OpenID Connect authorization code flow mechanism for protecting web applications
To protect your web applications, you can use the industry-standard OpenID Connect (OIDC) Authorization Code Flow mechanism provided by the Quarkus OIDC extension.
Overview of the OIDC authorization code flow mechanism
The Quarkus OpenID Connect (OIDC) extension can protect application HTTP endpoints by using the OIDC Authorization Code Flow mechanism supported by OIDC-compliant authorization servers, such as Keycloak.
The Authorization Code Flow mechanism authenticates users of your web application by redirecting them to an OIDC provider, such as Keycloak, to log in. After authentication, the OIDC provider redirects the user back to the application with an authorization code that confirms that authentication was successful. Then, the application exchanges this code with the OIDC provider for an ID token (which represents the authenticated user), an access token, and a refresh token to authorize the user’s access to the application.
The following diagram outlines the Authorization Code Flow mechanism in Quarkus.
-
The Quarkus user requests access to a Quarkus web-app application.
-
The Quarkus web-app redirects the user to the authorization endpoint, that is, the OIDC provider for authentication.
-
The OIDC provider redirects the user to a login and authentication prompt.
-
At the prompt, the user enters their user credentials.
-
The OIDC provider authenticates the user credentials entered and, if successful, issues an authorization code then redirects the user back to the Quarkus web-app with the code included as a query parameter.
-
The Quarkus web-app exchanges this authorization code with the OIDC provider for ID, access, and refresh tokens.
The authorization code flow is completed and the Quarkus web-app uses the tokens issued to access information about the user and grants the relevant role-based authorization to that user. The following tokens are issued:
-
ID token: The Quarkus
web-appapplication uses the user information in the ID token to enable the authenticated user to log in securely and to provide role-based access to the web application. -
Access token: The Quarkus web-app might use the access token to access the UserInfo API to get additional information about the authenticated user or to propagate it to another endpoint.
-
Refresh token: (Optional) If the ID and access tokens expire, the Quarkus web-app can use the refresh token to get new ID and access tokens.
See also the OIDC configuration properties reference guide.
To learn about how you can protect web applications by using the OIDC authorization code flow mechanism, see Protect a web application by using OIDC authorization code flow
If you want to protect service applications by using OIDC Bearer token authentication, see OIDC Bearer token authentication.
For information about how to support multiple tenants, see Using OpenID Connect Multi-Tenancy.
Using the authorization code flow mechanism
Configuring access to the OIDC provider endpoint
The OIDC web-app application requires URLs of the OIDC provider’s
authorization, token, JsonWebKey (JWK) set, and possibly the UserInfo,
introspection, and end session (RP-initiated logout) endpoints.
By convention, they are discovered by adding a
/.well-known/openid-configuration path to the configured
quarkus.oidc.auth-server-url.
Alternatively, if the discovery endpoint is not available, or you prefer to reduce the discovery endpoint round-trip, you can disable endpoint discovery and configure relative path values, for example:
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.discovery-enabled=false
# Authorization endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/auth
quarkus.oidc.authorization-path=/protocol/openid-connect/auth
# Token endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/token
quarkus.oidc.token-path=/protocol/openid-connect/token
# JWK set endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/certs
quarkus.oidc.jwks-path=/protocol/openid-connect/certs
# UserInfo endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/userinfo
quarkus.oidc.user-info-path=/protocol/openid-connect/userinfo
# Token Introspection endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/token/introspect
quarkus.oidc.introspection-path=/protocol/openid-connect/token/introspect
# End session endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/logout
quarkus.oidc.end-session-path=/protocol/openid-connect/logoutSome OIDC providers support metadata discovery but do not return all the endpoint URL values required for the authorization code flow to complete or to support application functions, for example, user logout. To work around this limitation, you can configure the missing endpoint URL values locally, as outlined in the following example:
# Metadata is auto-discovered but it does not return an end-session endpoint URL
quarkus.oidc.auth-server-url=http://localhost:8180/oidcprovider/account
# Configure the end-session URL locally, it can be an absolute or relative (to 'quarkus.oidc.auth-server-url') address
quarkus.oidc.end-session-path=logoutYou can use this same configuration to override a discovered endpoint URL if
that URL does not work for the local Quarkus endpoint and a more specific
value is required. For example, a provider that supports both global and
application-specific end-session endpoints returns a global end-session URL
such as http://localhost:8180/oidcprovider/account/global-logout. This
URL will log the user out of all of the applications that the user is
currently logged into. However, if the requirement is for the current
application to log the user out of only the specific application, you can
override the global end-session URL, by setting the
quarkus.oidc.end-session-path=logout parameter.
OIDC provider client authentication
OIDC providers typically require applications to be identified and
authenticated when they interact with the OIDC endpoints. Quarkus OIDC,
specifically the quarkus.oidc.runtime.OidcProviderClient class,
authenticates to the OIDC provider when the authorization code must be
exchanged for the ID, access, and refresh tokens, or when the ID and access
tokens need to be refreshed or introspected.
Typically, client id and client secrets are defined for a given application when it enlists to the OIDC provider. All the OIDC Client Authentication options are supported, for example:
client_secret_basic:quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.secret=mysecretOr:
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.client-secret.value=mysecretThe following example shows the secret retrieved from a credentials provider:
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
# This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc.credentials.client-secret.provider.key=mysecret-key
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc.credentials.client-secret.provider.name=oidc-credentials-providerclient_secret_postquarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.client-secret.value=mysecret
quarkus.oidc.credentials.client-secret.method=postclient_secret_jwt, where the signature algorithm is HS256:quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.jwt.secret=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAowclient_secret_jwt, where the secret is retrieved from a credentials provider:quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
# This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc.credentials.jwt.secret-provider.key=mysecret-key
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc.credentials.jwt.secret-provider.name=oidc-credentials-providerExample of private_key_jwt with the PEM key file, and where the signature
algorithm is RS256:
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.jwt.key-file=privateKey.pemprivate_key_jwt with the keystore file, where the signature algorithm is RS256:quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.jwt.key-store-file=keystore.jks
quarkus.oidc.credentials.jwt.key-store-password=mypassword
quarkus.oidc.credentials.jwt.key-password=mykeypassword
# Private key alias inside the keystore
quarkus.oidc.credentials.jwt.key-id=mykeyAliasUsing client_secret_jwt or private_key_jwt authentication methods
ensures that a client secret does not get sent to the OIDC provider,
therefore avoiding the risk of a secret being intercepted by a
'man-in-the-middle' attack.
Additional JWT authentication options
If client_secret_jwt, private_key_jwt authentication methods are used or
an Apple post_jwt method is used, then the JWT signature algorithm, key
identifier, audience, subject and issuer can be customized, for example:
# private_key_jwt client authentication
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.jwt.key-file=privateKey.pem
# This is a token key identifier 'kid' header - set it if your OpenID Connect provider requires it.
# Note if the key is represented in a JSON Web Key (JWK) format with a `kid` property then
# using 'quarkus.oidc.credentials.jwt.token-key-id' is not necessary.
quarkus.oidc.credentials.jwt.token-key-id=mykey
# Use RS512 signature algorithm instead of the default RS256
quarkus.oidc.credentials.jwt.signature-algorithm=RS512
# The token endpoint URL is the default audience value, use the base address URL instead:
quarkus.oidc.credentials.jwt.audience=${quarkus.oidc-client.auth-server-url}
# custom subject instead of the client id :
quarkus.oidc.credentials.jwt.subject=custom-subject
# custom issuer instead of the client id :
quarkus.oidc.credentials.jwt.issuer=custom-issuerApple POST JWT
The Apple OIDC provider uses a client_secret_post method whereby a secret
is a JWT produced with a private_key_jwt authentication method but with
the Apple account-specific issuer and subject claims.
