
OIDC authentication for discovery endpoints #38246

Closed
01epa opened this issue Jan 17, 2024 · 5 comments

Comments


01epa commented Jan 17, 2024

Description

I want to set up OIDC authentication in a Quarkus service where the auth service is Kubernetes.

So, I want to send a service account token to my Quarkus service, validate it using the public key (retrieved from the OIDC endpoints), extract roles from the token and perform authorization.

But when I tried to access the well-known configuration endpoint I got 403 Unauthorized. To access it I have to provide a service account token of my own service.

Kubernetes has support for OIDC endpoints, but they are closed with authentication:

The recommended way to authenticate to the API server is with a service account credential.

Can you provide some way to set authorization header?

Probably it is better to add custom header interceptors to a client or some client customizer.

Here is the place where the client is created via new and later passed to the OidcCommonUtils.discoverMetadata() method:

WebClient client = WebClient.create(new io.vertx.mutiny.core.Vertx(vertx), options);

Implementation ideas

No response

@01epa 01epa added the kind/enhancement New feature or request label Jan 17, 2024

quarkus-bot bot commented Jan 17, 2024

/cc @geoand (kubernetes), @iocanel (kubernetes), @pedroigor (oidc), @sberyozkin (oidc)

@01epa 01epa changed the title OIDC authinetication for discovery endpoints OIDC authintication for discovery endpoints Jan 17, 2024
@01epa 01epa changed the title OIDC authintication for discovery endpoints OIDC authentication for discovery endpoints Jan 17, 2024
@sberyozkin (Member)

@01epa This can now be supported easily with the custom OidcRequestFilter, https://quarkus.io/guides/security-openid-connect-client-reference#oidc-client-filters, which works for quarkus-oidc as well.

Specifically, this shows how to intercept discovery requests only:

https://github.com/quarkusio/quarkus/blob/main/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/OidcDiscoveryRequestCustomizer.java

Can you try it and close the issue once you confirm it works?

@sberyozkin (Member)

@01epa 3.7.0.CR1, which will have this annotation feature, is about to be released, but you can test even in 3.6.x; in 3.6.x one needs to check manually if the current request targets the discovery endpoint.
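The filter the two comments above describe, written out as an added example (this is not code from the issue, from the linked integration test, or from the Quarkus project itself). It uses the manual URI check that works on 3.6.x rather than the newer per-endpoint annotation, reads the pod's own service account token from the standard Kubernetes projected-token mount, and attaches it as a bearer credential only to requests for the discovery document. Assumptions: the package and class names are hypothetical; the filter signature is the 3.6/3.7-era one with a Vert.x HttpRequest and Buffer; the token path is the default Kubernetes mount; the JWKS path is included because the API server protects it with the same RBAC as the discovery document, which the issue itself does not mention.

```java
package org.acme.oidc; // hypothetical package, not part of Quarkus

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

import jakarta.enterprise.context.ApplicationScoped;

import io.quarkus.oidc.common.OidcRequestContextProperties;
import io.quarkus.oidc.common.OidcRequestFilter;
import io.vertx.core.buffer.Buffer;
import io.vertx.mutiny.ext.web.client.HttpRequest;

/**
 * Presents the pod's own service account token to the Kubernetes API server
 * so that quarkus-oidc can read the OIDC discovery document (and the JWKS it
 * points at), both of which Kubernetes gates behind RBAC.
 *
 * The token is only attached to those two well-known paths: the same bean
 * sees every request quarkus-oidc makes, and the service account token is the
 * service's own identity, so it should not be sprayed on anything else.
 */
@ApplicationScoped
public class KubernetesDiscoveryAuthFilter implements OidcRequestFilter {

    // Kubernetes-specific paths. The discovery path is the standard OIDC one;
    // the JWKS path is the one the API server advertises in jwks_uri (assumption:
    // your cluster has not changed the default serving paths).
    static final Set<String> PROTECTED_PATHS = Set.of(
            "/.well-known/openid-configuration",
            "/openid/v1/jwks");

    // Default projected service account token mount inside a pod.
    static final Path SA_TOKEN_FILE =
            Path.of("/var/run/secrets/kubernetes.io/serviceaccount/token");

    @Override
    public void filter(HttpRequest<Buffer> request, Buffer requestBody,
            OidcRequestContextProperties contextProperties) {
        // 3.6.x-style manual check; on 3.7+ the bean could instead be annotated
        // with @OidcEndpoint(value = Type.DISCOVERY) and skip this test.
        if (!isProtectedKubernetesPath(request.uri())) {
            return;
        }
        String token = readServiceAccountToken();
        if (token != null && !token.isEmpty()) {
            request.putHeader("Authorization", "Bearer " + token);
        }
        // If the token file is missing we deliberately send the request
        // unauthenticated; the resulting 403 is the useful error to see in logs.
    }

    /** True for the discovery and JWKS paths only; query strings are ignored. */
    static boolean isProtectedKubernetesPath(String uri) {
        int q = uri.indexOf('?');
        String path = q >= 0 ? uri.substring(0, q) : uri;
        return PROTECTED_PATHS.stream().anyMatch(path::endsWith);
    }

    /**
     * Re-read on every matching request rather than cached: projected tokens
     * are rotated by the kubelet, and discovery happens rarely enough that the
     * file read is negligible.
     */
    static String readServiceAccountToken() {
        try {
            return Files.readString(SA_TOKEN_FILE, StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            return null;
        }
    }
}
```

Two checks worth doing before relying on this: confirm the cluster still binds the system:service-account-issuer-discovery ClusterRole to the system:serviceaccounts group (that binding is what lets any pod's token read these two endpoints; if an administrator removed it, bind it to the service's own service account), and confirm with a curl from inside the pod that the jwks_uri in the discovery document answers 200 with the same bearer token, since a filter that only covers discovery leaves the key fetch failing with the same 403 the issue started from.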

@01epa
Author

01epa commented Jan 18, 2024

I checked what you suggested. This is exactly what I wanted. Thanks. Also I saw your MR with specifying endpoints to apply the filter. Will wait for the next Quarkus release as well.

@01epa 01epa closed this as completed Jan 18, 2024
@sberyozkin (Member)

@01epa FYI, 3.7.0.CR1 has just been released by @gsmet
