Quarkus
In this bonus lab we'll see how a Quarkus Microservice can be extended to an OAuth 2.0 and OpenID Connect 1.0 compliant Resource Server.
See Quarkus OpenID Connect Security Guide for all details on how to build and configure a resource server requiring JWT bearer tokens.
Lab Contents
REST API
This Quarkus demo app just provides one secured endpoint at localhost:9096/hello.
To test if the application works as expected, either
open Postman and configure request for localhost:9096/hello
or use a command line like curl, httpie or postman (if you like a UI)
Httpie:
Curl:
At this stage the application will return a 401 status.
Users and roles
As this app uses the same Keycloak client configuration you can just use the same users as before:
Username
Password
Role
bwayne
bruce.wayne@example.com
wayne
LIBRARY_USER
bbanner
bruce.banner@example.com
banner
LIBRARY_USER
pparker
peter.parker@example.com
parker
LIBRARY_CURATOR
ckent
clark.kent@example.com
kent
LIBRARY_ADMIN
We will use Keycloak as identity provider. Please again make sure you have set up and running keycloak as described in Setup Keycloak.
Step 1: Generate the application
The easiest way to create a Quarkus application is usually by using the web based init application (similar to generating a spring boot application) by navigating your web browser to code.quarkus.io. As an alternative you may just use the maven based project creator instead. This application has been generated using the maven create command:
Step 2: Add dependencies
After generation has been finished, change into the created directory. To extend a Quarkus application into a resource server you have to make sure to add the 'quarkus-oidc' extension. This can be done using the following gradle command:
Step 3: Add OIDC configuration
Quarkus requires the base URL pointing to the OIDC discovery information to fetch the public key to validate a JWT token signature. This is what the Quarkus configuration looks like in application.properties:
With this configuration in place we have already a working resource server that can handle JWt access tokens transmitted via http bearer token header. Quarkus also validates by default:
the JWT signature against the queried public key(s) from jwks_url
that the JWT is not expired
Step 4: Secure the endpoint
Look into the class com.example.ServerApp to see how Quarkus secures the only REST endpoint, and returns the details of the JWT based principal:
Step 5: Run and test basic resource server
Just run the quarkus application in hot-deployment development mode by using the following gradle command:
Again we use the password grant flow request to get a token for calling our new service:
httpie:
curl:
This should return an access token together with a refresh token:
```http request HTTP/1.1 200 OK Content-Type: application/json
{ "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO...", "expires_in": 300, "not-before-policy": 1556650611, "refresh_expires_in": 1800, "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIg...", "scope": "profile email user", "session_state": "c92a82d1-8e6d-44d7-a2f3-02f621066968", "token_type": "bearer" }
curl:
You should now see something like this:
This concludes this Bonus Lab.
Last updated