In Quarkus Security, quarkus-oidc supports a non-standard
client_secret_post_jwt authentication method, which you can configure as
follows:
# Apple provider configuration sets a 'client_secret_post_jwt' authentication method
quarkus.oidc.provider=apple
quarkus.oidc.client-id=${apple.client-id}
quarkus.oidc.credentials.jwt.key-file=ecPrivateKey.pem
quarkus.oidc.credentials.jwt.token-key-id=${apple.key-id}
# Apple provider configuration sets ES256 signature algorithm
quarkus.oidc.credentials.jwt.subject=${apple.subject}
quarkus.oidc.credentials.jwt.issuer=${apple.issuer}mutual TLS (mTLS)
Some OpenID Connect providers might require that a client is authenticated as part of the mutual TLS authentication process.
The following example shows how you can configure quarkus-oidc to support
mTLS:
quarkus.oidc.tls.verification=certificate-validation
# Keystore configuration
quarkus.oidc.tls.key-store-file=client-keystore.jks
quarkus.oidc.tls.key-store-password=${key-store-password}
# Add more keystore properties if needed:
#quarkus.oidc.tls.key-store-alias=keyAlias
#quarkus.oidc.tls.key-store-alias-password=keyAliasPassword
# Truststore configuration
quarkus.oidc.tls.trust-store-file=client-truststore.jks
quarkus.oidc.tls.trust-store-password=${trust-store-password}
# Add more truststore properties if needed:
#quarkus.oidc.tls.trust-store-alias=certAliasIntrospection endpoint authentication
Some OIDC providers require authenticating to its introspection endpoint by
using Basic authentication and with credentials that are different to the
client_id and client_secret. If you have previously configured security
authentication to support either the`client_secret_basic` or
client_secret_post client authentication methods as described in the
OIDC provider client
authentication section, you might need to apply the additional
configuration, as follows.
If the tokens have to be introspected and the introspection
endpoint-specific authentication mechanism is required, then you can
configure quarkus-oidc, as follows:
quarkus.oidc.introspection-credentials.name=introspection-user-name
quarkus.oidc.introspection-credentials.secret=introspection-user-secretOIDC request customization
You can customize OIDC requests made by Quarkus to the OIDC provider by
registering one or more OidcRequestFiler implementations which can update
or add new request headers, please see
Client
request customization for more information.
Redirecting to and from the OIDC provider
When a user is redirected to the OpenID Connect provider to authenticate,
the redirect URL includes a redirect_uri query parameter, which indicates
to the provider where the user has to be redirected to when the
authentication is complete. In our case, this is the Quarkus application.
Quarkus sets this parameter to the current application request URL by
default. For example, if a user is trying to access a Quarkus service
endpoint at http://localhost:8080/service/1 then the redirect_uri
parameter is set to http://localhost:8080/service/1. Similarly, if the
request URL is http://localhost:8080/service/2 then the redirect_uri
parameter is set to http://localhost:8080/service/2.
Some OIDC providers require the redirect_uri to have the same value for a
given application, for example, http://localhost:8080/service/callback,
for all the redirect URLs. In such cases, a
quarkus.oidc.authentication.redirect-path property has to be set, for
example, quarkus.oidc.authentication.redirect-path=/service/callback, and
Quarkus will set the redirect_uri parameter to an absolute URL such as
http://localhost:8080/service/callback, which will be the same regardless
of the current request URL.
If quarkus.oidc.authentication.redirect-path is set but you need the
original request URL to be restored after the user has been redirected back
to a unique callback URL, for example,
http://localhost:8080/service/callback, set
quarkus.oidc.authentication.restore-path-after-redirect property to
true. This will restore the request URL such as
http://localhost:8080/service/1.
Customizing authentication requests
By default, only the response_type (set to code), scope (set to
'openid'), client_id, redirect_uri and state properties are passed as
HTTP query parameters to the OpenID Connect provider’s authorization
endpoint when the user is redirected to it to authenticate.
You can add more properties to it with
quarkus.oidc.authentication.extra-params. For example, some OIDC
providers might choose to return the authorization code as part of the
redirect URI’s fragment, which would break the authentication process. The
following example shows how you can work around this issue:
quarkus.oidc.authentication.extra-params.response_mode=queryCustomizing the authentication error response
If the user authentication fails at the OIDC authorization endpoint, then
the provider will redirect the user back to Quarkus with error and
error_description parameters instead of code. For example, this can
happen when an invalid scope or other invalid parameters are included in the
redirect to the provider.
In such cases, an HTTP 401`error will be returned by default. However, you
can instead request that a custom public error endpoint is called to return
a more user-friendly HTML error page. To do this, set the
`quarkus.oidc.authentication.error-path property, as shown in the following
example:
quarkus.oidc.authentication.error-path=/errorEnsure that the property starts with a forward slash (/) character and the
path is relative to the base URI of the current endpoint. For example, if
it is set as '/error' and the current request URI is
https://localhost:8080/callback?error=invalid_scope then a final redirect
will be made to https://localhost:8080/error?error=invalid_scope.
It is important to ensure that this error endpoint is a public resource to prevent the user from being redirected to this page to be authenticated again.
Accessing authorization data
Let’s first discuss how to access information around authorization.
Accessing ID and access tokens
The OIDC code authentication mechanism acquires three tokens during the authorization code flow: IDToken, Access Token, and Refresh Token.
ID Token is always a JWT token and is used to represent a user
authentication with the JWT claims. You can use this to get the issuing
OIDC endpoint, the username, and other information called claims. One can
access ID Token claims by injecting JsonWebToken with an IdToken
qualifier:
import jakarta.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.oidc.IdToken;
import io.quarkus.security.Authenticated;
@Path("/web-app")
@Authenticated
public class ProtectedResource {
@Inject
@IdToken
JsonWebToken idToken;
@GET
public String getUserName() {
return idToken.getName();
}
}Access Token is usually used by the OIDC web-app application to access
other endpoints on behalf of the currently logged-in user. The raw access
token can be accessed as follows:
import jakarta.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.security.Authenticated;
@Path("/web-app")
@Authenticated
public class ProtectedResource {
@Inject
JsonWebToken accessToken;
// or
// @Inject
// AccessTokenCredential accessTokenCredential;
@GET
public String getReservationOnBehalfOfUser() {
String rawAccessToken = accessToken.getRawToken();
//or
//String rawAccessToken = accessTokenCredential.getToken();
// Use the raw access token to access a remote endpoint
return getReservationfromRemoteEndpoint(rawAccesstoken);
}
}Note that AccessTokenCredential is used if the access token issued to the
Quarkus web-app application is opaque (binary) and can not be parsed to a
JsonWebToken or if the inner content is necessary for the application.
