micronaut-security-jwt and authorization of bearer tokens

[nedelva]

Context

I have a Micronaut Lambda RESTful application and I would like to restrict the usage of the API to only the clients that present as well a JWT token. The application will validate this token before honoring the request. (The validation will involve the Auth0 server to perform the actual authorization)

micronaut-security-jwt to the rescue!

So after reading through Micronaut Security Guide and Micronaut JWT Authentication Guide, I started by adding the needed Maven dependencies and configuration entries:

In Maven pom.xml, dependencies section:

<dependency>
	<groupId>io.micronaut.security</groupId>
	<artifactId>micronaut-security-jwt</artifactId>
</dependency>

and in the micronaut-maven-plugin configuration section:

<aotDependencies>
    <dependency>
	<groupId>io.micronaut.security</groupId>
	<artifactId>micronaut-security-aot</artifactId>
	<version>${micronaut.security.version}</version>
    </dependency>
</aotDependencies>

In my application.yaml file I added this section, (copied from Micronaut Launch generated project):

micronaut:
  security:
    authentication:
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: ${JWT_GENERATOR_SIGNATURE_SECRET:pleaseChangeThisSecretForANewOne}

And finally, I copied the aot-jar.properties file containing the configs for JAR packaging AS-IS. With only these changes and nothing else, my very simple integration test failed:

import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent;
import io.micronaut.function.aws.proxy.MockLambdaContext;
import io.micronaut.function.aws.proxy.payload1.ApiGatewayProxyRequestEventFunction;
import io.micronaut.http.HttpMethod;
import io.micronaut.http.HttpStatus;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;

class SimpleHomeControllerIntegrationTest {
    private static ApiGatewayProxyRequestEventFunction handler;

    @BeforeAll
    static void setupSpec() {
        handler = new ApiGatewayProxyRequestEventFunction();
    }

    @AfterAll
    static void cleanupSpec() {
        handler.getApplicationContext().close();
    }

    @Test
    void testIndexHandler() {
        APIGatewayProxyRequestEvent request = new APIGatewayProxyRequestEvent();
        request.setPath("/");
        request.setHttpMethod(HttpMethod.GET.toString());
        //needed to avoid a NPE at io.micronaut.function.aws.proxy.security.MicronautLambdaAuthenticationFetcher.fetchAuthentication(MicronautLambdaAuthenticationFetcher.java:81)
        APIGatewayProxyRequestEvent.ProxyRequestContext requestContext = new APIGatewayProxyRequestEvent.ProxyRequestContext();
        var response = handler.handleRequest(request, new MockLambdaContext());
        assertEquals(HttpStatus.OK.getCode(), response.getStatusCode());
    }

}

The assertion failed because now the status code is 401 (UNAUTHORIZED)
Now, it is pretty obvious that I should expect this since there was no JWT token present.

Questions:

1. How do I set up an integration test that get past that JWT authorization phase ? (either by skipping it or by using a fake token)
2. Where do I specify my Auth0-related settings? Can these be mocked/stubbed in a test?
3. The guide does not say anything about securing or using JWT tokens with Lambda. Are there any docs/resources covering this scenario?
4. The JWT guide doesn't say what's the purpose of micronaut.security.token.jwt.signatures.secret.generator.secret property. Which API uses it?
5. The same JWT guide shows a test for the controller:

    @Test
    void uponSuccessfulAuthenticationAJsonWebTokenIsIssuedToTheUser() throws ParseException {
        UsernamePasswordCredentials creds = new UsernamePasswordCredentials("sherlock", "password");
        HttpRequest<?> request = HttpRequest.POST("/login", creds); 
        HttpResponse<BearerAccessRefreshToken> rsp = client.toBlocking().exchange(request, BearerAccessRefreshToken.class); 
        assertEquals(OK, rsp.getStatus());

        BearerAccessRefreshToken bearerAccessRefreshToken = rsp.body();
        assertEquals("sherlock", bearerAccessRefreshToken.getUsername());
        assertNotNull(bearerAccessRefreshToken.getAccessToken());
        assertTrue(JWTParser.parse(bearerAccessRefreshToken.getAccessToken()) instanceof SignedJWT);

        String accessToken = bearerAccessRefreshToken.getAccessToken();
        HttpRequest<?> requestWithAuthorization = HttpRequest.GET("/")
                .accept(TEXT_PLAIN)
                .bearerAuth(accessToken); 
        HttpResponse<String> response = client.toBlocking().exchange(requestWithAuthorization, String.class);

        assertEquals(OK, rsp.getStatus());
        assertEquals("sherlock", response.body()); 
    }

• How is the "/login" resource served? there is no declaration for it in the controller.

6. Must I annotate my controller with @Secured(SecurityRule.IS_AUTHENTICATED) ? I don't need to perform any authentication process (I don't need/want to implement HttpRequestAuthenticationProvider)!
7. Is there an API that would just allow me to pass a JWT token to be validated by my Auth0 server?