Quarkus jwt-authentication-with-http-only-cookie #47200
Replies: 2 comments 4 replies
-
|
/cc @sberyozkin (jwt) |
Beta Was this translation helpful? Give feedback.
-
|
Hi @Nikhil12894, I commented at https://stackoverflow.com/questions/79558948/quarkus-jwt-authentication-with-http-only-cookie |
Beta Was this translation helpful? Give feedback.
-
|
now I am using this only quarkus:
http:
port: 8080
cors:
enabled: true
origins: /.*/
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
# Keycloak configuration
oidc:
auth-server-url: http://localhost:8180/realms/quarkus # Replace with your Keycloak URL
client-id: frontend # Replace with your Keycloak client ID
credentials:
secret: secret # Replace with your Keycloak client secret
application-type: service # Or 'web-app' if BFF handles UI redirects directly
authentication:
session-age: 3600
cookie-path: /
cookie-secure: false
scopes: openid, profile, emailI'm trying to authenticate a request to my secured API by sending the access_token in a cookie, but I'm receiving a 401 error. I also attempted to use a filter to set the Authorization in the header, but I'm still getting a 401 response. How can I resolve this issue? @Provider
@Priority(Priorities.AUTHENTICATION-1)
@Slf4j
public class CookieTokenFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
Cookie cookie = requestContext.getCookies().get("access_token");
if (cookie != null) {
String token = cookie.getValue();
log.debug("Token cookie value: {}", token); // this is printing <--
if (token != null && !token.isEmpty()) {
// requestContext.getHeaders().putSingle("Authorization", "Bearer " + token);
requestContext.getHeaders().add("Authorization", "Bearer " + token);
}
}
}
} |
Beta Was this translation helpful? Give feedback.
-
|
@Nikhil12894 I'd recommend using a |
Beta Was this translation helpful? Give feedback.
-
|
@sberyozkin but when I am using web-app, the my SAP app calls this for login const login = () => {
const currentPage = encodeURIComponent(window.location.href); // Get current page
localStorage.setItem("postLoginRedirect", currentPage); // Store it for safety
const domain = encodeURIComponent(window.location.hostname); // Get the domain (e.g., "app.example.com")
// When the user wants to log in, redirect to the backend login endpoint
// The backend will handle the Keycloak login flow and redirect back
window.location.href = `${API_URL}/api/auth/login?state=${currentPage}&domain=${domain}`;
};and then calling this to check if the user is logged in? const isUserLoggedIn = async () => {
try {
const response = await fetch("http://localhost:8080/api/auth/secure/check-login", {
method: "GET",
credentials: 'include', // 🔥 This sends the cookie
});
if (response.status === 401) {
setIsLogin(false);
} else {
console.log(response);
setIsLogin(true);
}
} catch (error) {
console.error("Authentication failed", error);
setIsLogin(false);
}finally{
setAuthChecked(true); // ✅ mark auth check complete
}
};corresponding java code: LOGIN: @GET
@Path("/login")
public Response login(@QueryParam(STATE) String redirectUri,@QueryParam(DOMAIN) String domain) {
// For 'web-app' type, this would typically trigger a redirect to Keycloak.
// For 'service' type, you'd handle token exchange manually.
// This example assumes 'web-app' for simplicity of initial login.
String scope = URLEncoder.encode("openid profile email", StandardCharsets.UTF_8);
String stateParam = (redirectUri != null && !redirectUri.isEmpty()) ? STATE_PARAM + redirectUri : "";
String authUrl = authServerUrl + PROTOCOL_OPENID_CONNECT_AUTH +
RESPONSE_TYPE_CODE_PARAM +
CLIENT_ID_PARAM + clientId +
REDIRECT_URI_PARAM + URLEncoder.encode(callbackUrl, StandardCharsets.UTF_8) + // Configure your callback URI
SCOPE_PARAM + scope + "&domain=" + domain +
stateParam;
log.info("Redirecting to Keycloak Auth URL: {}", authUrl);
return Response.seeOther(java.net.URI.create(authUrl)).build();
}Callback: @GET
@Path("/callback")
public Response callback(@QueryParam(CODE) String code, @QueryParam(STATE) String state,@QueryParam(DOMAIN) String domain) {
if (code == null || code.isEmpty()) {
return Response.status(Response.Status.BAD_REQUEST).entity("Authorization code missing.").build();
}
log.info("Received authorization code: {}", code);
log.info("Received state: {}", state);
log.info("Received domain: {}", domain);
try {
Form form = new Form()
.param(GRANT_TYPE, AUTHORIZATION_CODE)
.param(CODE, code)
.param(REDIRECT_URI, callbackUrl)
.param(CLIENT_ID, clientId)
.param(CLIENT_SECRET, clientSecret); // Only if your client is confidential
Response tokenResponse = ClientBuilder.newClient()
.target(authServerUrl + PROTOCOL_OPENID_CONNECT_TOKEN)
.request(MediaType.APPLICATION_FORM_URLENCODED)
.post(Entity.form(form));
log.info("Token response status: " + tokenResponse);
log.info("Token response status code: {}", tokenResponse.getStatus());
if (tokenResponse.getStatusInfo().getFamily() == Response.Status.Family.SUCCESSFUL) {
Map<String, Object> tokens = tokenResponse.readEntity(Map.class);
String accessToken = (String) tokens.get(ACCESS_TOKEN);
String idToken = (String) tokens.get(ID_TOKEN);
String refreshToken = (String) tokens.get(REFRESH_TOKEN);
// Redirect user to the stored path or default to dashboard
String redirectUrl = (state != null ? state : ""); //+ "?token=" + accessToken;ß
return Response.seeOther(java.net.URI.create(redirectUrl))
.cookie(
new NewCookie.Builder(ACCESS_TOKEN).value( accessToken).domain(domain).path("/").maxAge(60*5).httpOnly(true).sameSite(NewCookie.SameSite.STRICT).build(),
new NewCookie.Builder(REFRESH_TOKEN).value( refreshToken).domain(domain).path("/").maxAge(60*60*24*7).httpOnly(true).sameSite(NewCookie.SameSite.STRICT).build(),
new NewCookie.Builder("q_token").value( accessToken).domain(domain).path("/").maxAge(60*5).httpOnly(true).sameSite(NewCookie.SameSite.STRICT).comment("q_token").build()
)
.build();
} else {
String error = tokenResponse.readEntity(String.class);
log.error("Error during token exchange: {} - {}", tokenResponse.getStatus(), error);
return Response.status(Response.Status.BAD_REQUEST).entity("Token exchange failed: " + error).build();
}
} catch (Exception e) {
log.error("Exception during callback processing: {}", e.getMessage());
return Response.serverError().entity("Callback processing error.").build();
} finally {
// Ensure the tokenResponse is closed
}
}getting 401 now My motto is to develop an auth-bff where the login, logout, and registration should happen through the Quarkus App, i.e I don't want any keycloak config in the SAP app |
Beta Was this translation helpful? Give feedback.
-
|
@Nikhil12894, I'm finding it difficult to follow all this code. If you would like to work with quarkus oidc then you should not be required to write any Java code. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
I am using OIDC with Quarkus and logging in through the backend API only. Once the login callback is called, I set the access token in a cookie. However, when I attempt to use that cookie to authenticate my requests, I always receive a 403 Forbidden error.
Login Api:
Callback APi:
Application.yaml:
JS Code:
Beta Was this translation helpful? Give feedback.
All reactions