Injection of the JsonWebToken and AccessTokenCredential is supported in
both @RequestScoped and @ApplicationScoped contexts.
RefreshToken is used by Quarkusn OIDC to refresh the current ID and access tokens as part of its session management process.
User info
If the ID token does not provide enough information about the
currently-authenticated user, you can get more information from the
UserInfo endpoint. Set the
quarkus.oidc.authentication.user-info-required=true property for a
UserInfo
JSON object from the OIDC UserInfo endpoint to be requested.
A request will be sent to the OpenID Provider UserInfo endpoint using the
access token returned with the authorization code grant response and an
io.quarkus.oidc.UserInfo (a simple jakarta.json.JsonObject wrapper)
object will be created. io.quarkus.oidc.UserInfo can be either injected or
accessed as a SecurityIdentity userinfo attribute.
Accessing the OIDC configuration information
The current tenant’s discovered
OpenID
Connect Configuration Metadata is represented by
io.quarkus.oidc.OidcConfigurationMetadata and can be either injected or
accessed as a SecurityIdentity configuration-metadata attribute.
The default tenant’s OidcConfigurationMetadata is injected if the endpoint
is public.
Mapping token claims and SecurityIdentity roles
The way the roles are mapped to the SecurityIdentity roles from the verified tokens is identical to how it is done for the Bearer tokens with the only difference being that ID Token is used as a source of the roles by default.
|
If you use Keycloak, set a |
But depending on your OIDC provider, roles might be stored in the access token or the user info.
If the access token contains the roles and this access token is not meant to
be propagated to the downstream endpoints then set
quarkus.oidc.roles.source=accesstoken.
If UserInfo is the source of the roles then set
quarkus.oidc.roles.source=userinfo, and if needed,
quarkus.oidc.roles.role-claim-path.
Additionally, a custom SecurityIdentityAugmentor can also be used to add
the roles. For more information, see
SecurityIdentity
customization.
Ensuring validity of tokens and authentication data
A core part of the authentication process is ensuring the chain of trust and validity of the information. This is done by ensuring tokens are trustable.
Token verification and introspection
The verification process of OIDC authorization code flow tokens follows the Bearer token authentication token verification and introspection logic. For more information, see the Token Verification And Introspection section of the "Quarkus OpenID Connect (OIDC) Bearer token authentication" guide.
|
With Quarkus |
Token introspection and UserInfo cache
Code flow access tokens are not introspected unless they are expected to be
the source of roles. They will however be used to get UserInfo. There
will be one or two remote calls with the code flow access token, if the
token introspection and/or UserInfo are required.
Please see Token Introspection and UserInfo cache for more information about using a default token cache or registering a custom cache implementation.
JSON web token claim verification
Please see
JSON
Web Token Claim verification section about the claim verification,
including the iss (issuer) claim. It applies to ID tokens but also to
access tokens in a JWT format if the web-app application has requested the
access token verification.
Further security with Proof Key for Code Exchange (PKCE)
Proof Key for Code Exchange (PKCE) minimizes the risk of authorization code interception.
While PKCE is of primary importance to public OpenID Connect clients, such
as SPA scripts running in a browser, it can also provide an extra level of
protection to Quarkus OIDC web-app applications. With PKCE, Quarkus OIDC
web-app applications are confidential OpenID Connect clients capable of
securely storing the client secret and using it to exchange the code for the
tokens.
You can enable PKCE for your OIDC web-app endpoint with a
quarkus.oidc.authentication.pkce-required property and a 32-character
secret which is required to encrypt the PKCE code verifier in the state
cookie, as shown in the following example:
quarkus.oidc.authentication.pkce-required=true
quarkus.oidc.authentication.state-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBUIf you already have a 32-characters client secret then you do not need to
set the quarkus.oidc.authentication.pkce-secret property unless you prefer
to use a different secret key. This secret will be auto-generated if it is
not configured and if the fallback to the client secret is not possible in
case of the client secret being less than 16 characters long.
The secret key is required for encrypting a randomly generated PKCE
code_verifier while the user is being redirected with the code_challenge
query parameter to an OIDC provider to authenticate. The code_verifier is
decrypted when the user is redirected back to Quarkus and sent to the token
endpoint alongside the code, client secret, and other parameters to
complete the code exchange. The provider will fail the code exchange if a
SHA256 digest of the code_verifier does not match the code_challenge
that was provided during the authentication request.
Handling and controlling the lifetime of authentication
Another important requirement for authentication is to ensure that the data the session is based on is up-to-date without requiring the user to authenticate for every single request. There are also situations where a logout event is explicitly requested. Use the following key points to find the right balance for securing your Quarkus applications:
Cookies
The OIDC adapter uses cookies to keep the session, code flow, and post-logout state. This state is a key element controlling the lifetime of authentication data.
Use the quarkus.oidc.authentication.cookie-path property to ensure that
the same cookie is visible when you access protected resources with
overlapping or different roots, for example:
-
/index.htmland/web-app/service -
/web-app/service1and/web-app/service2 -
/web-app1/serviceand/web-app2/service
By default, quarkus.oidc.authentication.cookie-path is set to / but you
can change this to a more specific path if required, for example,
/web-app.
To set the cookie path dynamically, configure the
quarkus.oidc.authentication.cookie-path-header property. Set the
quarkus.oidc.authentication.cookie-path-header property. For example, to
set the cookie path dynamically by using the value of
the`X-Forwarded-Prefix` HTTP header, configure the property to
quarkus.oidc.authentication.cookie-path-header=X-Forwarded-Prefix.
If quarkus.oidc.authentication.cookie-path-header is set but no configured
HTTP header is available in the current request then the
quarkus.oidc.authentication.cookie-path will be checked.
If your application is deployed across multiple domains, set the
quarkus.oidc.authentication.cookie-domain property so that the session
cookie is visible to all protected Quarkus services. For example, if you
have Quarkus services deployed on the following two domains, then you must
set the quarkus.oidc.authentication.cookie-domain property to
company.net.
-
https://whatever.wherever.company.net/
-
https://another.address.company.net/
Session cookie and default TokenStateManager
OIDC CodeAuthenticationMechanism uses the default
io.quarkus.oidc.TokenStateManager interface implementation to keep the ID,
access, and refresh tokens returned in the authorization code or refresh
grant responses in an encrypted session cookie.
It makes Quarkus OIDC endpoints completely stateless and it is recommended to follow this strategy in order to achieve the best scalability results.
See Database TokenStateManager and Session cookie and custom TokenStateManager sections of this guide for alternative approaches where tokens can be stored in the database or other server-side storage, if you prefer and have good reasons for storing the token state on the server.
You can configure the default TokenStateManager to avoid saving an access
token in the session cookie and only keep ID and refresh tokens or ID token
only.
