Rest service authentication via Api-Key

[mickroll]

Hey there!
I am implementing a http rest service right now and I am looking for an example of using an api-key http-header for authentication.
So far i have reached my goal with a custom javax.ws.rs.container.ContainerRequestFilter, but a solution provided by quarkus would be favorable.
io.vertx.ext.web.handler.APIKeyHandler looked promising, but i have found no way of using it by configuration only.
FYI @sberyozkin

[sberyozkin]

Hi @mickroll Well, converting an API key into a security identity is an application specific task, I'm not sure it can be generalized, This key is just some value which Quarkus can't itself introspect in order to figure out how to map it to SecurityIdentity.

Unless it is a JWT token - in this case quarkus-smallrye-jwt is a Quarkus specific solution which can get these tokens from Authorization, custom headers and cookies, verify these tokens and map them to SecurityIdentity. quarkus-oidc for service applications can do it too (cookies are not supported though, only custom headers)

[mickroll]

Thanks for replying so fast.

No, it is not a JWT Token.

I imagined some simple config like:

quarkus.http.auth.static.type=[header|query|cookie]  # options like in io.vertx.ext.web.handler.APIKeyHandler
quarkus.http.auth.static.key=X-API-KEY       # could also be 'Authorization' for basic auth
quarkus.http.auth.static.value=our secret    # could be 'Basic [base64(name:pw)]' for basic auth

...but the more i am writing about it, the less generic it feels.

[brunobastosg]

I have the same requirement and have been using ContainerRequestFilter as well. But it would be nice if Quarkus supported it out of the box.