diff --git a/docs/src/main/asciidoc/security-testing.adoc b/docs/src/main/asciidoc/security-testing.adoc index 31c92f70d360e6..4726cf34b4bf38 100644 --- a/docs/src/main/asciidoc/security-testing.adoc +++ b/docs/src/main/asciidoc/security-testing.adoc @@ -9,6 +9,7 @@ include::./attributes.adoc[] This document describes how to test Quarkus Security. +[[configuring-user-information]] == Configuring User Information You can use link:security-properties[quarkus-elytron-security-properties-file] for testing security. This supports both embedding user info in `application.properties` and standalone properties files. diff --git a/docs/src/main/asciidoc/security.adoc b/docs/src/main/asciidoc/security.adoc index 6a1cd600fc2009..e45a19b21d8019 100644 --- a/docs/src/main/asciidoc/security.adoc +++ b/docs/src/main/asciidoc/security.adoc @@ -96,6 +96,7 @@ For example, `quarkus-oidc` uses its own `IdentityProvider` to convert a token t If you use `Basic` or `Form` HTTP-based authentication then you have to add an `IdentityProvider` which can convert a user name and password to `SecurityIdentity`. See link:security-jpa[JPA IdentityProvider] and link:security-jdbc[JDBC IdentityProvider] for more information. +You can also use link:security-testing#configuring-user-information[User Properties IdentityProvider] for testing. == Combining Authentication Mechanisms diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcJsonWebTokenProducer.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcJsonWebTokenProducer.java index 6df9def69bb991..34dfbefb2f1838 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcJsonWebTokenProducer.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcJsonWebTokenProducer.java @@ -8,6 +8,7 @@ import org.eclipse.microprofile.jwt.Claims; import org.eclipse.microprofile.jwt.JsonWebToken; +import org.jboss.logging.Logger; import org.jose4j.jwt.JwtClaims; import org.jose4j.jwt.consumer.InvalidJwtException; import org.jose4j.jwt.consumer.JwtConsumerBuilder; @@ -24,6 +25,7 @@ @Alternative @RequestScoped public class OidcJsonWebTokenProducer { + private static final Logger LOG = Logger.getLogger(OidcJsonWebTokenProducer.class); @Inject SecurityIdentity identity; @@ -77,6 +79,7 @@ private JsonWebToken getTokenCredential(Class type) { return new OidcJwtCallerPrincipal(jwtClaims, credential); } String tokenType = type == AccessTokenCredential.class ? "access" : "ID"; - throw new OIDCException("Current identity is not associated with an " + tokenType + " token"); + LOG.tracef("Current identity is not associated with an %s token", tokenType); + return new NullJsonWebToken(); } } diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTokenCredentialProducer.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTokenCredentialProducer.java index f29e5f85b622f6..2ee0952e4880d7 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTokenCredentialProducer.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTokenCredentialProducer.java @@ -4,6 +4,8 @@ import javax.enterprise.inject.Produces; import javax.inject.Inject; +import org.jboss.logging.Logger; + import io.quarkus.oidc.AccessTokenCredential; import io.quarkus.oidc.IdTokenCredential; import io.quarkus.oidc.OIDCException; @@ -13,7 +15,7 @@ @RequestScoped public class OidcTokenCredentialProducer { - + private static final Logger LOG = Logger.getLogger(OidcTokenCredentialProducer.class); @Inject SecurityIdentity identity; @@ -25,19 +27,34 @@ public class OidcTokenCredentialProducer { @Produces @RequestScoped IdTokenCredential currentIdToken() { - return identity.getCredential(IdTokenCredential.class); + IdTokenCredential cred = identity.getCredential(IdTokenCredential.class); + if (cred == null) { + LOG.trace("IdTokenCredential is null"); + cred = new IdTokenCredential(); + } + return cred; } @Produces @RequestScoped AccessTokenCredential currentAccessToken() { - return identity.getCredential(AccessTokenCredential.class); + AccessTokenCredential cred = identity.getCredential(AccessTokenCredential.class); + if (cred == null) { + LOG.trace("AccessTokenCredential is null"); + cred = new