An access token is only required if the endpoint needs to:
-
Retrieve
UserInfo -
Access the downstream service with this access token
-
Use the roles associated with the access token, which are checked by default
In such cases, use the quarkus.oidc.token-state-manager.strategy property
to configure the token state strategy as follows:
To… |
Set the property to … |
Keep the ID and refresh tokens only |
|
Keep the ID token only |
|
If your chosen session cookie strategy combines tokens and generates a large
session cookie value that is greater than 4KB, some browsers might not be
able to handle such cookie sizes. This can occur when the ID, access, and
refresh tokens are JWT tokens and the selected strategy is keep-all-tokens
or with ID and refresh tokens when the strategy is id-refresh-token. To
workaround this issue, you can set
quarkus.oidc.token-state-manager.split-tokens=true to create a unique
session token for each token. An alternative solution is to have the tokens
saved in the database, see Database
TokenStateManager for more information.
Default TokenStateManager encrypts the tokens before storing them in the
session cookie. The following example shows how you configure it to split
the tokens and encrypt them:
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app
quarkus.oidc.token-state-manager.split-tokens=true
quarkus.oidc.token-state-manager.encryption-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBUThe token encryption secret must be at least 32 characters long. If this
key is not configured then either quarkus.oidc.credentials.secret or
quarkus.oidc.credentials.jwt.secret will be hashed to create an encryption
key.
Configure the quarkus.oidc.token-state-manager.encryption-secret property
if Quarkus authenticates to the OpenId Connect Provider by using one of the
following authentication methods:
-
mTLS
-
private_key_jwt, where a private RSA or EC key is used to sign a JWT token
Otherwise, a random key is generated, which can be problematic if the Quarkus application is running in the cloud with multiple pods managing the requests.
You can disable token encryption in the session cookie by setting
quarkus.oidc.token-state-manager.encryption-required=false.
Session cookie and custom TokenStateManager
Register a custom io.quarkus.oidc.TokenStateManager' implementation as an
`@ApplicationScoped CDI bean if you need to customize the way the tokens
are associated with the session cookie.
For example, you may want to keep the tokens in a cache cluster and have only a key stored in a session cookie. Note that this approach might introduce some challenges if you need to make the tokens available across multiple microservices nodes.
Here is a simple example:
package io.quarkus.oidc.test;
import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.inject.Inject;
import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.TokenStateManager;
import io.quarkus.oidc.runtime.DefaultTokenStateManager;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
@ApplicationScoped
@Alternative
@Priority(1)
public class CustomTokenStateManager implements TokenStateManager {
@Inject
DefaultTokenStateManager tokenStateManager;
@Override
public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantConfig oidcConfig,
AuthorizationCodeTokens sessionContent, TokenStateManager.CreateTokenStateRequestContext requestContext) {
return tokenStateManager.createTokenState(routingContext, oidcConfig, sessionContent, requestContext)
.map(t -> (t + "|custom"));
}
@Override
public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, OidcTenantConfig oidcConfig,
String tokenState, TokenStateManager.GetTokensRequestContext requestContext) {
if (!tokenState.endsWith("|custom")) {
throw new IllegalStateException();
}
String defaultState = tokenState.substring(0, tokenState.length() - 7);
return tokenStateManager.getTokens(routingContext, oidcConfig, defaultState, requestContext);
}
@Override
public Uni<Void> deleteTokens(RoutingContext routingContext, OidcTenantConfig oidcConfig, String tokenState,
TokenStateManager.DeleteTokensRequestContext requestContext) {
if (!tokenState.endsWith("|custom")) {
throw new IllegalStateException();
}
String defaultState = tokenState.substring(0, tokenState.length() - 7);
return tokenStateManager.deleteTokens(routingContext, oidcConfig, defaultState, requestContext);
}
}See Session cookie and default TokenStateManager
for the information about the default TokenStateManager storing the tokens
in an encrypted session cookie.
See Database TokenStateManager for the
information about the custom TokenStatemanager implementation provided by
Quarkus.
Database TokenStateManager
If you prefer to follow a stateful token storage strategy, then you can use
a custom TokenStateManager provided by Quarkus to have your application
storing tokens in a database, instead of storing them in an encrypted
session cookie which is done by default, as described in the
Session cookie and default TokenStateManager
section.
To use this feature, add the following extension to your project:
quarkus extension add oidc-db-token-state-manager./mvnw quarkus:add-extension -Dextensions='oidc-db-token-state-manager'./gradlew addExtension --extensions='oidc-db-token-state-manager'This extension will replace the default `io.quarkus.oidc.TokenStateManager' with a database-based one.
OIDC Database Token State Manager is using a Reactive SQL client under the hood to avoid blocking since the authentication is likely to happen on IO thread.
Depending on your database, please include and configure exactly one Reactive SQL client. Following Reactive SQL clients are supported:
-
Reactive MS SQL client
-
Reactive MySQL client
-
Reactive PostgreSQL client
-
Reactive Oracle client
-
Reactive DB2 client
| Your application is not required to switch to using the Reactive SQL client if it already uses Hibernate ORM with one of the JDBC driver extensions. |
Let’s say you already have application that is using the Hibernate ORM extension together with a PostgreSQL JDBC Driver and your datasource is configured like this:
quarkus.datasource.db-kind=postgresql
quarkus.datasource.username=quarkus_test
quarkus.datasource.password=quarkus_test
quarkus.datasource.jdbc.url=jdbc:postgresql://localhost:5432/quarkus_testNow, if you decided to use OIDC Database Token State Manager, you need to add following dependencies and set a reactive driver URL.
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-oidc-db-token-state-manager</artifactId>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-reactive-pg-client</artifactId>
</dependency>implementation("io.quarkus:quarkus-oidc-db-token-state-manager")
implementation("io.quarkus:quarkus-reactive-pg-client")quarkus.datasource.reactive.url=postgresql://localhost:5432/quarkus_testAnd you are ready to go.
By default, a database table used for storing tokens is created for you,
however you can disable this option with the
quarkus.oidc.db-token-state-manager.create-database-table-if-not-exists
configuration property. Should you want the Hibernate ORM extension to
create this table instead, you simply need to include an Entity like this
one:
package org.acme.manager;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Table;
@Table(name = "oidc_db_token_state_manager") (1)
@Entity
public class OidcDbTokenStateManagerEntity {
@Id
String id;
@Column(name = "id_token", length = 4000) (2)
String idToken;
@Column(name = "refresh_token", length = 4000)
String refreshToken;
@Column(name = "access_token", length = 4000)
String accessToken;
@Column(name = "expires_in")
Long expiresIn;
}| 1 | The Hibernate ORM extension will only create this table for you when database schema is generated. Please refer to the Hibernate ORM guide for more information. |
| 2 | You can choose column length depending on the length of your tokens. |
Logout and expiration
There are two main ways for the authentication information to expire: the tokens expired and were not renewed or an explicit logout operation was triggered.
Let’s start with explicit logout operations.
User-initiated logout
Users can request a logout by sending a request to the Quarkus endpoint
logout path set with a quarkus.oidc.logout.path property. For example, if
the endpoint address is https://application.com/webapp and the
quarkus.oidc.logout.path is set to "/logout" then the logout request has
to be sent to https://application.com/webapp/logout.
This logout request will start an RP-Initiated Logout and the user will be redirected to the OpenID Connect Provider to logout where a user may be asked to confirm the logout is indeed intended.
