Tags: vert.x, quarkus, quarkus-oidc

OpenID access token sent in body, put it in the header


I have a legacy JAX-RS request. I can't change it. Its body has an OpenID access token. I want to validate it using quarkus-oidc. My idea is to read the body and put the token into the Authorization header.

I tried to use ContainerRequestFilter with and without Quarkus proactive auth, but it looks like the Quarkus auth checks happen way before JAX-RS, somewhere in Vert.x.

I found this Quarkus Custom authorization interceptors, but it works only if the access token is in a query string.

How do I read the request body and write the access token into the headers before quarkus-oidc checks the access token?


Solution

  • I fixed it! Not sure if this is the most correct way to do what I want, but it looks like it works reliably.

    import io.quarkus.vertx.web.RouteFilter;
    import io.vertx.core.http.HttpMethod;
    import io.vertx.core.json.DecodeException;
    import io.vertx.core.json.JsonObject;
    import io.vertx.ext.web.RoutingContext;
    import io.vertx.ext.web.handler.BodyHandler;
    
    public class JoinServerRequestSecurityRouterFilter {
    
        // Route filters with a higher priority run first, so this one buffers the body
        // before copyAccessToken (priority 2999) reads it. Both run before quarkus-oidc
        // looks at the Authorization header.
        @RouteFilter(3000)
        public void extractBody(RoutingContext context) {
            if (context.request().method() != HttpMethod.POST) {
                context.next();
                return;
            }
    
            if (!"/session-service/join".equals(context.normalizedPath())) {
                context.next();
                return;
            }
            // false = do not handle file uploads. BodyHandler reads the whole body into the
            // context and calls context.next() itself once it is buffered.
            BodyHandler bodyHandler = BodyHandler.create(false);
            bodyHandler.handle(context);
        }
    
        @RouteFilter(3000 - 1)
        public void copyAccessToken(RoutingContext context) {
            if (context.request().method() != HttpMethod.POST) {
                context.next();
                return;
            }
    
            if (!"/session-service/join".equals(context.normalizedPath())) {
                context.next();
                return;
            }
    
            JsonObject body;
            try {
                body = context.getBodyAsJson();
            } catch (DecodeException e) {
                // Body is not valid JSON: leave the request untouched and let the
                // normal auth checks reject it.
                body = null;
            }
            if (body == null) {
                context.next();
                return;
            }
            String accessToken = body.getString("accessToken");
            // Only add the header when the body actually carries a token; otherwise
            // "Bearer null" would be sent to quarkus-oidc.
            if (accessToken != null && !accessToken.isEmpty()) {
                context.request().headers().add("Authorization", "Bearer " + accessToken);
            }
            context.next();
        }
    }
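A hardened variant of the same route-filter approach, written as an added example and not taken from the answer above or from the Quarkus project. It keeps the two-filter structure but adds the checks a reviewer would ask for: the buffered body is size-limited, only JSON requests are touched, an Authorization header the client already sent is never overwritten, and the value lifted out of the body must at least look like a compact JWT before it is promoted. The endpoint path, the JSON field name and the body limit are assumptions for illustration.

```java
import io.quarkus.vertx.web.RouteFilter;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.json.DecodeException;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BodyHandler;

import java.util.regex.Pattern;

public class HardenedJoinTokenFilter {

    // Hypothetical path and field name; adjust to the legacy endpoint you actually have.
    private static final String JOIN_PATH = "/session-service/join";
    private static final String TOKEN_FIELD = "accessToken";

    // Compact JWS shape: three base64url segments separated by dots. This rejects
    // whitespace, control characters and other junk before it reaches the header.
    private static final Pattern COMPACT_JWT =
            Pattern.compile("^[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+$");

    // Assumed limit: a join request with a token should be small, so refuse to buffer more.
    private static final long MAX_BODY_BYTES = 16 * 1024;

    private final BodyHandler bodyHandler = BodyHandler.create(false).setBodyLimit(MAX_BODY_BYTES);

    // Higher priority runs first: buffer the body for the next filter.
    @RouteFilter(3000)
    public void bufferBody(RoutingContext ctx) {
        if (!isJoinRequest(ctx)) {
            ctx.next();
            return;
        }
        bodyHandler.handle(ctx); // calls ctx.next() once the body is buffered (or fails on size limit)
    }

    // Runs after bufferBody but still before quarkus-oidc reads the Authorization header.
    @RouteFilter(2999)
    public void promoteToken(RoutingContext ctx) {
        if (!isJoinRequest(ctx)) {
            ctx.next();
            return;
        }

        // Never replace a header the client sent explicitly; quarkus-oidc will judge that one.
        if (ctx.request().headers().contains(HttpHeaders.AUTHORIZATION)) {
            ctx.next();
            return;
        }

        JsonObject body;
        try {
            body = ctx.getBodyAsJson();
        } catch (DecodeException e) {
            body = null; // malformed JSON: leave the request unauthenticated
        }

        String token = body == null ? null : body.getString(TOKEN_FIELD);
        if (token != null && COMPACT_JWT.matcher(token).matches()) {
            ctx.request().headers().set(HttpHeaders.AUTHORIZATION, "Bearer " + token);
        }
        ctx.next();
    }

    // Only POST + the join path + a JSON content type qualifies; everything else passes through.
    private static boolean isJoinRequest(RoutingContext ctx) {
        String contentType = ctx.request().getHeader(HttpHeaders.CONTENT_TYPE);
        return ctx.request().method() == HttpMethod.POST
                && JOIN_PATH.equals(ctx.normalizedPath())
                && contentType != null
                && contentType.startsWith("application/json");
    }
}
```

The shape check only fits JWT access tokens; if the provider issues opaque tokens that quarkus-oidc validates by introspection, replace the regex with a length and character-set check instead. Nothing here weakens the actual validation: the value copied out of the body is untrusted input exactly like any other Authorization header, and quarkus-oidc still verifies signature, issuer, audience and expiry once it sees it.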