AccessTokenCredential(); + } + return cred; } @Produces @RequestScoped RefreshToken currentRefreshToken() { - return identity.getCredential(RefreshToken.class); + RefreshToken cred = identity.getCredential(RefreshToken.class); + if (cred == null) { + LOG.trace("RefreshToken is null"); + cred = new RefreshToken(); + } + return cred; } /** diff --git a/integration-tests/oidc/pom.xml b/integration-tests/oidc/pom.xml index 2e4079086fab88..c616f218a92073 100644 --- a/integration-tests/oidc/pom.xml +++ b/integration-tests/oidc/pom.xml @@ -53,8 +53,11 @@ awaitility test - + + io.quarkus + quarkus-elytron-security-properties-file-deployment + io.quarkus quarkus-oidc-deployment diff --git a/integration-tests/oidc/src/main/java/io/quarkus/it/keycloak/UsersResource.java b/integration-tests/oidc/src/main/java/io/quarkus/it/keycloak/UsersResource.java index 14bead7f636a69..2ea179a6881536 100644 --- a/integration-tests/oidc/src/main/java/io/quarkus/it/keycloak/UsersResource.java +++ b/integration-tests/oidc/src/main/java/io/quarkus/it/keycloak/UsersResource.java @@ -1,7 +1,5 @@ package io.quarkus.it.keycloak; -import java.security.Principal; - import javax.annotation.security.RolesAllowed; import javax.inject.Inject; import javax.ws.rs.GET; @@ -11,6 +9,8 @@ import org.eclipse.microprofile.jwt.JsonWebToken; +import io.quarkus.security.identity.SecurityIdentity; + /** * @author Pedro Igor */ @@ -18,14 +18,14 @@ public class UsersResource { @Inject - Principal identity; + SecurityIdentity identity; @GET @Path("/me") @RolesAllowed("user") @Produces(MediaType.APPLICATION_JSON) public User principalName() { - return new User(identity.getName()); + return new User(identity.getPrincipal().getName()); } @GET @@ -33,7 +33,7 @@ public User principalName() { @RolesAllowed("user") @Produces(MediaType.APPLICATION_JSON) public User preferredUserName() { - return new User(((JsonWebToken) identity).getClaim("preferred_username")); + return new User(((JsonWebToken) identity.getPrincipal()).getClaim("preferred_username")); } public static class User { diff --git a/integration-tests/oidc/src/main/resources/application.properties b/integration-tests/oidc/src/main/resources/application.properties index 423e0a93117e10..2a425123ef58e6 100644 --- a/integration-tests/oidc/src/main/resources/application.properties +++ b/integration-tests/oidc/src/main/resources/application.properties @@ -3,5 +3,11 @@ quarkus.oidc.auth-server-url=${keycloak.ssl.url}/realms/quarkus/ quarkus.oidc.client-id=quarkus-app quarkus.oidc.credentials.secret=secret quarkus.oidc.token.principal-claim=email -quarkus.http.cors=true quarkus.oidc.tls.verification=none +quarkus.http.cors=true + +quarkus.http.auth.basic=true +quarkus.security.users.embedded.enabled=true +quarkus.security.users.embedded.plain-text=true +quarkus.security.users.embedded.users.alice=password +quarkus.security.users.embedded.roles.alice=user diff --git a/integration-tests/oidc/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java b/integration-tests/oidc/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java index ba94d9db19aa67..ae0c79dadc6c5f 100644 --- a/integration-tests/oidc/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java +++ b/integration-tests/oidc/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java @@ -5,7 +5,9 @@ import static org.awaitility.Awaitility.await; import static org.hamcrest.Matchers.equalTo; +import java.nio.charset.StandardCharsets; import java.util.Arrays; +import java.util.Base64; import java.util.concurrent.TimeUnit; import org.hamcrest.Matchers; @@ -58,6 +60,17 @@ public void testSecureAccessSuccessCustomPrincipal() { } } + @Test + public void testBasicAuth() { + byte[] basicAuthBytes = "alice:password".getBytes(StandardCharsets.UTF_8); + RestAssured.given() + .header("Authorization", "Basic " + Base64.getEncoder().encodeToString(basicAuthBytes)) + .when().get("/api/users/me") + .then() + .statusCode(200) + .body("userName", equalTo("alice")); + } + @Test public void testSecureAccessSuccessPreferredUsername() { for (String username : Arrays.asList("alice", "jdoe", "admin")) {