The user will be returned to the endpoint post logout page once the logout
has been completed if the quarkus.oidc.logout.post-logout-path property is
set. For example, if the endpoint address is
https://application.com/webapp and the
quarkus.oidc.logout.post-logout-path is set to "/signin" then the user
will be returned to https://application.com/webapp/signin (note this URI
must be registered as a valid post_logout_redirect_uri in the OpenID
Connect Provider).
If the quarkus.oidc.logout.post-logout-path is set then a q_post_logout
cookie will be created and a matching state query parameter will be added
to the logout redirect URI and the OpenID Connect Provider will return this
state once the logout has been completed. It is recommended for the
Quarkus web-app applications to check that a state query parameter
matches the value of the q_post_logout cookie which can be done for
example in a Jakarta REST filter.
Note that a cookie name varies when using
OpenID Connect
Multi-Tenancy. For example, it will be named q_post_logout_tenant_1 for a
tenant with a tenant_1 ID, and so on.
Here is an example of how to configure a Quarkus app initiated logout flow:
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app
quarkus.oidc.logout.path=/logout
# Logged-out users should be returned to the /welcome.html site which will offer an option to re-login:
quarkus.oidc.logout.post-logout-path=/welcome.html
# Only the authenticated users can initiate a logout:
quarkus.http.auth.permission.authenticated.paths=/logout
quarkus.http.auth.permission.authenticated.policy=authenticated
# All users can see the welcome page:
quarkus.http.auth.permission.public.paths=/welcome.html
quarkus.http.auth.permission.public.policy=permitYou may also need to set quarkus.oidc.authentication.cookie-path to a path
value common to all the application resources which is / in this example.
For more information, see the Cookies section.
|
Some OIDC providers do not support
RP-initiated
logout specification and do not return an OpenID Connect well-known
According to the
RP-initiated
logout specification, the You can use |
Back-channel logout
The OIDC provider can force the logout of all applications using the authentification data: this is called back-channel logout. In this case the OIDC will call a specific URL from each application to trigger that logout.
Back-Channel Logout is used by OpenID Connect providers to log out the current user from all the applications this user is currently logged in, bypassing the user agent.
You can configure Quarkus to support Back-Channel Logout as follows:
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app
quarkus.oidc.logout.backchannel.path=/back-channel-logoutThe absolute back-channel logout URL is calculated by adding
quarkus.oidc.back-channel-logout.path to the current endpoint URL, for
example, http://localhost:8080/back-channel-logout. You will need to
configure this URL in the admin console of your OIDC provider.
You will also need to configure a token age property for the logout token
verification to succeed if your OpenID Connect Provider does not set an
expiry claim in the current logout token. For example, set
quarkus.oidc.token.age=10S to ensure that no more than 10 seconds elapse
since the logout token’s iat (issued at) time.
Front-channel logout
Front-Channel Logout can be used to logout the current user directly from the user agent (e.g. its browser). It is like Back-channel logout but the logout steps are executed by the user agent like the browser and not in the background by the OIDP provider. This option is rarely used.
You can configure Quarkus to support Front-Channel Logout as follows:
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app
quarkus.oidc.logout.frontchannel.path=/front-channel-logoutThis path will be compared against the current request’s path and the user will be logged out if these paths match.
Local logout
User-initiated logout will log the user out of the OIDC provider, if it is used as single sign-on, it might not be what you require. If, for example, your OIDC provider is Google, you will be logged out from Google and its services. Instead the user might just want to log out of that specific application. Another use case might be when the OIDC provider does not have a logout endpoint.
By using OidcSession, you can support a local logout, which means that only the local session cookie is cleared, as shown in the following example:
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import io.quarkus.oidc.OidcSession;
@Path("/service")
public class ServiceResource {
@Inject
OidcSession oidcSession;
@GET
@Path("logout")
public String logout() {
oidcSession.logout().await().indefinitely();
return "You are logged out".
}Using OidcSession for local logout
io.quarkus.oidc.OidcSession is a wrapper around the current IdToken,
which can help to perform a Local logout, retrieve the
current session’s tenant identifier, and check when the session will
expire. More useful methods will be added to it over time.
Session management
By default, logout is based on the expiration time of the ID token issued by the OIDC provider. When the ID token expires, the current user session at the Quarkus endpoint is invalidated and the user is redirected to the OIDC provider again to authenticate. If the session at the OIDC provider is still active, users are automatically re-authenticated without needing to provide their credentials again.
The current user session can be automatically extended by enabling the
quarkus.oidc.token.refresh-expired property. If set to true, when the
current ID token expires, a refresh token grant will be used to refresh the
ID token as well as access and refresh tokens.
|
If you have a
single
page application for service applications where your OIDC provider script
such as |
If you work with a Quarkus OIDC web-app application, then it is the
Quarkus OIDC code authentication mechanism that is managing the user session
lifespan.
To use the refresh token, you should carefully configure the session cookie age. The session age should be longer than the ID token lifespan and close to or equal to the refresh token lifespan.
You calculate the session age by adding the lifespan value of the current ID
token and the values of the
quarkus.oidc.authentication.session-age-extension and
quarkus.oidc.token.lifespan-grace properties.
|
You use only the |
When the current authenticated user returns to the protected Quarkus endpoint and the ID token associated with the session cookie has expired, then, by default, the user is automatically redirected to the OIDC Authorization endpoint to re-authenticate. The OIDC provider might challenge the user again if the session between the user and this OIDC provider is still active, which might happen if the session is configured to last longer than the ID token.
If the quarkus.oidc.token.refresh-expired is set to true, then the
expired ID token (as well as the access token) is refreshed by using the
refresh token returned with the initial authorization code grant response.
This refresh token might also be recycled (refreshed) itself as part of this
process. As a result, the new session cookie is created and the session is
extended.
|
In instances where the user is not very active, you can use the
|
You can go one step further and proactively refresh ID tokens or access
tokens that are about to expire. Set
quarkus.oidc.token.refresh-token-time-skew to the value you want to
anticipate the refresh. If, during the current user request, it is
calculated that the current ID token will expire within this
quarkus.oidc.token.refresh-token-time-skew then it will be refreshed and
the new session cookie will be created. This property should be set to a
value which is less than the ID token lifespan; the closer it is to this
lifespan value the more often the ID token will be refreshed.
You can further optimize this process by having a simple JavaScript function ping your Quarkus endpoint to periodically emulate the user activity, which minimizes the time frame during which the user might have to be re-authenticated.
|
You cannot extend the user session indefinitely. The returning user with the expired ID token will have to re-authenticate at the OIDC provider endpoint once the refresh token has expired. |
Integration with GitHub and non-OIDC OAuth2 providers
Some well known providers such as GitHub or LinkedIn are not OpenID Connect
but OAuth2 providers which support the authorization code flow, for
example,
GitHub
OAuth2 and
LinkedIn
OAuth2. Remember, OIDC is built on top of OAuth2.
The main difference between OpenID Connect and OAuth2 providers is that
OpenID Connect providers return an ID Token that represents a user
authentication, in addition to the standard authorization code flow access
and refresh tokens returned by OAuth2 providers.
