search

quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0
13.44k stars 2.58k forks source link

OIDC configurations should configure Swagger UI #26615

Open StephenOTT opened 2 years ago

StephenOTT commented 2 years ago

Description

continuation of #26614

when you configure oidcwith configs such as the auth url with quarkus.oidc.auth-server-url=https://... the Dev Ui Swagger UI does not receive the proper configurations:

Example that in order for Swagger UI (Dev UI) to pickup the OIDC well known they have to provide the property quarkus.smallrye-openapi.oidc-open-id-connect-url, even though this url is already determined by quarkus.oidc.auth-server-url. Further more if quarkus.oidc.auth-server-url is provided then oidc should be made one of the auth types for Swagger UI: Currently you have to provide quarkus.smallrye-openapi.security-scheme=oidc or else swagger does not detect any of the configs.

Currently you have to also set:

quarkus.smallrye-openapi.oidc-open-id-connect-url=https://..../.well-known/openid-configuration
quarkus.smallrye-openapi.security-scheme=oidc
quarkus.swagger-ui.oauth-client-id=MY_CLIENT_ID
quarkus.swagger-ui.oauth-scopes=openid profile email

If you do not set the above, then the Swagger UI does not read from the well-known and the Auth modal does not work.

Implementation ideas

When you configure OIDC under quarkus.oidc it should also config the other missing props so swagger Ui functions with OIDC auth

See https://github.com/quarkusio/quarkus/issues/26614 for full working example

quarkus-bot[bot] commented 2 years ago

/cc @MikeEdgar, @pedroigor, @phillip-kruger, @sberyozkin

sberyozkin commented 2 years ago

Hey @phillip-kruger Can you please investigate when you get a chance ? Reading the metadata can be copied from OIDC Dev services code. Or we can consider some other options

sberyozkin commented 2 years ago

Moving some content from #26614 :

There are also some cleanups possible for the Dev UI Swagger UI:

Example that in order for Swagger UI (Dev UI) to pickup the OIDC well known they have to provide the property quarkus.smallrye-openapi.oidc-open-id-connect-url, even though this url is already determined by quarkus.oidc.auth-server-url. Further more if quarkus.oidc.auth-server-url is provided then oidc should be made one of the auth types for Swagger UI: Currently you have to provide quarkus.smallrye-openapi.security-scheme=oidc or else swagger does not detect any of the configs

# For Swagger UI in Dev UI:
# This needs to be set for Swagger UI in Dev Ui to pick up the endpoint.  Needs to be full path to well-known
quarkus.smallrye-openapi.oidc-open-id-connect-url=https://login.microsoftonline.com/MY_TENANT_ID/v2.0/.well-known/openid-configuration
#quarkus.smallrye-openapi.oidc-open-id-connect-url=https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

# Needed to define what auth to use or else Swagger UI does not work:
quarkus.smallrye-openapi.security-scheme=oidc
# Pre-populates Client ID in Swagger UI Auth:
quarkus.swagger-ui.oauth-client-id=MY_CLIENT_ID
# Pre-populates the scopes in Swagger UI Auth (Note the 4th "dummy scope" is required but will not show in the UI)
# Note the "dummy scope" that must be created (AzureAd>Your App>Expose an API>Add Scope) that will force the JWT to be issued instead of an opaque token
# When you create a scope for the first time it will have you create an Application ID URI.  You can copy the entire scope name from AzureAd>Your App>Expose an API>Under the "Scopes" section
# In order to receive the email claim you need to enable the Optional Claim "email" at: AzureAd>Your App>Token Configuration>Add optional claim>TokenType:Access>email
# If you omit email, the preferred_username is still provided, but it is not guaranteed to be an email: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
quarkus.swagger-ui.oauth-scopes=openid profile email api://Application_ID_URI/my.dummy.scope

