OIDC: New tenant specific service to map a TokenCredential to a SecurityIdentity #24069

Closed
knutwannheden opened this issue Mar 3, 2022 · 3 comments · Fixed by #36631

@knutwannheden
Contributor

Description

With #24051 an attempt was made to allow the OidcIdentityProvider to be used to parse an access token and map it to a SecurityIdentity. However, the OidcIdentityProvider implements multi-tenancy and to determine the applicable tenant it needs the Vert.x RoutingContext (cf. DefaultTenantConfigResolver#resolveContext()), which thus won't work when there is no request (e.g. when processing is triggered from the scheduler).

Thus, this issue requests a new injectable service which represents a tenant-specific configuration (request scoped), which would allow mapping a TokenCredential (or TokenAuthenticationRequest?) to a SecurityIdentity. A dedicated annotation would allow injecting the service for the default tenant configuration or a named tenant configuration (name as given in Quarkus configuration).

Implementation ideas

The PR #24051 provides a test case that may serve as an example and basis for a test for this feature.

@quarkus-bot

quarkus-bot bot commented Mar 3, 2022

/cc @pedroigor, @sberyozkin

sberyozkin self-assigned this Feb 16, 2023

@sberyozkin
Member

sberyozkin commented Oct 5, 2023

@michalvavrik Just FYI, please add to your queue if it can be of interest. I think this can indeed be a useful enhancement - it is about verifying the bearer access after the request has been completed, I've seen more than one query about it.

@michalvavrik
Contributor

I'm on it.