OAuth2 providers such as GitHub do not return IdToken, the fact of the
user authentication is implicit and is indirectly represented by the
access token which represents an authenticated user authorizing the
current Quarkus web-app application to access some data on behalf of the
authenticated user.
For OIDC, you validate the ID token as proof of authentication validity
whereas in the case of OAuth2, you validate the access token. This is done
by subsequently calling an endpoint that requires the access token and that
typically returns user information. This approach is similar to the OIDC
UserInfo approach, with UserInfo fetched by Quarkus OIDC
on your behalf.
For example, when working with GitHub, the Quarkus endpoint can acquire an
access token which allows the Quarkus endpoint to request a GitHub profile
for the current user.
To support the integration with such OAuth2 servers, quarkus-oidc needs to
be configured a bit differently to allow the authorization code flow
responses without IdToken:
quarkus.oidc.authentication.id-token-required=false.
|
Even though you configure the extension to support the authorization code
flows without This simplifies how you handle an application that supports multiple OIDC providers. |
The next step is to ensure that the returned access token can be useful and
is valid to the current Quarkus endpoint. The first way is to call the
OAuth2 provider introspection endpoint by configuring
quarkus.oidc.introspection-path, if the provider offers such an endpoint.
In this case you can use the access token as a source of roles using
quarkus.oidc.roles.source=accesstoken. If no introspection endpoint is
present, you can attempt instead to request UserInfo from
the provider as it will at least validate the access token. To do so,
specify quarkus.oidc.token.verify-access-token-with-user-info=true. You
also need to set the quarkus.oidc.user-info-path property to a URL
endpoint that fetches the user info (or to an endpoint protected by the
access token). For GitHub, since it does not have an introspection
endpoint, requesting the UserInfo is required.
|
Requiring UserInfo involves making a remote call on every
request. Therefore, you might want to consider caching Alternatively, you may want to request that |
OAuth2 servers might not support a well-known configuration endpoint. In this case, you must disable the discovery and configure the authorization, token, and introspection and the userinfo endpoint paths manually.
For well-known OIDC or OAuth2 providers, like Apple, Facebook, GitHub,
Google, Microsoft, Spotify, and Twitter, Quarkus can help significantly
simplify your application’s configuration with the quarkus.oidc.provider
property. Here is how you can integrate quarkus-oidc with GitHub after
you have
created
a GitHub OAuth application. Configure your Quarkus endpoint like this:
quarkus.oidc.provider=github
quarkus.oidc.client-id=github_app_clientid
quarkus.oidc.credentials.secret=github_app_clientsecret
# user:email scope is requested by default, use 'quarkus.oidc.authentication.scopes' to request different scopes such as `read:user`.
# See https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps for more information.
# Consider enabling UserInfo Cache
# quarkus.oidc.token-cache.max-size=1000
# quarkus.oidc.token-cache.time-to-live=5M
#
# Or having UserInfo cached inside IdToken itself
# quarkus.oidc.cache-user-info-in-idtoken=trueSee OpenID Connect providers for more details about configuring other well-known providers.
This is all what is needed for an endpoint like this one to return the
currently-authenticated user’s profile with GET
http://localhost:8080/github/userinfo and access it as the individual
UserInfo properties:
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import io.quarkus.oidc.UserInfo;
import io.quarkus.security.Authenticated;
@Path("/github")
@Authenticated
public class TokenResource {
@Inject
UserInfo userInfo;
@GET
@Path("/userinfo")
@Produces("application/json")
public String getUserInfo() {
return userInfo.getUserInfoString();
}
}If you support more than one social provider with the help of
OpenID Connect
Multi-Tenancy, for example, Google which is an OpenID Connect Provider
returning IdToken and GitHub which is an OAuth2 provider returning no
IdToken and only allowing to access UserInfo then you can have your
endpoint working with only the injected SecurityIdentity for both Google
and GitHub flows. A simple augmentation of SecurityIdentity will be
required where a principal created with the internally generated IdToken
will be replaced with the UserInfo based principal when the GiHub flow is
active:
package io.quarkus.it.keycloak;
import java.security.Principal;
import jakarta.enterprise.context.ApplicationScoped;
import io.quarkus.oidc.UserInfo;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
@ApplicationScoped
public class CustomSecurityIdentityAugmentor implements SecurityIdentityAugmentor {
@Override
public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
RoutingContext routingContext = identity.getAttribute(RoutingContext.class.getName());
if (routingContext != null && routingContext.normalizedPath().endsWith("/github")) {
QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);
UserInfo userInfo = identity.getAttribute("userinfo");
builder.setPrincipal(new Principal() {
@Override
public String getName() {
return userInfo.getString("preferred_username");
}
});
identity = builder.build();
}
return Uni.createFrom().item(identity);
}
}Now, the following code will work when the user signs into your application by using Google or GitHub:
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.SecurityIdentity;
@Path("/service")
@Authenticated
public class TokenResource {
@Inject
SecurityIdentity identity;
@GET
@Path("/google")
@Produces("application/json")
public String getUserName() {
return identity.getPrincipal().getName();
}
@GET
@Path("/github")
@Produces("application/json")
public String getUserName() {
return identity.getPrincipal().getUserName();
}
}Possibly a simpler alternative is to inject both @IdToken JsonWebToken and
UserInfo and use JsonWebToken when dealing with the providers returning
IdToken and UserInfo with the providers which do not return IdToken.
You must ensure that the callback path you enter in the GitHub OAuth
application configuration matches the endpoint path where you’d like the
user be redirected to after a successful GitHub authentication and
application authorization, in this case it has to be set to
http:localhost:8080/github/userinfo.
Listening to important authentication events
You can register the @ApplicationScoped bean which will observe important
OIDC authentication events. When a user logs in for the first time,
reauthenticates, or refreshes the session, the listener is updated. In the
future, more events might be reported. For example:
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.event.Observes;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.vertx.ext.web.RoutingContext;
@ApplicationScoped
public class SecurityEventListener {
public void event(@Observes SecurityEvent event) {
String tenantId = event.getSecurityIdentity().getAttribute("tenant-id");
RoutingContext vertxContext = event.getSecurityIdentity().getAttribute(RoutingContext.class.getName());
vertxContext.put("listener-message", String.format("event:%s,tenantId:%s", event.getEventType().name(), tenantId));
}
}Propagating tokens to downstream services
For information about Authorization Code Flow access token propagation to downstream services, see the Token Propagation section.
Integration considerations
Your application secured by OIDC integrates in an environment where it can be called from single-page applications, needs to work with well-known OIDC providers, run behind HTTP Reverse Proxy, require external and internal access, etc.
This section discusses these considerations.
Single-page applications
You can check if implementing single-page applications (SPAs) the way it is suggested in the Single-page applications section of the "OpenID Connect (OIDC) Bearer token authentication" guide meets your requirements.
If you prefer to use SPAs and JavaScript APIs such as Fetch or
XMLHttpRequest(XHR) with Quarkus web applications, be aware that OpenID
Connect providers might not support cross-origin resource sharing (CORS) for
authorization endpoints where the users are authenticated after a redirect
from Quarkus. This will lead to authentication failures if the Quarkus
application and the OpenID Connect provider are hosted on different HTTP
domains, ports, or both.
