Processing JWT groups in OIDC provider

[mattjlewis]

Using Helidon 2.0-SNAPSHOT with OIDC and I am trying to get the @RolesAllowed annotations working. I can see that the user groups are being returned by the OIDC provider, however, the groups are not being translated into roles in the Subject. Comparing io.helidon.security.providers.oidc.OidcProvider against io.helidon.microprofile.jwt.auth.JwtAuthProvider I can see that the latter has these additional lines of code:

Optional<List<String>> userGroups = jwt.userGroups();
userGroups.ifPresent(groups -> groups.forEach(group -> subjectBuilder.addGrant(Role.create(group))));

Not sure if #478 would fix this.

[mattjlewis]

Ok, I'm a little bit confused on the difference between JwtAuthProvider and JwtProvider and how to correctly configure the corresponding Maven dependencies. I think it is as follows:
JWT:

		<dependency>
			<groupId>io.helidon.security.providers</groupId>
			<artifactId>helidon-security-providers-jwt</artifactId>
		</dependency>

OIDC:

		<dependency>
			<groupId>io.helidon.microprofile</groupId>
			<artifactId>helidon-microprofile-oidc</artifactId>
		</dependency>

JWT Auth is the one that confuses me a little as helidon-microprofile-jwt-auth-cdi is automatically included as part of the io.helidon.microprofile.bundles:helidon-microprofile dependency. The above two OIDC and JWT dependencies aren't.

		<dependency>
			<groupId>io.helidon.microprofile.jwt</groupId>
			<artifactId>helidon-microprofile-jwt-auth</artifactId>
		</dependency>

Both OIDC and JWT need the additional code to map groups to roles. I can now get all three providers to work - only the JWT-Auth one has the group to role mapping code in the current Helidon codebase.

[spericas]

@tomas-langer?

[tomas-langer]

Jwt Auth provider is an implementation of a MicroProfile specification.
The other providers are general security providers that work both in SE and in MP.
I think we can add this line of code to all our JWT providers (e.g. if groups claim exists, use it).

[mattjlewis]

Yes please, that would be great. BTW, I do plan to use MP JWT-Auth as my application is based on Helidon-MP - I assume that would be the recommendation?

[tomas-langer]

That really depends on what you want to achieve. If you have security resolved in your infrastructure (e.g. redirection to login page etc.) and you have a JWT in each header, then the MP JWT-Auth is the simplest way to go.
If you need to do some advanced stuff (e.g. you want to redirect to login page from Helidon, or you want to use Oracle IDCS to obtain roles, propagate tokens, or create new tokens for outbound), then you would use one of the providers we have.

[tomas-langer]

I will add the groups feature to OidcProvider and JwtProvider. Delaying the refactoring to #478