KeyCloak jwt support #73
Comments
The current JWT impl can handle the KeyCloak tokens if you use it like:

```java
JsonObject config = new JsonObject().put("public-key", "BASE64-ENCODED-PUBLIC_KEY");
AuthProvider provider = JWTAuth.create(vertx, config);
```

The main problem now is to tell the JWT where to look for the roles. In the default implementation it looks for a JSON object hash, while on KeyCloak the token has a top-level set of hashes:
One way to "fix" could be where this is used: Then, instead of assuming a direct key, parse it as a path, say:
However, this would give you the basic roles; it does not do the extra KeyCloak-specific validations such as
Took a while to get back to this issue (holidays), but I just created a PR.
#73 Added support for roles in nested object structure
I guess this issue can be closed now after the merge?
Scenario: A JavaScript UI that uses the KeyCloak redirect flow, and a Vert.x REST backend. The UI authenticates with the redirect and gets a token from KeyCloak. The token is added to each request to the Vert.x backend.
The KeyCloak token is, according to the KeyCloak docs, "an extension of JWT". The token is self-contained, meaning that user info such as the user's roles is embedded in the token. To check authorization for a specific action on the Vert.x backend, the backend would have to verify the token (using the public key) and read the roles from the token. No communication with KeyCloak is required.
Problem: The oauth2 module for Vert.x supports KeyCloak, but only the redirect flow. This is not useful in the scenario where Vert.x is only used for serving the backend. The jwt module sort of does the right thing, but doesn't seem to support KeyCloak token. This has to do with the specific format of the token, but I'm not sure about the details of this problem.
This should be supported out of the box. I did create a workaround, but this relies on an implementation class from the oauth2 module. Alternatively one of the available 3rd party JWT libraries could be used, but support in Vert.x would be a lot easier.
The following is an example of the code that I'm currently using for auth, based on the TokenVerifier, which is an implementation class. The WebUser type is just a wrapper. Once we decide on the correct solution I would be happy to work on a PR.