@StephenOTT, looks like there is some duplication in the content I moved here from #26614, it duplicates the description, please remove here what is already listed in the description, or may be better, collapse it all in the description and delete this comment :-)

StephenOTT commented 2 years ago

@sberyozkin I updated the first comment. I think 99% of the comments in the snippet are more relevant for when using the Microsoft provider. For example the commentary on the dummy scope is purely related to the microsoft OIDC to force a JWT instead of receiving an opaque token.

pehunka commented 1 year ago

I may have a related issue. It seems like quarkus.smallrye-openapi.oidc-open-id-connect-url is fixed during the build time, but quarkus.oidc.auth-server-url is not. This is causing some headache when I'm changing oidc url trough environment variable. It will be great to have them both consistent and configurable during runtime. I could have same property expression for both values and change it trough env. variable.

femangl commented 7 months ago

Did run in the same problem like @pehunka. Are there any news / workarounds for the problem "quarkus.smallrye-openapi.oidc-open-id-connect-url is fixed during the build time"?

codespearhead commented 7 months ago

I can corroborate that, unlike quarkus.oidc.auth-server-url, quarkus.smallrye-openapi.oidc-open-id-connect-url value is fixed at build time.

The workaround is to provide it at build time via its respective environment variable:

QUARKUS_SMALLRYE_OPENAPI_OIDC_OPEN_ID_CONNECT_URL=...

MikeEdgar commented 6 months ago

Can any of those with this issue confirm whether or not your application uses @RolesAllowed or @Authenticated annotations on your REST endpoint methods? I believe this issue should be fixed by #38231 , but only if you are not using those annotations currently.

cc: @StephenOTT , @pehunka , @femangl , @codespearhead

StephenOTT commented 4 months ago

@MikeEdgar I Confirm that YES i am using RolesAllowed annotation.

Still seeing this issue as of 3.2.11

michalvavrik commented 4 months ago

@MikeEdgar I Confirm that YES i am using RolesAllowed annotation.

Still seeing this issue as of 3.2.11

https://github.com/quarkusio/quarkus/pull/38231 wasn't backported to 3.2.11, so that's alright. Can you please check with newest version?

marcelinobadin commented 1 month ago

Hello all. I am struggling with this. If QUARKUS_SMALLRYE_OPENAPI_OIDC_OPEN_ID_CONNECT_URL is fixed at build time, which strategy can I adopt to have different values among environments without building specific versions for each environment?

MikeEdgar commented 1 month ago

@marcelinobadin , although quarkus.smallrye-openapi.oidc-open-id-connect-url is currently fixed at build time, quarkus.oidc.auth-server-url is not. If you do not need to differentiate, you can ignore quarkus.smallrye-openapi.oidc-open-id-connect-url and just use quarkus.oidc.auth-server-url instead. Let us know if that's not working.

marcelinobadin commented 1 month ago

@MikeEdgar thank you. That worked. I was using the quarkus.smallrye-openapi.security-scheme=oidc and then I also removed it and it worked. Thank you very much.

fmatar commented 1 week ago

How would that work in a docker environment?

My setup works like charm in native mode and swagger with authentication through Keycloak in place. However I can't get it to work if the service is running in a docker environment. (Note that keycloak authentication is working)

Here's my config for reference:

QUARKUS_SMALLRYE_OPENAPI_SECURITY_SCHEME=oauth2-implicit
QUARKUS_SWAGGER_UI_OAUTH2_REDIRECT_URL=http://localhost:8080/q/swagger-ui/oauth2-redirect.html
QUARKUS_SWAGGER_UI_OAUTH_CLIENT_ID=api
QUARKUS_SWAGGER_UI_OAUTH_CLIENT_SECRET=xxxx
QUARKUS_SMALLRYE_OPENAPI_OAUTH2_IMPLICIT_AUTHORIZATION_URL=https://localhost:8443/realms/genfusion/protocol/openid-connect/auth

QUARKUS_DEV_UI_CORS_ENABLED=true