1 Reply Latest reply on Jul 25, 2018 2:20 AM by Martin Choma

    Elytron with JWT and OIDC

    Erik Mattheis Newbie

      Apologies in advance if this is covered already, but I have spent a lot of time searching around and haven't found anything conclusive.

      I'm trying to configure a REST web service to accept JWT bearer tokens for authentication as part of an OIDC implicit workflow. This is pretty well covered with servlet filter and JAX-RS interceptor examples on the web, but I'm interested in tying into the Elytron subsystem in Wildfly (and Wildfly-Swarm Thorntail) to take advantage of container-managed security across the platform. We have a legacy SAML integration with our IDP on JBoss EAP and it works nicely to separate the mechanics of auth from the application code where we rely on the standard getUserPrincipal and isUserInRole style Java EE APIs.

      While looking for answers, I've seen mention of the included token realm in Elytron:

      http://docs.wildfly.org/12/WildFly_Elytron_Security.html#provided-components

      And I've found code that seems to indicate support for JWT bearer tokens:

      https://github.com/wildfly-security/wildfly-elytron/blob/master/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java

      https://github.com/wildfly-security/elytron-web/blob/master/undertow/src/test/java/org/wildfly/elytron/web/undertow/server/BearerTokenAuthenticationTest.java

      But, I haven't found a guide or example that explains how to configure things. I'm hoping there's a way to configure a web application such that Elytron will look for a JWT bearer token in the HTTP Authorization header, validate the signature based on a configured key and populate the principal and roles based on claims in the token. Ideally there would be a pluggable mechanism for extracting/mapping roles from custom payloads in the JWT claims. If anyone has any guidance, I'd love to hear it before I dig in further.

      Also, I did see Darran's blog post about custom HTTP auth:

      http://darranl.blogspot.com/2018/02/wildfly-elytron-implementing-custom.html

      So I could do everything in custom code, I suppose, but it seems a shame to reinvent something that seems to already exist in the core of Elytron.

      --

      Erik
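The setup the question asks for (token realm, BEARER_TOKEN mechanism, principal and roles taken from claims) can be expressed as a jboss-cli script. The following is an added example, not part of the original post or of any reply in the thread, and not WildFly project code; the issuer, audience, key material and all resource names (jwt-realm, from-roles-claim, jwt-domain, jwt-http-auth, jwt-app) are placeholders chosen for illustration. It assumes the IdP signs tokens with an RSA key whose PEM public key is pasted into public-key, and that roles arrive in a claim named "roles".

```jboss-cli
# Constructed example: wire Elytron's token realm to a deployment so the
# BEARER_TOKEN HTTP mechanism validates a JWT taken from the Authorization
# header. Every value below is a placeholder to be replaced with the IdP's own.
batch

# 1. Token realm: a JWT is accepted only if "iss" and "aud" match the lists
#    here AND its signature verifies against the pinned PEM public key.
#    The "sub" claim becomes the principal name; the other claims are exposed
#    as identity attributes so a role decoder can read them.
/subsystem=elytron/token-realm=jwt-realm:add( \
    principal-claim="sub", \
    jwt={ \
        issuer=["https://idp.example.com/"], \
        audience=["my-rest-api"], \
        public-key="-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-PEM-BODY\n-----END PUBLIC KEY-----" \
    })

# 2. Role decoder: map the "roles" claim (as an identity attribute) to roles.
#    A custom-role-decoder (class-name + module) can be substituted here when
#    the claim layout is not a flat list, which is the pluggable mapping the
#    question asks about.
/subsystem=elytron/simple-role-decoder=from-roles-claim:add(attribute="roles")

# 3. Security domain combining the realm and the role decoder.
/subsystem=elytron/security-domain=jwt-domain:add( \
    realms=[{realm=jwt-realm, role-decoder=from-roles-claim}], \
    default-realm=jwt-realm, \
    permission-mapper=default-permission-mapper)

# 4. HTTP authentication factory offering only the BEARER_TOKEN mechanism,
#    so no form/basic fallback is advertised on this endpoint.
/subsystem=elytron/http-authentication-factory=jwt-http-auth:add( \
    security-domain=jwt-domain, \
    http-server-mechanism-factory=global, \
    mechanism-configurations=[{mechanism-name="BEARER_TOKEN"}])

# 5. Undertow application security domain; the deployment selects it with
#    <security-domain>jwt-app</security-domain> in jboss-web.xml.
/subsystem=undertow/application-security-domain=jwt-app:add( \
    http-authentication-factory=jwt-http-auth)

run-batch
reload
```

With this in place the application keeps using the standard container APIs: `getUserPrincipal()` yields the value of the "sub" claim and `isUserInRole()` consults the decoded "roles" claim, while the web.xml security-constraint still decides which paths require authentication. Pinning the public key and restricting issuer and audience are what prevent a token minted by another issuer, or for a different client, from being accepted; rotate the configured key together with the IdP's signing key.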