SecurityIdentity#attribute (test) vs JsonWebToken#claim (dev, prod) ?

[col-panic]

I have a quarkus-oidc setup, connected to Keycloak. Now in the access-token I receive during prod and dev i have a claim called associated-contact-id. I can fetch this claim using

    @Inject
    JsonWebToken jwt;
    
    jwt.<String>getClaim("associated-contact-id");

Running tests in test with an annotation like

@TestSecurity(user = "testuser", roles = { "medical-user", "eraser" }, attributes = {
  @SecurityAttribute(key = "associated-contact-id", value = "256c82a7d5df4c67b5c60fb32") })
public someTest() {}

renders this associated-contact-id only available via SecurityIdentity.getAttribute("associated-contact-id")

Now what is my problem of thinking here? How to unify this? Do I have to

a) Somehow modify the settings, such that the jwt#claim goes to securityidentity#attribute OR
b) Somehow modify my test such that I set the jwt#claim insted of the securityidentity#attribute

🤔

[quarkus-bot[bot]]

/cc @sberyozkin (security)

[sberyozkin]

@col-panic You can use @OidcSecurity to set claim expectations: https://quarkus.io/guides/security-oidc-bearer-token-authentication#bearer-token-integration-testing-security-annotation

[col-panic]

@sberyozkin oh so its b) thanks a lot for the feedback! 👍 💪

For the sake of understanding - is there an approach to map JWT claims into securityidentity#attributes or would this be working against the specification/framework? Are securityidentity#attributes only meant for the framework to contain technical objects?

[sberyozkin]

Np.
Attributes are meant to keep whatever is necessary for the application but not supported directly at the identity api level.
OIDC keeps some technical objects there, but custom augmentors can add something else