Adding JWT claims in request filter

[Ivan St. Ivanov]

Hi everyone,

I have the following case in a Quarkus application. I receive requests that are authenticated elsewhere and the auth provider generates a JWT with some claims inside.

I'd like in a request filter (no matter what - Vert.x or JAX-RS) to intercept that request, read the value of a certain claim from that original JWT, based on that set the value of the groups claim and then pass the request through.

Is that possible at all?

Thanks,
Ivan

[Sergey Beryozkin]

Hi Ivan

If you have a re-signing key then yes, sure, for example, `quarkus-oidc-token-propagation` can do it to set a new issuer/audience before propagating:

https://github.com/quarkusio/quarkus/blob/main/extensions/oidc-token-propagation/runtime/src/main/java/io/quarkus/oidc/token/propagation/JsonWebTokenRequestFilter.java#L35

Note there an incoming token's claims are collected, new issuer/audience are set (these are configured in `application.properties`) and the token is re-signed - without resigning the token signature verification will fail once it reaches its target.

So you can just do

JwtClaimsBuilder builder = Jwt.claims(currentJwt);

// add few claims and

builder.sign();

I'd not mind updating that filter to recognize other custom claims, it can just be a config map.

Let me know if it can be of interest or you can easily write a custom filter if you'd like

thanks, Sergey

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CACYLA9HCufd_jjuwg7Vkc9kN%2B6iiD6mKAq9Htw2wKUhT8OdSCw%40mail.gmail.com.

[Sergey Beryozkin]

Using a token exchange can be a better way to achieve something similar - those filters support it - so if you work with Keycloak then you can experiment with it as well...

Sergey

[Sergey Beryozkin]

I have probably misunderstood the question, I assumed that task was to reaugment and propagate the token to the next hop but after re-reading it looks like you'd like to update the token for the current endpoint's RBAC layer to react correctly - in this case the simplest option is to use SecurityidentityAugmentor:

https://quarkus.io/guides/security-customization#security-identity-customization

You can cast SecurityIdentity.getPrincipal to JsonWebToken, and after checking the claims, if needed, copy construct a new identity and add a new role with the builder...

If it is just about a custom claim (but not `groups`) has the roles info then even a simpler alternative is to use `quarkus.oidc.roles.role-claim-path=path/to-custom/claim` (with quarkus-oidc) or `smallrye.jwt.path.groups=path/to-custom/claim` (with quarkus-smalrye-jwt)

Sergey

[Ivan St. Ivanov]

Hi Sergey,

Thank you very much for your answers.

Indeed, my goal is to update the token for the current endpoint within the same app. And certainly not for another hop. So I'll give SecurityIdentityAugmentor a try.

Actually I will need a mapping between general roles within the organization coming in another claim to custom application roles that I'd like to put in the groups claim. So the simpler alternative won't work for this case. But thanks for mentioning it!

Cheers,

Ivan