In such cases, set the
quarkus.oidc.authentication.java-script-auto-redirect property to false,
which will instruct Quarkus to return a 499 status code and a
WWW-Authenticate header with the OIDC value.
The browser script must set a header to identify the current request as a
JavaScript request for 499 status code to be returned when
quarkus.oidc.authentication.java-script-auto-redirect property is set to
false.
If the script engine sets an engine-specific request header itself, then you
can register a custom quarkus.oidc.JavaScriptRequestChecker bean, which
will inform Quarkus if the current request is a JavaScript request. For
example, if the JavaScript engine sets a header such as HX-Request: true
then you can have it checked like this:
import jakarta.enterprise.context.ApplicationScoped;
import io.quarkus.oidc.JavaScriptRequestChecker;
import io.vertx.ext.web.RoutingContext;
@ApplicationScoped
public class CustomJavaScriptRequestChecker implements JavaScriptRequestChecker {
@Override
public boolean isJavaScriptRequest(RoutingContext context) {
return "true".equals(context.request().getHeader("HX-Request"));
}
}and reload the last requested page in case of a 499 status code.
Otherwise you must also update the browser script to set the
X-Requested-With header with the JavaScript value and reload the last
requested page in case of a 499 status code.
For example:
Future<void> callQuarkusService() async {
Map<String, String> headers = Map.fromEntries([MapEntry("X-Requested-With", "JavaScript")]);
await http
.get("https://localhost:443/serviceCall")
.then((response) {
if (response.statusCode == 499) {
window.location.assign("https://localhost.com:443/serviceCall");
}
});
}Cross-origin resource sharing
If you plan to consume this application from a single-page application running on a different domain, you need to configure cross-origin resource sharing (CORS). For more information, see the CORS filter section of the "Cross-origin resource sharing" guide.
Calling Cloud provider services
Google Cloud
You can have Quarkus OIDC web-app applications access Google Cloud
services such as BigQuery on behalf of the currently-authenticated
users who have enabled OpenID Connect (Authorization Code Flow) permissions
to such services in their Google developer consoles.
It is super easy to do with Quarkiverse Google Cloud Services, only add the latest tag service dependency, for example:
<dependency>
<groupId>io.quarkiverse.googlecloudservices</groupId>
<artifactId>quarkus-google-cloud-bigquery</artifactId>
<version>${quarkiverse.googlecloudservices.version}</version>
</dependency>implementation("io.quarkiverse.googlecloudservices:quarkus-google-cloud-bigquery:${quarkiverse.googlecloudservices.version}")and configure Google OIDC properties:
quarkus.oidc.provider=google
quarkus.oidc.client-id={GOOGLE_CLIENT_ID}
quarkus.oidc.credentials.secret={GOOGLE_CLIENT_SECRET}
quarkus.oidc.token.issuer=https://accounts.google.comRunning Quarkus application behind a reverse proxy
OIDC authentication mechanism can be affected if your Quarkus application is
running behind a reverse proxy/gateway/firewall when HTTP Host header may
be reset to the internal IP address, HTTPS connection may be terminated,
etc. For example, an authorization code flow redirect_uri parameter may be
set to the internal host instead of the expected external one.
In such cases configuring Quarkus to recognize the original headers forwarded by the proxy will be required, for more information, see the Running behind a reverse proxy Vert.x documentation section.
For example, if your Quarkus endpoint runs in a cluster behind Kubernetes
Ingress then a redirect from the OpenID Connect Provider back to this
endpoint may not work since the calculated redirect_uri parameter may
point to the internal endpoint address. This problem can be resolved with
the following configuration:
quarkus.http.proxy.proxy-address-forwarding=true
quarkus.http.proxy.allow-forwarded=false
quarkus.http.proxy.enable-forwarded-host=true
quarkus.http.proxy.forwarded-host-header=X-ORIGINAL-HOSTwhere X-ORIGINAL-HOST is set by Kubernetes Ingress to represent the
external endpoint address.
quarkus.oidc.authentication.force-redirect-https-scheme property may also
be used when the Quarkus application is running behind an SSL terminating
reverse proxy.
External and internal access to the OIDC provider
Note that the OpenID Connect Provider externally accessible authorization,
logout and other endpoints may have different HTTP(S) URLs compared to the
URLs auto-discovered or configured relative to
quarkus.oidc.auth-server-url internal URL. In such cases an issuer
verification failure may be reported by the endpoint and redirects to the
externally accessible Connect Provider endpoints may fail.
In such cases, if you work with Keycloak then please start it with a
KEYCLOAK_FRONTEND_URL system property set to the externally accessible
base URL. If you work with other Openid Connect providers then please check
your provider’s documentation.
OIDC SAML Identity broker
If your identity provider does not implement OpenId Connect but only the
legacy XML-based SAML2.0 SSO protocol, then Quarkus can not be used as a
SAML 2.0 adapter, similarly to how quarkus-oidc is used as an OIDC
adapter.
However, many OIDC providers such as Keycloak, Okta, Auth0, Microsoft ADFS
can offer OIDC to SAML 2.0 bridges. You can create an identity broker
connection to SAML 2.0 provider in your OIDC provider and use quarkus-oidc
to authenticate your users to this SAML 2.0 provider with the OIDC provider
coordinating OIDC and SAML 2.0 communications. As far as Quarkus endpoints
are concerned, they can continue using the same Quarkus Security and OIDC
API and annotations such as @Authenticated, SecurityIdentity, etc.
For example, lets assume Okta is your SAML 2.0 provider and Keycloak is
your OIDC provider. Here is a typical sequence explaining how to configure
Keycloak to broker with the Okta SAML 2.0 provider.
First, create a new SAML2 integration in your Okta
Dashboard/Applications:
For example, name it as OktaSaml:
Next, configure it to point to a Keycloak SAML broker endpoint. At this
point you need to know the name of the Keycloak realm, for example,
quarkus, and, assuming that the Keycloak SAML broker alias is saml,
enter the endpoint address as
http:localhost:8081/realms/quarkus/broker/saml/endpoint and Service
provider (SP) entity id as http:localhost:8081/realms/quarkus, where
http://localhost:8081 is a Keycloak base address and saml is a broker
alias:
Next, save this SAML integration and note its Metadata URL:
Next, add SAML Provider to Keycloak:
First, as usual, create a new realm or import the existing realm to
Keycloak, in this case, the realm name has to be quarkus.
Now, in the quarkus Realm properties, navigate to Identity Providers and
add a new SAML provider:
Note the alias is set to saml, Redirect URI is
http:localhost:8081/realms/quarkus/broker/saml/endpoint and Service
provider entity id is http:localhost:8081/realms/quarkus - these are the
same values you have entered when creating the Okta SAML integration in the
previous step.
Finally, set Service entity descriptor to point to the Okta SAML
Intregration Metadata URL you noted at the end of the previous step.
