From io.vertx.ext.auth.impl.UserImpl to io.quarkus.vertx.http.runtime.security.QuarkusHttpUser

[Stwissel]

I'm coming from a Vert.x background. When trying to use a RouteFilter that authenticates users using Vert.x's JWTAuth, I get a ClassCast exception: io.vertx.ext.auth.impl.UserImpl cannot be cast to class io.quarkus.vertx.http.runtime.security.QuarkusHttpUser Both classes implement User. My code:

@ApplicationScoped
public class sampleRoute {


  // Keeping Hello around to have something to test
  @Route(methods = HttpMethod.GET, path = "/hello")
  void hello(RoutingContext rc) {
    rc.response().end("hello");
  }


  @RouteFilter(8888)
  void onlyAuthorized(RoutingContext ctx) {
    String authHeader = ctx.request().getHeader("Authorization");
    String jwtString = authHeader.substring(7);

    Credentials credentials = new TokenCredentials(jwtString);
    JWTAuthOptions options = new JWTAuthOptions();
    AuthenticationProvider provider = JWTAuth.create(vertx, options);
    provider.authenticate(credentials)
        .onSuccess(user -> {
          ctx.setUser(user);
          ctx.next();
        })
        .onFailure(err -> ctx.fail(401, err));
  }

}

What's the correct approach here?

[sberyozkin]

It probably requires a conversion support from UserImpl to QuarkusHttpUser if it is possible at the Quarkus Security level, CC @michalvavrik.

FYI, you can make the authentication declarative with routes in Quarkus, by configuring the secure policy for a given path, https://quarkus.io/guides/security-authorize-web-endpoints-reference and use quarkus-oidc to set OIDC provider properties.

But if we can support the minimal UserImpl->QuarkusHttpUser conversion then you should be able to stay on the same code

[Stwissel]

Appreciate the feedback. What I’m trying to do is JWT token validation with a cert loaded from disk. I knew how to do that in vert.x. Happy to learn the Quarkus way. Not looking for OICD. An invalid JWT simply would 401.
Pointers where I can find that appreciated

[Stwissel]

I did read https://quarkus.io/guides/security-jwt
My missing piece: I need to be able to point to the keys at runtime. Application.properties file isn’t an option

[Stwissel]

I think the missing piece was this: https://quarkus.io/guides/config-extending-support

[michalvavrik]

well, you can use custom config source, but considering the config needs to be available as almost first thing at runtime, you cannot just provide it anytime, inject stuff etc. that said, I don't know your needs so good luck

[Stwissel]

I'll poke around and report back

[michalvavrik]

But if we can support the minimal UserImpl->QuarkusHttpUser conversion then you should be able to stay on the same code

IMHO when users starts to set RoutingContext#user instead of producing identity with our constructs like identity provider and auth mechanism or augmentors, we are asking for synchronization problem. We cannot change the fact that RoutingContext user is mutable, but Quarkus must be the one controlling narrative. So let's keep user entrypoints limited.

[michalvavrik]

Michal, @michalvavrik, I wonder, would it make sense for us to consider supporting @authenticated and other security annotations directly alongside @route annotations ? Not sure it is even possible

I'd expect it to work as I wrote some tests and fixes some time back, e.g. https://github.com/quarkusio/quarkus/blob/main/extensions/reactive-routes/deployment/src/test/java/io/quarkus/vertx/web/LazyAuthRouteTest.java but Reactive Routes are deprecated in product and barely see any issues open in community. IMO we shouldn't invest time into RR unless there is more users asking for it

[Stwissel]

Ahhh...
Reactive Routes are deprecated. Which opens the question how to interface with an vert.x Future based back-end. Reactive Routes seemed to be the natural choice. What would be a more future proof approach

[michalvavrik]

Quarkus is conservative and RR are not deprecated in community, I think you can use it. You can @Observes router and register your routes as you are used to with Vert.x. No difference there. It's some there in Quarkus docs, let's look for it please.

[michalvavrik]

void observe(@Observes Router router) {
        router.route().order(0).handler(rc -> {
            if (rc.request().path().equals("/api/tenant-paths///public-key//match")) {
                rc.end("public-key");
            } else {
                rc.next();
            }
        });
    }

copied from some tests, but it's an example

[Stwissel]

OK. Got a sample already with @Observes router running. Thx for the pointer

[Stwissel]

Btw. I VERY MUCH appreciate your time and expertise provided here

[sberyozkin]

Np at all, @Stwissel, thanks for being so positive about trying different options

[Stwissel]

Happy to report @Authenticated works with reactive routes. Currently struggling with @RolesAllowed. I'm following https://quarkus.io/guides/security-jwt

