How to @Inject JsonWebToken when having both quarkus-smallrye-jwt and quarkus-oidc in Quarkus application

[trunghoangminh]

In my Quarkus application, there are two types of authentication:

1. Locally => I'm using quarkus-smallrye-jwt to authen local.

<dependency>
  <groupId>io.quarkus</groupId>
  <artifactId>quarkus-smallrye-jwt</artifactId>
</dependency>

2. SSO via Keycloak => I'm using quarkus-oidc to authen with Keycloak

<dependency>
  <groupId>io.quarkus</groupId>
  <artifactId>quarkus-oidc</artifactId>
</dependency>

For the controllers are marked @Authenticated then @Inject JsonWebToken it will return DefaultJWTCallerPrincipal(proxy OidcJsonWebTokenProducer).

@Authenticated
@Path("/api/v1/oidc")
public class OIDCController {

    @Inject
    @IdToken
    JsonWebToken jwt;

    @POST
    @Path("/login")
    @Produces(MediaType.APPLICATION_JSON)
    public Uni<Response> login() {
    	...
    }
}

For normal controllers used local JWT then @Inject JsonWebToken it will return NullJsonWebToken(proxy OidcJsonWebTokenProducer) => my expected is that it will return DefaultJWTCallerPrincipal(proxy JwtPrincipalProducer) instead.

@Path("/api/v1/auth")
public class AuthenticationController {

    @Inject
    JsonWebToken jwt;

    @POST
    @Path("/login")
    @Produces(MediaType.APPLICATION_JSON)
    public Uni<Response> login() {
    	...
    }
}

So, do we have any ways to configure this one?

[quarkus-bot[bot]]

/cc @Ladicek (smallrye), @jmartisk (smallrye), @pedroigor (oidc), @phillip-kruger (smallrye), @radcortez (smallrye), @sberyozkin (jwt,oidc)

[sberyozkin]

@trunghoangminh

Can you try configuring a path based authentication:
https://quarkus.io/guides/security-authentication-mechanisms-concept#path-specific-authentication-mechanisms

bearer mechanism provided by smallrye-jwt would cover the local authentication paths, code (it is not mentioned in those docs though) provided by quarkus-oidc would cover the path requiring Keycloak authentication.

I'm not sure though it will fix the ambiguity with JsonWebToken producers, both quarkus-smallrye-jwt and quarkus-oidc provide bearer token authentication and support this injection without @IdToken qualifier.

I think the best solution should be to have SecurityIdentity injected instead for the local authentication and then cast getPrincipal() to JsonWebToken and likely complement it with the path based authentication to ensure quarkus-oidc is not trying to handle the local authentication

[trunghoangminh]

Thank for your help @sberyozkin. But it's still conflicted for the providers.

java.lang.NullPointerException: Cannot invoke "io.vertx.ext.web.RoutingContext.put(String, Object)" because "vertxContext" is null
at io.quarkus.oidc.runtime.OidcIdentityProvider.authenticate(OidcIdentityProvider.java:62)
at io.quarkus.oidc.runtime.OidcIdentityProvider_Subclass.authenticate$$superforward1(Unknown Source)
at io.quarkus.oidc.runtime.OidcIdentityProvider_Subclass$$function$$10.apply(Unknown Source)
at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:54)
at io.quarkus.arc.runtime.devconsole.InvocationInterceptor.proceed(InvocationInterceptor.java:62)
at io.quarkus.arc.runtime.devconsole.InvocationInterceptor.monitor(InvocationInterceptor.java:51)
at io.quarkus.arc.runtime.devconsole.InvocationInterceptor_Bean.intercept(Unknown Source)
at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:41)
at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:41)
at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:32)
at io.quarkus.oidc.runtime.OidcIdentityProvider_Subclass.authenticate(Unknown Source)
at io.quarkus.oidc.runtime.OidcIdentityProvider.authenticate(OidcIdentityProvider.java:36)
at io.quarkus.oidc.runtime.OidcIdentityProvider_ClientProxy.authenticate(Unknown Source)
at io.quarkus.security.runtime.QuarkusIdentityProviderManagerImpl.handleProvider(QuarkusIdentityProviderManagerImpl.java:143)
at io.quarkus.security.runtime.QuarkusIdentityProviderManagerImpl.authenticate(QuarkusIdentityProviderManagerImpl.java:98)
at io.quarkus.security.identity.IdentityProviderManagerCreator_ProducerMethod_ipm_91f102be1b2a781216db8a81e6ab4b9b1a84f03c_ClientProxy.authenticate(Unknown Source)
at io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism.authenticate(JWTAuthMechanism.java:46)
at io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism_Subclass.authenticate$$superforward1(Unknown Source)
at io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism_Subclass$$function$$3.apply(Unknown Source)
at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:54)
at io.quarkus.arc.runtime.devconsole.InvocationInterceptor.proceed(InvocationInterceptor.java:62)
at io.quarkus.arc.runtime.devconsole.InvocationInterceptor.monitor(InvocationInterceptor.java:51)
at io.quarkus.arc.runtime.devconsole.InvocationInterceptor_Bean.intercept(Unknown Source)
at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:41)
at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:41)
at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:32)
at io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism_Subclass.authenticate(Unknown Source)
at io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism_ClientProxy.authenticate(Unknown Source)