Next, if you would like, you can register this Keycloak SAML Provider as a
Default Provider by navigating to Authentication/browser/Identity Provider
Redirector config and setting both Alias and Default Identity Provider
properties to saml. If you do not configure it as a Default Provider then,
at the authentication time, Keycloak will offer 2 options - authenticate
with the SAML provider, and authenticate directly to Keycloak with the name
and password.
Now configure the Quarkus OIDC web-app application to point to the
Keycloak quarkus realm,
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus and you
are ready to start authenticating your Quarkus users to the Okta SAML 2.0
provider using an OIDC to SAML bridge provided by Keycloak OIDC and Okta
SAML 2.0 providers.
You can configure other OIDC providers to provide a SAML bridge similarly to how it can be done for Keycloak.
Testing
Testing is often tricky when it comes to authentification to a separate OIDC like server. Quarkus offers several options from mocking to a local run of an OIDC provider.
Start by adding the following dependencies to your test project:
<dependency>
<groupId>net.sourceforge.htmlunit</groupId>
<artifactId>htmlunit</artifactId>
<exclusions>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-junit5</artifactId>
<scope>test</scope>
</dependency>testImplementation("net.sourceforge.htmlunit:htmlunit")
testImplementation("io.quarkus:quarkus-junit5")Wiremock
Add the following dependency:
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-test-oidc-server</artifactId>
<scope>test</scope>
</dependency>testImplementation("io.quarkus:quarkus-test-oidc-server")Prepare the REST test endpoints, set application.properties, for example:
# keycloak.url is set by OidcWiremockTestResource
quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus/
quarkus.oidc.client-id=quarkus-web-app
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-appand finally write the test code, for example:
import static org.junit.jupiter.api.Assertions.assertEquals;
import org.junit.jupiter.api.Test;
import com.gargoylesoftware.htmlunit.SilentCssErrorHandler;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import io.quarkus.test.common.QuarkusTestResource;
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.oidc.server.OidcWiremockTestResource;
@QuarkusTest
@QuarkusTestResource(OidcWiremockTestResource.class)
public class CodeFlowAuthorizationTest {
@Test
public void testCodeFlow() throws Exception {
try (final WebClient webClient = createWebClient()) {
// the test REST endpoint listens on '/code-flow'
HtmlPage page = webClient.getPage("http://localhost:8081/code-flow");
HtmlForm form = page.getFormByName("form");
// user 'alice' has the 'user' role
form.getInputByName("username").type("alice");
form.getInputByName("password").type("alice");
page = form.getInputByValue("login").click();
assertEquals("alice", page.getBody().asText());
}
}
private WebClient createWebClient() {
WebClient webClient = new WebClient();
webClient.setCssErrorHandler(new SilentCssErrorHandler());
return webClient;
}
}OidcWiremockTestResource recognizes alice and admin users. The user
alice has the user role only by default - it can be customized with a
quarkus.test.oidc.token.user-roles system property. The user admin has
the user and admin roles by default - it can be customized with a
quarkus.test.oidc.token.admin-roles system property.
Additionally, OidcWiremockTestResource set token issuer and audience to
https://service.example.com which can be customized with
quarkus.test.oidc.token.issuer and quarkus.test.oidc.token.audience
system properties.
OidcWiremockTestResource can be used to emulate all OpenID Connect
providers.
Dev services for Keycloak
Using Dev Services for
Keycloak is recommended for the integration testing against Keycloak. Dev
Services for Keycloak will launch and initialize a test container: it will
create a quarkus realm, a quarkus-app client (secret secret) and add
alice (admin and user roles) and bob (user role) users, where all
of these properties can be customized.
First, prepare application.properties. You can start with a completely
empty application.properties as Dev Services for Keycloak will register
quarkus.oidc.auth-server-url pointing to the running test container as
well as quarkus.oidc.client-id=quarkus-app and
quarkus.oidc.credentials.secret=secret.
But if you already have all the required quarkus-oidc properties
configured then you only need to associate quarkus.oidc.auth-server-url
with the prod profile for `Dev Services for Keycloak`to start a container,
for example:
%prod.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkusIf a custom realm file has to be imported into Keycloak before running the
tests then you can configure Dev Services for Keycloak as follows:
%prod.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.keycloak.devservices.realm-path=quarkus-realm.jsonFinally, write a test code the same way as it is described in the
Wiremock section. The only difference is
that @QuarkusTestResource is no longer needed:
@QuarkusTest
public class CodeFlowAuthorizationTest {
}Using KeycloakTestResourceLifecycleManager
Use KeycloakTestResourceLifecycleManager for your tests only if there is a
good reason not to use Dev Services for Keycloak. If you need to do the
integration testing against Keycloak then you are encouraged to do it with
Dev services For Keycloak.
Start with adding the following dependency:
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-test-keycloak-server</artifactId>
<scope>test</scope>
</dependency>testImplementation("io.quarkus:quarkus-test-keycloak-server")which provides
io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager - an
implementation of
io.quarkus.test.common.QuarkusTestResourceLifecycleManager which starts a
Keycloak container.
And configure the Maven Surefire plugin as follows:
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<systemPropertyVariables>
<!-- or, alternatively, configure 'keycloak.version' -->
<keycloak.docker.image>${keycloak.docker.image}</keycloak.docker.image>
<!--
Disable HTTPS if required:
<keycloak.use.https>false</keycloak.use.https>
-->
</systemPropertyVariables>
</configuration>
</plugin>(and similarly the Maven Failsafe plugin when testing in native image).
And now set the configuration and write the test code the same way as it is
described in the Wiremock section. The
only difference is the name of QuarkusTestResource:
import io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager;
@QuarkusTest
@QuarkusTestResource(KeycloakTestResourceLifecycleManager.class)
public class CodeFlowAuthorizationTest {
}KeycloakTestResourceLifecycleManager registers alice and admin
users. The user alice has the user role only by default - it can be
customized with a keycloak.token.user-roles system property. The user
admin has the user and admin roles by default - it can be customized
with a keycloak.token.admin-roles system property.
By default, KeycloakTestResourceLifecycleManager uses HTTPS to initialize
a Keycloak instance which can be disabled with keycloak.use.https=false.
Default realm name is quarkus and client id - quarkus-web-app - set
keycloak.realm and keycloak.web-app.client system properties to
customize the values if needed.
TestSecurity annotation
See
Use
TestingSecurity with injected JsonWebToken section for more information
about using @TestSecurity and @OidcSecurity annotations for testing the
web-app application endpoint code which depends on the injected ID and
access JsonWebToken as well as UserInfo and OidcConfigurationMetadata.
Checking errors in the logs
To see details about the token verification errors, you must enable
io.quarkus.oidc.runtime.OidcProvider TRACE level logging:
quarkus.log.category."io.quarkus.oidc.runtime.OidcProvider".level=TRACE
quarkus.log.category."io.quarkus.oidc.runtime.OidcProvider".min-level=TRACETo see details about the OidcProvider client initialization errors, enable
io.quarkus.oidc.runtime.OidcRecorder TRACE level logging:
quarkus.log.category."io.quarkus.oidc.runtime.OidcRecorder".level=TRACE
quarkus.log.category."io.quarkus.oidc.runtime.OidcRecorder".min-level=TRACEYou can also from quarkus dev console hit j to change the application
global log level.