In the example I find

@RolesAllowed({ "User", "Admin" })

However when I decode the token from the example:

eyJraWQiOiJcL3ByaXZhdGVLZXkucGVtIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJqZG9lLXVzaW5nLWp3dC1yYmFjIiwiYXVkIjoidXNpbmctand0LXJiYWMiLCJ1cG4iOiJqZG9lQHF1YXJrdXMuaW8iLCJiaXJ0aGRhdGUiOiIyMDAxLTA3LTEzIiwiYXV0aF90aW1lIjoxNTUxNjUyMDkxLCJpc3MiOiJodHRwczpcL1wvcXVhcmt1cy5pb1wvdXNpbmctand0LXJiYWMiLCJyb2xlTWFwcGluZ3MiOnsiZ3JvdXAyIjoiR3JvdXAyTWFwcGVkUm9sZSIsImdyb3VwMSI6Ikdyb3VwMU1hcHBlZFJvbGUifSwiZ3JvdXBzIjpbIkVjaG9lciIsIlRlc3RlciIsIlN1YnNjcmliZXIiLCJncm91cDIiXSwicHJlZmVycmVkX3VzZXJuYW1lIjoiamRvZSIsImV4cCI6MTU1MTY1MjM5MSwiaWF0IjoxNTUxNjUyMDkxLCJqdGkiOiJhLTEyMyJ9.aPA4Rlc4kw7n_OZZRRk25xZydJy_J_3BRR8ryYLyHTO1o68_aNWWQCgpnAuOW64svPhPnLYYnQzK-l2vHX34B64JySyBD4y_vRObGmdwH_SEufBAWZV7mkG3Y4mTKT3_4EWNu4VH92IhdnkGI4GJB6yHAEzlQI6EdSOa4Nq8Gp4uPGqHsUZTJrA3uIW0TbNshFBm47-oVM3ZUrBz57JKtr0e9jv0HjPQWyvbzx1HuxZd6eA8ow8xzvooKXFxoSFCMnxotd3wagvYQ9ysBa89bgzL-lhjWtusuMFDUVYwFqADE7oOSOD4Vtclgq8svznBQ-YpfTHfb9QEcofMlpyjNA

I get:

{
  "sub": "jdoe-using-jwt-rbac",
  "aud": "using-jwt-rbac",
  "upn": "[email protected]",
  "birthdate": "2001-07-13",
  "auth_time": 1551652091,
  "iss": "https://quarkus.io/using-jwt-rbac",
  "roleMappings": {
    "group2": "Group2MappedRole",
    "group1": "Group1MappedRole"
  },
  "groups": [
    "Echoer",
    "Tester",
    "Subscriber",
    "group2"
  ],
  "preferred_username": "jdoe",
  "exp": 1551652391,
  "iat": 1551652091,
  "jti": "a-123"
}

The roles claim is nowhere to be found. So what's used for roles?

[Stwissel]

Found it, it's not roles but groups in the JWT payload. Happy to report @RolesAllowed works as advertised for reactive routes.

I ended up with a dynamic ConfigSource that checks a few potential locations. For reference:

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.eclipse.microprofile.config.spi.ConfigSource;
import com.beyonddemise.config.ConfigFactory;
import io.quarkus.logging.Log;
import io.quarkus.runtime.annotations.StaticInitSafe;


@StaticInitSafe
public class TokenConfigSource implements ConfigSource {

  private final static Map<String, String> dynamicConfig = new HashMap<>();

  static {
    // Location of config
    Path configDir = ConfigFactory.PathToConfig();
    Path keylocation = configDir.resolve("beyond.public.pem");
    if (keylocation.toFile().exists()) {
      System.out.println(keylocation);
      try {
        String pubKey = Files.readString(keylocation, StandardCharsets.UTF_8);
        dynamicConfig.put("mp.jwt.verify.publickey", pubKey);
      } catch (IOException e) {
        Log.error(e);
      }

    } else {
      throw new RuntimeException("key location invalid:" + keylocation);
    }

    dynamicConfig.put("mp.jwt.verify.issuer", "BeyondDemise Server");
    dynamicConfig.put("mp.jwt.verify.publickey.algorithm", "ES512");
    dynamicConfig.put("mp.jwt.verify.audiences", "BeyondDemise");
  }

  @Override
  public int getOrdinal() {
    return 270;
  }

  @Override
  public String getName() {
    return "DynamicConfigSource";
  }

  @Override
  public Set<String> getPropertyNames() {
    return dynamicConfig.keySet();
  }

  @Override
  public String getValue(String key) {
    return dynamicConfig.get(key);
  }
}

[Stwissel]

happy camper here, thx so much