1. If login with the controller local JWT first then MpJwtValidator will be used as picture below:
   Here is code in the fw QuarkusIdentityProviderManagerImpl when debugging:

private <T extends AuthenticationRequest> Uni<SecurityIdentity> handleProvider(int pos,
        List<IdentityProvider<T>> providers, T request, AuthenticationRequestContext context) {
    if (pos == providers.size()) {
        //we failed to authentication
        log.debug("Authentication failed as providers would authenticate the request");
        return Uni.createFrom().failure(new AuthenticationFailedException());
    }
    IdentityProvider<T> current = providers.get(pos);
    Uni<SecurityIdentity> cs = current.authenticate(request, context)
            .onItem().transformToUni(new Function<SecurityIdentity, Uni<? extends SecurityIdentity>>() {
                @Override
                public Uni<SecurityIdentity> apply(SecurityIdentity securityIdentity) {
                    if (securityIdentity != null) {
                        return Uni.createFrom().item(securityIdentity);
                    }
                    return handleProvider(pos + 1, providers, request, context);
                }
            });
    return cs.onItem().transformToUni(new Function<SecurityIdentity, Uni<? extends SecurityIdentity>>() {
        @Override
        public Uni<? extends SecurityIdentity> apply(SecurityIdentity securityIdentity) {
            return handleIdentityFromProvider(0, securityIdentity, context);
        }
    });
} 

=> So, this provider will be used for OIDC controllers as well since I saw that local JWT and OIDC used the same TokenAuthenticationRequest. That causes an exception above.

2. If login with OIDC controller first then OidcIdentityProvider will be used as picture below:
   

=> So, this provider will be used for normal controllers as well
Can we custom if path for OIDC then use OidcIdentityProvider and normal path then use MpJwtValidator?

[sberyozkin]

@trunghoangminh Have you applied a path-based boundary ? That should help, can I have a look at the current controller code (just the one related to the injection) and application.properties ?

[trunghoangminh]

@sberyozkin
The error here is coming from when trying to authen local JWT after already login to Keycloak

@Authenticated
@Tag(name = "OIDC", description = "OIDC API")
@Path("/api/v1/oidc")
@SecurityRequirement(name = AuthenticationController.AUTH_SCHEME_NAME)
public class OIDCController {

    @Inject
    @IdToken
    JsonWebToken jwt;

    /**
     * Dummy controller for redirect to Keycloak server
     *
     * @return
     */
    @GET
    @Path("/login")
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
    public Uni<Response> login() {
        return Uni.createFrom().voidItem().map(ignore -> {
            return Response.status(Response.Status.MOVED_PERMANENTLY)
                .location(URI.create(String.format("%s/auth/oidc/callback", address)))
                .build();
        });
    }

@Path("/api/v1/auth")
@SecurityScheme(
        securitySchemeName = AuthenticationController.AUTH_SCHEME_NAME,
        type = SecuritySchemeType.HTTP,
        scheme = "bearer",
        bearerFormat = "JWT"
)
public class AuthenticationController {
    public static final String AUTH_SCHEME_NAME = "bearerAuth";

    @Inject
    AuthenticationService service;

    @Inject
    SecurityIdentity securityIdentity;
.....
}

I already moved @Inject JsonWebToken to (JsonWebToken) securityIdentity.getPrincipal()

These are all about JWT configs and OIDC configs.

quarkus.oidc.application-type=web-app
quarkus.oidc.auth-server-url=http://localhost:8080/realms/demo
quarkus.oidc.client-id=demo
quarkus.oidc.credentials.secret=gJwTFAy5TZWo6WNHIsbdo352GfIxkj4b

JWT_KEY=${AP{APP_JWT_KEY:OQ_L7ErRsE1qGwFmkog_Mdper2D4cocBppAFuRukZP8}
JWT_ALG=${APP_JWT_ALG:HS256}
APP_JWK={"kty":"oct","kid":"app-jwt-key","alg":"${JWT_ALG}","k":"${JWT_KEY}"}
mp.jwt.verify.publickey=${APP_JWK}
mp.jwt.verify.publickey.algorithm=${JWT_ALG}
smallrye.jwt.sign.key=${APP_JWK}
smallrye.jwt.new-token.signature-algorithm=${JWT_ALG}

For path-based boundary, I already though about this one. But the smallrye-jwt and OIDC token are "Bearer". So, do we have any ways to config them?
My quarkus version I used that is 2.7.3.Final

[sberyozkin]

@trunghoangminh 2.7.3.Final is the very old version, please try to update to the newer one if you can.

Right, the problem is, you are trying to combine 2 conflicting mechanisms, oidc and jwt, both of them can support the token authentication.
I recommend to move to the latest version either in the 3.x or if not possible in 2.16.x streams first, in latest versions, OidcIdentityProvider will only work with requests coming from quarkus-oidc: https://github.com/quarkusio/quarkus/blob/main/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcIdentityProvider.java#L66

So if smallrye-jwt creates an authentication request then the OIDC identity provider will ignore it and the one provided by smallrye-jwt will be tried

Give it a try please

[trunghoangminh]

Thank for your help @sberyozkin

[sberyozkin]

Np at all @trunghoangminh, hope you will make it work