quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

No way to configure publickey algorithm in quarkus-oidc #39482

Closed wesleysalimansdvb closed 5 months ago

wesleysalimansdvb commented 6 months ago

Description

Hi, right now it is only possible to give a RSA256 public key. https://github.com/quarkusio/quarkus/blob/main/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java#L547

As the company I work for also has ES256 public keys, these cannot be decoded right now (as the algorithm is not supported)

Implementation ideas

Would it be possible to extend quarkus-oidc with a quarkus.oidc.public-key-algorithm property so that different types of keys (those defined in io.smallrye.jwt.algorithm.SignatureAlgorithm) can also be supported?

I wouldn't mind proposing the change myself :)

quarkus-bot[bot] commented 6 months ago

/cc @pedroigor (oidc), @sberyozkin (oidc)

sberyozkin commented 6 months ago

@wesleysalimansdvb This is only for the local tests; tokens issued by the provider and signed by EC keys will be accepted. Do you need to use EC keys locally for tests?

wesleysalimansdvb commented 6 months ago

No, I want to decode EC public keys in production, not for testing. Would this be possible?

sberyozkin commented 6 months ago

@wesleysalimansdvb Can you please clarify what type of flow you have in mind? If you work with an OIDC provider which has a public JWKS endpoint with the JWK set containing the EC verification keys, it must work as expected.

wesleysalimansdvb commented 6 months ago

This also requires me to set the auth-server-url (which I do not have). I just want to use the JWKS endpoint for verifying bearer tokens.

sberyozkin commented 6 months ago

@wesleysalimansdvb

> This also requires me to set the auth-server-url (which I do not have). I just want to use the JWKS endpoint for verifying bearer tokens.

With quarkus-oidc you can handle it by setting auth-server-url to some base URL, disabling the discovery with quarkus.oidc.discovery-enabled=false and setting quarkus.oidc.jwks-path=/myjwks.

Alternatively, you may want to look at quarkus-smallrye-jwt; have you considered it? quarkus-oidc is really about working with the tokens issued by OIDC or OAuth2 providers, while quarkus-smallrye-jwt has much better support for dealing with self-issued tokens, for example. See https://quarkus.io/guides/security-authentication-mechanisms#oidc-jwt-oauth2-comparison
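The setup described in the comment above, written out as an application.properties fragment. This is an added example, not configuration from the issue or the Quarkus project; the base URL, the tenant name `partner` and its JWKS path are constructed placeholders, and the explicit issuer/audience checks are an assumption about what a deployment without discovery should pin down itself, since nothing is learned from provider metadata when discovery is off.

```properties
# Default tenant: no discovery, keys fetched directly from the JWKS endpoint.
# The base URL is only used to resolve the relative jwks-path.
quarkus.oidc.auth-server-url=https://issuer.example.com
quarkus.oidc.discovery-enabled=false
quarkus.oidc.jwks-path=/myjwks
quarkus.oidc.application-type=service

# Assumption: with discovery disabled the expected issuer is not discovered,
# so pin it (and the audience) so tokens from another issuer are rejected.
quarkus.oidc.token.issuer=https://issuer.example.com
quarkus.oidc.token.audience=my-api

# Second tenant (constructed name "partner") using the quarkus.oidc.<tenant>.* form,
# as the multi-tenant setup the reporter mentions below; same pattern, own JWKS.
quarkus.oidc.partner.auth-server-url=https://partner-issuer.example.org
quarkus.oidc.partner.discovery-enabled=false
quarkus.oidc.partner.jwks-path=/keys
quarkus.oidc.partner.application-type=service
quarkus.oidc.partner.token.issuer=https://partner-issuer.example.org
quarkus.oidc.partner.token.audience=my-api
```

Both ES256 and RS256 keys published in the JWK set are usable for verification; the key is chosen by the token's kid/alg, so no public-key-algorithm property is needed in this mode.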

wesleysalimansdvb commented 5 months ago

Yes, we have looked at quarkus-smallrye-jwt, but that library doesn't support multi-tenancy. I have gotten it to work though, with the info you provided. Thanks again for your help, we can close this issue :)