Closed wesleysalimansdvb closed 5 months ago
/cc @pedroigor (oidc), @sberyozkin (oidc)
@wesleysalimansdvb This is only for the local tests; tokens issued by the provider and signed by EC keys will be accepted. Do you need to use EC keys locally for tests?
No I want to decode EC public keys in production, not for testing. Would this be possible?
@wesleysalimansdvb Can you clarify please what type of flow you have in mind? If you work with an OIDC provider which has a public JWKS endpoint with the JWK set containing the EC verification keys, it must work as expected.
This also requires me to set the auth-server-url (which I do not have). I just want to use the JWKS endpoint for verifying bearer tokens.
@wesleysalimansdvb

> This also requires me to set the auth-server-url (which I do not have). I just want to use the JWKS endpoint for verifying bearer tokens.

With quarkus-oidc you can handle it by setting auth-server-url to some base URL, disabling the discovery with quarkus.oidc.discovery-enabled=false, and setting quarkus.oidc.jwks-path=/myjwks.

Alternatively, you may want to look at quarkus-smallrye-jwt; have you considered it? quarkus-oidc is really about working with the tokens issued by OIDC or OAuth2 providers, while quarkus-smallrye-jwt has much better support for dealing with self-issued tokens, for example. See https://quarkus.io/guides/security-authentication-mechanisms#oidc-jwt-oauth2-comparison
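The workaround described in the comment above, written out as an application.properties fragment. This is an added illustration, not configuration from the issue or from the Quarkus project; the tenant name tenant-b, the base URLs, the JWKS paths and the issuer/audience values are assumed placeholders, and the issuer/audience checks are added because a signature that verifies against the JWKS does not by itself prove the token was meant for this service.

```properties
# Default tenant: no discovery document is available, so point Quarkus
# straight at the JWKS endpoint. jwks-path is resolved relative to
# auth-server-url, which only needs to be a base URL here.
quarkus.oidc.application-type=service
quarkus.oidc.auth-server-url=https://issuer.example.com
quarkus.oidc.discovery-enabled=false
quarkus.oidc.jwks-path=/myjwks
# Verify issuer and audience as well as the signature (assumed values).
quarkus.oidc.token.issuer=https://issuer.example.com
quarkus.oidc.token.audience=my-api

# A second static tenant (the thread mentions multi-tenancy), same pattern.
# Tenant-specific properties are prefixed with the tenant name.
quarkus.oidc.tenant-b.application-type=service
quarkus.oidc.tenant-b.auth-server-url=https://other-issuer.example.com
quarkus.oidc.tenant-b.discovery-enabled=false
quarkus.oidc.tenant-b.jwks-path=/jwks.json
quarkus.oidc.tenant-b.token.issuer=https://other-issuer.example.com
quarkus.oidc.tenant-b.token.audience=my-api
```

With discovery disabled, Quarkus fetches the key set from the configured path and picks the verification key by the token's kid header, so EC keys published in that JWKS are used without any extra algorithm property.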
Yes, we have looked at quarkus-smallrye-jwt, but that library doesn't support multi-tenancy. I have gotten it to work though, with the info you provided. Thanks again for your help; we can close this issue :)
Description
Hi, right now it is only possible to give an RSA256 public key: https://github.com/quarkusio/quarkus/blob/main/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java#L547
As the company I work for also has ES256 public keys, these cannot be decoded right now (as the algorithm is not supported).
Implementation ideas
Would it be possible to extend quarkus-oidc with a quarkus.oidc.public-key-algorithm property so that different types of keys (those defined in io.smallrye.jwt.algorithm.SignatureAlgorithm) can also be supported? I wouldn't mind proposing the change myself :)