider implementation, I can annotate my endpoints with @Authenticated and inject SecurityIdentity:

@Inject
SecurityIdentity identity;

using it to retrieve the state ID, stored as a credential:

var sessionCredential = identity.getCredential(SessionIdCredential.class);

[sberyozkin]

@danilopiazza, sure, thanks for the update