
JWT guide: rewrite token generation part #9252

Closed
FroMage opened this issue May 13, 2020 · 6 comments · Fixed by #10780
Labels: area/security, kind/enhancement (New feature or request)

FroMage (Member) commented May 13, 2020

On https://quarkus.io/guides/security-jwt#generating-a-jwt

We have a horrible main class meant to generate a token, which takes a token from a JSON file and requires that we run a program to get a token which we use for testing.

The entire main class could be rewritten as:

```java
import java.util.Arrays;
import java.util.HashSet;
import javax.json.Json;
import org.eclipse.microprofile.jwt.Claims;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtClaimsBuilder;

public class GenerateToken {

    public static void main(String[] args) {
        JwtClaimsBuilder builder1 = Jwt.claims();
        // JWT time claims (auth_time, iat, exp) are seconds since the epoch, not milliseconds
        long now = System.currentTimeMillis() / 1000;
        builder1
            .claim(Claims.auth_time.name(), now)
            .groups(new HashSet<>(Arrays.asList("Echoer", "Tester", "Subscriber", "group2")))
            .claim("roleMappings", Json.createObjectBuilder().add("group1", "Group1MappedRole").add("group2", "Group2MappedRole").build())
            .subject("jdoe-using-jwt-rbac")
            .upn("jdoe@quarkus.io")
            .preferredUserName("jdoe")
            .issuer("https://quarkus.io/using-jwt-rbac")
            .issuedAt(now)
            .expiresAt(now + 200)   // token is valid for 200 seconds
            .audience("using-jwt-rbac");
        // Sign with the key configured for the smallrye-jwt build API
        String jwt = builder1.jws().sign();
        System.out.println(jwt);
    }
}
```

And in the last section https://quarkus.io/guides/security-jwt#generate-jwt-tokens we describe this a bit, but we don't say that only the following payload is required for RBAC:

```java
import java.util.Arrays;
import java.util.HashSet;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtClaimsBuilder;

// Only the groups (used for the role check) and the issuer (matched against mp.jwt.verify.issuer) are needed
JwtClaimsBuilder builder1 = Jwt.claims();
builder1
    .groups(new HashSet<>(Arrays.asList("Echoer", "Tester", "Subscriber", "group2")))
    .issuer("https://quarkus.io/using-jwt-rbac");
String jwt = builder1.jws().sign();
```

We're also missing a "Testing" section that could tell me this is all I need for testing:

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;

import java.util.Arrays;
import java.util.HashSet;

import org.junit.jupiter.api.Test;

import io.quarkus.test.junit.QuarkusTest;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtClaimsBuilder;

@QuarkusTest
public class AppTest {

    @Test
    public void test() {
        // Build and sign the token inside the test instead of reading one from disk
        JwtClaimsBuilder builder1 = Jwt.claims();
        builder1
            .groups(new HashSet<>(Arrays.asList("Echoer", "Tester", "Subscriber", "group2")))
            .issuer("https://quarkus.io/using-jwt-rbac");
        String jwt = builder1.jws().sign();

        given()
            .header("Authorization", "Bearer " + jwt)
        .when()
            .get("/")
        .then()
            .statusCode(200)
            .body(is("hello"));
    }
}
```
FroMage added the kind/enhancement (New feature or request) and area/security labels May 13, 2020
FroMage (Member, Author) commented May 13, 2020

For @sberyozkin again?

sberyozkin (Member) commented

Hi @FroMage
Do you mean the original TokenUtils.generateTokenString(...)? Yeah, I kept it and just replaced the Nimbus and then Jose4j code inside it. I can drop TokenUtils.

FYI, you only need a .jws() transition to set the headers, otherwise just builder1.sign() will do.

There will be more properties added (for kid, token lifespan, issuer, etc.) and shortcuts added, so in simple cases one would just do Jwt.sign("token.json").

OK, I'll deal with some cleanup

FroMage (Member, Author) commented May 13, 2020

> There will be more properties added (for kid, token lifespan, issuer, etc.) and shortcuts added, so in simple cases one would just do Jwt.sign("token.json").

This doesn't appear to be useful for tests. I really dislike having a token saved in a file rather than programmatically created for the test, which is why I didn't want to see a token on disk.

sberyozkin (Member) commented

@FroMage Yeah, well, TCK tests use some JSON resources, I suppose. Any JSON is a set of claims; a JWT is just that JSON, where every top-level property, called a claim, is signed :-). So what is on the disk is some JSON. This shortcut like Jwt.sign("some.json") turns that into an actual token. But indeed, when dealing with the existing JSON resources, it can be better to get them with claims(jsonResName) and then add more claims...
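The following is an added example, not code from this issue or from the Quarkus project. It covers both the "Testing" section FroMage asks for in the opening post and the claims(jsonResName)-then-add-claims pattern mentioned just above: one @QuarkusTest that builds every token programmatically and checks not only the happy path but the failure modes a security-minded test should pin down (wrong issuer, missing group, expired token). It assumes, as labelled in the comments, that "/" is protected with @RolesAllowed("Subscriber") and returns "hello", that the test profile configures the signing key, the matching verification key and mp.jwt.verify.issuer=https://quarkus.io/using-jwt-rbac, and that a constructed src/test/resources/token.json exists; the class name, the helper method and the sample issuer value are assumptions too.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.junit.jupiter.api.Test;

import io.quarkus.test.junit.QuarkusTest;
import io.smallrye.jwt.build.Jwt;

@QuarkusTest
public class JwtRbacTest {

    // Assumptions (not from the issue): "/" is annotated @RolesAllowed("Subscriber") and returns
    // "hello"; the test profile configures the signing key, the matching verification key and
    // mp.jwt.verify.issuer=https://quarkus.io/using-jwt-rbac.
    private static final String ISSUER = "https://quarkus.io/using-jwt-rbac";
    private static final Set<String> ALL_GROUPS =
            new HashSet<>(Arrays.asList("Echoer", "Tester", "Subscriber", "group2"));

    // Hypothetical helper: send the token as a Bearer credential and return only the status code
    private static int statusFor(String jwt) {
        return given()
                .header("Authorization", "Bearer " + jwt)
                .when().get("/")
                .then().extract().statusCode();
    }

    @Test
    public void validTokenIsAccepted() {
        // Groups and issuer are all RBAC needs; sign() alone is enough when no JWS header has to be set
        String jwt = Jwt.claims().groups(ALL_GROUPS).issuer(ISSUER).sign();
        given().header("Authorization", "Bearer " + jwt)
                .when().get("/")
                .then().statusCode(200).body(is("hello"));
    }

    @Test
    public void wrongIssuerIsRejected() {
        // The signature is valid but iss does not match mp.jwt.verify.issuer, so verification
        // fails before any role check: the caller is unauthenticated (401), not forbidden (403)
        String jwt = Jwt.claims().groups(ALL_GROUPS).issuer("https://other.example/issuer").sign();
        assertEquals(401, statusFor(jwt));
    }

    @Test
    public void missingGroupIsForbidden() {
        // A verified identity that lacks the required group is authenticated but not authorized
        String jwt = Jwt.claims().groups(Collections.singleton("Echoer")).issuer(ISSUER).sign();
        assertEquals(403, statusFor(jwt));
    }

    @Test
    public void expiredTokenIsRejected() {
        // exp lies an hour in the past, well outside the expiration grace period smallrye-jwt allows
        long now = System.currentTimeMillis() / 1000;
        String jwt = Jwt.claims().groups(ALL_GROUPS).issuer(ISSUER)
                .issuedAt(now - 7200).expiresAt(now - 3600).sign();
        assertEquals(401, statusFor(jwt));
    }

    @Test
    public void claimsLoadedFromJsonResourceThenExtended() {
        // Jwt.claims(location) reads a JSON claims document (constructed src/test/resources/token.json,
        // e.g. {"sub": "jdoe", "upn": "jdoe@quarkus.io"}); the test then adds what RBAC needs and signs
        String jwt = Jwt.claims("token.json").issuer(ISSUER).groups(ALL_GROUPS).sign();
        assertEquals(200, statusFor(jwt));
    }
}
```

The 401-versus-403 distinction is the part worth keeping in a regression suite: a wrong issuer or an expired exp must fail at verification (401), while a correctly signed token that merely lacks the group must fail at authorization (403). If the two ever swap, either the issuer check has been disabled or the role mapping has changed, and a test built on a token file copied from disk would not notice.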

sberyozkin (Member) commented

@FroMage By the way, I really like your original idea of having no arg sign(), etc

sberyozkin added this to the 1.7.0 - master milestone Jul 14, 2020
sberyozkin self-assigned this Jul 14, 2020