Using Quarkus with JWT with Custom Header and Payload

[cesarjv]

Good afternoon, I am currently in a project in which it is required to configure authentication with JWT but in this case the header and payload configuration is required as follows:

Header:

{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "Telefonica"
}

Payload:

{
"iss": "02ZCqmyy_IiyQMtuDIWYRM4cc6oa", 
"aud": "https://localhost:9443/oauth2/token",
"iat": 1695913106,
"exp": 1696013906,
"jti": "10185",
"consumer_id": "aura-bot",
"channel": "novum",
"sub": "02ZCqmyy_IiyQMtuDIWYRM4cc6oa",
"scope": "openid" 
}

My question is, can I implement this in Quarkus with JWT, since until now I have seen examples but very simple, not with a custom payload and I have not found many examples like that and I don't know where to start.

I also need to implement a JWKS Endpoint to validate the token in question, ruling out the option of a private and public certificate.

[quarkus-bot[bot]]

/cc @sberyozkin (jwt)

[sberyozkin]

@cesarjv Hi, can you clarify your requirement please ? What you have shown above is a usual JWT token headers and claims in decoded form.

A rare enough case is that you have to verify tokens signed by symmetric keys, in such cases, you need to have a secret key represented as JWK key, please check the JWT RBAC guide (sorry for not linking, away from my laptop).

As far as the custom payload is concerned, do you mean you need to access token claims aftet the signature verification? Inject the token as JsonWebToken.

Also if the keys are only available remotely at the JWKS endpoint, then you configure smallrye-jwt to point to it, the only problem is that this endpoint must really be accessed securely, preferably over mTLS if the symmetric secret keys, as opposed to public keys, have to be fetched

[cesarjv]

Hi @sberyozkin thank you very much for your response. I attach the document of what they are requesting from me, to see if I understand it more clearly, since explaining it here can be complicated. Thank you very much for the help and if you can guide me how to solve
Access to OB APIs protected by OAuth from the 4Pv2.1.0-3-5.pdf

[cesarjv]

Basically it is asking me for an authenticator using JWT in which the following claims must be sent in the signed jwt:

Header:

{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "Telefonica"
}

Payload:

{
"iss": "02ZCqmyy_IiyQMtuDIWYRM4cc6oa", 
"aud": "https://localhost:9443/oauth2/token",
"iat": 1695913106,
"exp": 1696013906,
"jti": "10185",
"consumer_id": "aura-bot",
"channel": "novum",
"sub": "02ZCqmyy_IiyQMtuDIWYRM4cc6oa",
"scope": "openid" 
}

The iss, sub, jti fields that come in the signed JWT must be validated

[sberyozkin]

@cesarjv This document outlines a complete architecture, it looks like 3 distinctive steps are involved

1. You need to create a signed token which will be used as a client_credentials assertion, in order to acquire a JWT access token.
2. Once you get this token it must be forwarded to the API endpoint which must verify it
3. API endpoint propagates this token further

To address the point 1, you need to use https://quarkus.io/guides/security-jwt-build, it is very easy to use, you only need to figure which key to use, secret key (as per your example which mentions HS256), or private asymmetric key as per the doc (which mentions RS256) - then the key can be loaded programmatically, or configured to be loaded from the classpath or even from the remote location. You write a code like Jwt.issue("").jws().keyId("a").sign() etc, whatever variation you need, the token build API will support it.

Now that you have the client creadentials assertion token you can use OidcClient to exchange it for the access token.
For example, https://quarkus.io/guides/security-openid-connect-client-reference#client-credentials-grant

See also https://quarkus.io/guides/security-openid-connect-client-reference#oidc-client-authentication, client_secret_jwt option, looks like it is what you need to use ?

Steps 2, 3 can be dealt with later.

For now, please get past Step 1. Generate a token using https://quarkus.io/guides/security-jwt-build,
then try use OidcClient to acquire the access token.

[sberyozkin]

@cesarjv If it is indeed a client_secret_jwt authentication that you have to use for OidcClient client_credentials then Quarkus will do everything, will generate the token as expected, get the access token. Then you'd attach @OidcCientFilter to the REST client which will push this token to the API endpoint etc.

But in any case, please start experimenting with using OidcClient, its client_secret_jwt authentication option as described, and simply print the returned access token for now to prove it works and then further steps can be undertaken

[cesarjv]

Hi @sberyozkin I will start working on it and I will be telling you the results here, thank you very much for giving me an idea to start.