(SPA + keycloack + OIDC) Getting notified to add extra check after login

[luca-bassoricci]

We have a SPA getting token from Keycloack; this token is sent to our Quarkus service as barrier and validated using oidc extensions.
After that we need to be notified from client via a REST API (eg. AuthResource#afterLogin()) about a successfully login to perform some additional checks and

1. if any check agains token and current user status on database fails, notify client about invalid authentication (and revoke token, if possibile)
2. create an user session in redis with user+permissions and return to SPA a cookie with some information used in recover user session later (or modify jwt token but I don't think this is possible)

Currently we have a SecurityIdentityAugmentor dedicated to inject user session read from redis but it is called also before AuthResource#afterLogin() is reached (because resource is protected with @Authenticated) and it fails because user session is not still created.
Which is a good way to proceed?
Remove augmentor and use a JAX-RS filter to extract session and inject user/permissions in current SecurityIdentity?
Any suggestions is welcome! :)

Thanks, Luca.

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

Hi @luca-bassoricci

if any check agains token and current user status on database fails, notify client about invalid authentication (and revoke token, if possibile)

The application can listen on the authentication failure events and revoke tokens, see the second example at https://quarkus.io/guides/security-oidc-code-flow-authentication#oidc-token-revocation, see also https://quarkus.io/guides/security-customization#observe-security-events

create an user session in redis with user+permissions and return to SPA a cookie with some information used in recover user session later (or modify jwt token but I don't think this is possible)

Re the token modification, what exactly do you have in mind, we have API that can take an existing JWT in and build a new one, but it requires having access to the private signing key...

Currently we have a SecurityIdentityAugmentor dedicated to inject user session read from redis but it is called also before AuthResource#afterLogin() is reached (because resource is protected with @authenticated) and it fails because user session is not still created. Which is a good way to proceed? Remove augmentor and use a JAX-RS filter to extract session and inject user/permissions in current SecurityIdentity? Any suggestions is welcome! :)

Right, if this user session is not needed to actually augment the identity, then retrieving it should probably not be done in the augmentor...

Hmm... Using the JAX-RS filter might work, perhaps another option is to also register a custom HttpAuthenticationMechanism dedicated to verifying the cookie that was created when SPA passed the token ? See https://quarkus.io/guides/security-customization#dealing-with-more-than-one-http-auth-mechanisms, I'm not sure it is the best option in your case, but you might want to try to create a mechanism that delegates to the default OidcAuthenticationMechanism when the bearer token is available and check the session cookie itself otherwise...

Also, some users use SPA with Quarkus OIDC itself doing the authorization code flow and managing the session cookie...

[sberyozkin]

Re the token modification, what exactly do you have in mind, we have API that can take an existing JWT in and build a new one, but it requires having access to the private signing key...

You can recreate a token from JWT like this: https://github.com/quarkusio/quarkus/blob/main/extensions/oidc-token-propagation/runtime/src/main/java/io/quarkus/oidc/token/propagation/JsonWebTokenRequestFilter.java#L35

Once you do Jwt.claims(jwt), it returns a claims builder that you can use to augment the token and then sign, you can use a secret key or private key, directly or picked up from the configuration

[luca-bassoricci]

Using a custom HttpAuthenticationMechanism works really well!
Thanks for your time!

Luca

[sberyozkin]

@luca-bassoricci Great, glad you made it work