Support JWT bearer client authentication for quarkus-oidc
#40013
Comments
|
/cc @geoand (kubernetes), @iocanel (kubernetes), @pedroigor (bearer-token,oidc) |
|
Perhaps |
|
For me as for the end-user, the ideal option would be setting configuration properties like:
And then have Quarkus read the token and set it as a |
Then it would make it possible to use What I'm trying to say is that if such a feature is added to Quarkus it fits much better with other OIDC-related extensions than implementing custom request filters. However, I might not be aware of the whole picture, so I am looking forward to hearing from you |
|
@martaisty Well, then it would require Quarkus scan that location and that location can be anywhere, in the file system, in Kubernetes, correctly pick up the token which Azure may be refreshing, it does look like it is out of scope. As far as the same filter impacting both extensions is concerned, it can only cause side-effects if you have an endpoint protected by OIDC (the filter runs) and in scope of the current request, OIDC client also runs (and again the same filter runs), but it can only cause side-effects if both extensions want to use the filter for different purposes. We've thought with @pedroigor about it, and as far as I recall, the plan in this case is to add a Scope annotation, thus restricting a given filter to the client or server scope only. |
|
|
@martaisty #38458 also mentions:
So as I said, that means Quarkus itself would need to run a timer, check that location, compare it with the original token. In general, we do try to help users as much as we can, but this kind of work does look like something that is out of scope. |
|
I thought about a solution involving a cache, similar to this: read the token from FS and save it, whenever this token is needed check @sberyozkin that's a good point, I just thought k8s service account token volume projection is more or less common to worth being implemented (https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection)
Never mind, as long as filters can do the job, this |
|
@martaisty This is a good idea, thanks for it, it is just that at the get go I'd like to avoid a specialized, possibly very provider specific solution and just make sure that concept of the filters supplying extra request parameters dynamically works. |
|
I am testing JWT bearer client authentication with Quarkus version 3.11.2, following the instructions detailed at Quarkus Security OpenID Connect Client Reference. To implement this, I created a custom filter that overrides the The issue I am encountering is that the setup only works with the initially exchanged access token. Once this token expires, it appears that the |
|
@Sopka Apologies for a delay, missed this comment.
I don't see why it can be happening. This
But what is important is that what drives it all is the current request flowing through the filter. Would you like to try to debug at those points ? Do debug log messages for I've also added more log messages at #41638 |
|
@martaisty FYI, I've added this issue to the proposed WG list of tasks at #42116. Also, I'm leaning toward supporting it exactly as you proposed. Unfortunately it will take a bit more time but this issue is tracked, thanks |
Description
Sometimes, OIDC clients are expected to authenticate using an out of band, so called JWT bearer token, provided, for example, in Kubernetes or some shared secured file folder. Furthermore these tokens can be dynamic, so they can't configured in properties.
#38541 made it possible to easily pick up such tokens from custom OIDC client filters.
However,
quarkus-oidcdoes not support this case yet.Implementation ideas
May be
OidcRequestFiltercan be used to augment the request by setting a property onOidcRequestContextProperties, exactly as it can be done on RoutingContext.The text was updated successfully, but these errors were encountered: