Quarkus - Keycloak - JWT Token #40165
rajesh-ryse started this conversation in Design Discussions
-
Hi @rajesh-ryse. If your SPA does not do the authorization code flow itself and relies on Quarkus to manage it, then indeed, after the user has been authenticated, the tokens acquired from the authorization code grant response are kept in the encrypted session cookie, and are analyzed when the authenticated user returns.
-
Hi,
I am a bit new to Quarkus.
I am working on authenticating users with Keycloak.
It seems that Quarkus is encrypting the JWT Token and setting it in the cookie. This is because the subsequent call from the client to role-restricted endpoints seems to be working for the right users, without the client knowing anything about the JWT Token of user roles.
Is my assumption correct?
The scenario where one microservice needs to invoke a role-restricted endpoint in another microservice:
How should we pass the user JWT Token on the HttpRequest between these microservices? Will Quarkus implicitly take care of it?
Please advise.
Thanks