Improve the OIDC/OAuth2 documentation #10653

Merged
merged 1 commit into from
Jul 13, 2020

Conversation

sberyozkin (Member):

Fixes #10363
Fixes #10587

@sberyozkin (Member Author):

I've tried to interlink all the OIDC/OAuth2 docs, clarify a few things, also added a section about the roles, etc
Hi Loic - did a tiny update to the OAuth2 guide, I was keen to mention it can verify JWT via the introspection too :-) but I suppose it is better to continue stressing that the OAuth2 extension can only verify the opaque tokens to minimize the confusion

@loicmathieu (Contributor) left a comment:

Looks good but I added some questions / feedback

This guide explains how your Quarkus application can utilize MicroProfile Json Web Token (link:https://jwt.io/[JWT])
Role-Based Access Control (link:https://en.wikipedia.org/wiki/Role-based_access_control[RBAC]) to provide
secured access to the JAX-RS endpoints.
This guide explains how your Quarkus application can utilize MicroProfile JWT (MP JWT) to verify https://tools.ietf.org/html/rfc7519[JSON Web Token]s, represent them as MP JWT `JsonWebToken` and provide secured access to the JAX-RS endpoints using Bearer Token Authorization and https://en.wikipedia.org/wiki/Role-based_access_control[Role-Based Access Control].
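Review bot: `JsonWebToken` in the new sentence should be written out as the fully qualified `org.eclipse.microprofile.jwt.JsonWebToken` so the reader knows which artifact to import, and "JAX-RS endpoints" undersells the scope, since Bearer Token Authorization applies to any Quarkus HTTP endpoint (Servlet and reactive routes included). Consider also spelling out what "verify" covers (signature against the configured key, `iss`, `exp`), because that is the guarantee a reader of a security guide is relying on.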
loicmathieu (Contributor):

represent them as MP JWT JsonWebToken

Maybe give the fully qualified class name instead: represent them as `org.microprofile.i-don't-know-which-package.JsonWebToken`.

Also, security is not only for JAX-RS endpoints, right? It also works for Servlet and reactive routes.

@sberyozkin (Member Author) Jul 13, 2020:

@loicmathieu thanks for the comments, sure I'll just say Quarkus HTTP endpoints


This guide demonstrates how to use the OpenID Connect Extension to protect your application using Quarkus, where authentication and authorization are based on tokens issued by OpenId Connect and OAuth 2.0 compliant Authorization Servers such as https://www.keycloak.org/about.html[Keycloak].
This guide demonstrates how to use Quarkus OpenID Connect Extension to protect your JAX-RS applications using OpenId Connect Authorization Code Flow supported by OpenId Connect compliant Authorization Servers such as https://www.keycloak.org/about.html[Keycloak].
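Review bot: the rewritten sentence narrows the guide from "tokens issued by OpenId Connect and OAuth 2.0 compliant Authorization Servers" to the Authorization Code Flow only, so the bearer-token case the old sentence covered now needs an explicit pointer to the bearer token guide, otherwise readers arriving for that use case have no path forward. Same scope point as above: "JAX-RS applications" should read as Quarkus HTTP applications. Minor: the specification is named "OpenID Connect" (capital D), so "OpenId Connect" should be corrected wherever it appears in the guide.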
loicmathieu (Contributor):

Same here, it's not only JAX-RS that you can protect


== Token Claims And SecurityIdentity Roles

The way the roles are mapped to the SecurityIdentity roles from the verified tokens is identical to how it is done for the link:security-openid-connect#token-claims-and-securityidentity-roles[bearer tokens] with the only difference being is that ID JWT token is used as a source of the roles by default.
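Review bot: "with the only difference being is that ID JWT token is used" has a doubled verb; make it "the only difference being that the ID token is used". "ID JWT token" is also undefined at this point: name it as the OpenID Connect ID token returned next to the access token in the code-flow token response, and say how to change the roles source when the provider puts the roles in the access token instead. A Keycloak-style access token may carry `realm_access.roles` while the ID token carries no roles claim at all, in which case the SecurityIdentity ends up with no roles and every `@RolesAllowed` endpoint answers 403, which is exactly the confusion this section is meant to remove.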
loicmathieu (Contributor):

It's not clear to me what an ID JWT token is.

sberyozkin (Member Author):

@loicmathieu I'll change it to just ID token, it is returned, alongside access token, as part of the OIDC code flow, https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse

@loicmathieu (Contributor):

@sberyozkin

I was keen to mention it can verify JWT via the introspection too :-) but I suppose it is better to continue stressing that the OAuth2 extension can only verify the opaque tokens to minimize the confusion

I agree, let's keep the oauth2 extension for opaque tokens only, even if it can validate a JWT token; we should keep the documentation as simple as possible and document the best way to do things.
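The two things this thread keeps coming back to, shown as one added, runnable Python example that is not part of this PR or of Quarkus: a bearer token is either a JWT that can be verified locally (what the MP JWT and OIDC guides cover) or an opaque token that has to be sent to the provider's introspection endpoint (what the OAuth2 guide is kept to), and only after that verification are the token's claims mapped to SecurityIdentity roles, with the code flow handing back an ID token and an access token that may put the roles in different claims. Everything concrete here is an assumption made for the example: the issuer URL, client id, shared secret, the in-memory table standing in for the RFC 7662 introspection endpoint, and the sample tokens. Signatures use HS256 over a shared secret so the code runs offline; a real OpenID Connect provider signs with an asymmetric algorithm such as RS256 and the verifier fetches the public key from the provider's JWKS endpoint.

```python
"""Added example (not Quarkus code): verify a bearer token, locally for a JWT or
via introspection for an opaque token, then map its claims to roles.
HS256 with a shared secret stands in for the provider's asymmetric signature
so the example runs offline; issuer, client id, secret and tokens are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"                    # constructed stand-in for the provider key
ISSUER = "https://issuer.example.com/realms/quarkus"  # assumed issuer URL
CLIENT_ID = "backend-service"                         # assumed client id


class TokenError(Exception):
    """Raised when a token must be rejected; the message is the reason."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims):
    """Mint an HS256 JWT. Only used here to build sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, now=None):
    """Local verification: signature first, then iss, aud and exp. Returns the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a JWS compact serialization")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    # Pin the algorithm: the token's own "alg" header is attacker-controlled.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    return claims


# Constructed stand-in for the provider's RFC 7662 introspection endpoint.
INTROSPECTION_DB = {
    "opaque-abc123": {"active": True, "sub": "bob", "realm_access": {"roles": ["user"]}},
}


def introspect(token):
    """An opaque token carries no claims; only the provider can say if it is active."""
    resp = INTROSPECTION_DB.get(token, {"active": False})
    if not resp.get("active"):
        raise TokenError("token inactive or unknown")
    return resp


def roles_from_claims(claims, claim_path):
    """Walk a slash-separated claim path such as 'realm_access/roles'."""
    node = claims
    for key in claim_path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return set()
        node = node[key]
    return set(node) if isinstance(node, list) else {str(node)}


def build_identity(token, claim_path, now=None):
    """Verified claims -> SecurityIdentity-like dict. Two dots means JWT, else opaque."""
    claims = verify_jwt(token, now) if token.count(".") == 2 else introspect(token)
    return {"principal": claims["sub"], "roles": roles_from_claims(claims, claim_path)}


def rejects(token, claim_path="groups", now=None):
    """Rejection reason for a token, or None when it is accepted."""
    try:
        build_identity(token, claim_path, now)
        return None
    except TokenError as err:
        return str(err)


def sample_code_flow_response(now):
    """Constructed OIDC code-flow token response: the ID token and the access token
    carry the roles in different claims, which is why the default roles source matters."""
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "iat": now, "exp": now + 300}
    return {
        "id_token": sign_jwt({**base, "groups": ["admin"]}),
        "access_token": sign_jwt({**base, "realm_access": {"roles": ["admin", "user"]}}),
    }
```

Point `build_identity` at the access token with the ID token's claim path (`groups`) and the identity comes back with an empty role set even though the token verified cleanly; that silent outcome, rather than a rejection, is the case the roles section has to warn readers about when they switch the roles source or the claim path.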

@loicmathieu (Contributor) left a comment:

LGTM

@sberyozkin (Member Author):

@loicmathieu @pedroigor Thanks, I'll be following up with more updates around the security and OIDC docs, cheers

@sberyozkin sberyozkin merged commit 825e4dd into quarkusio:master Jul 13, 2020
@famod (Member) commented Jul 13, 2020:

@sberyozkin This seems to have broken the documentation module in master?

2020-07-13T16:36:52.8471210Z [ERROR] Failed to execute goal org.asciidoctor:asciidoctor-maven-plugin:2.0.0:process-asciidoc (output-pdf) on project quarkus-documentation: Found 92 issue(s) of severity WARN or higher during conversion -> [Help 1]
2020-07-13T16:36:52.8486147Z org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.asciidoctor:asciidoctor-maven-plugin:2.0.0:process-asciidoc (output-pdf) on project quarkus-documentation: Found 92 issue(s) of severity WARN or higher during conversion
2020-07-13T16:36:52.8492076Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2020-07-13T16:36:52.8497310Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
2020-07-13T16:36:52.8502280Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
2020-07-13T16:36:52.8508954Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
2020-07-13T16:36:52.8515171Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
2020-07-13T16:36:52.8522291Z     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
2020-07-13T16:36:52.8527841Z     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
2020-07-13T16:36:52.8531742Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
2020-07-13T16:36:52.8535933Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
2020-07-13T16:36:52.8539799Z     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
2020-07-13T16:36:52.8543568Z     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
2020-07-13T16:36:52.8547441Z     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
2020-07-13T16:36:52.8551124Z     at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
2020-07-13T16:36:52.8555627Z     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
2020-07-13T16:36:52.8561053Z     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
2020-07-13T16:36:52.8567013Z     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
2020-07-13T16:36:52.8570240Z     at java.lang.reflect.Method.invoke (Method.java:566)
2020-07-13T16:36:52.8575456Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
2020-07-13T16:36:52.8580239Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
2020-07-13T16:36:52.8585715Z     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
2020-07-13T16:36:52.8590279Z     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
2020-07-13T16:36:52.8597360Z Caused by: org.apache.maven.plugin.MojoExecutionException: Found 92 issue(s) of severity WARN or higher during conversion
2020-07-13T16:36:52.8602471Z     at org.asciidoctor.maven.AsciidoctorMojo.execute (AsciidoctorMojo.java:247)
2020-07-13T16:36:52.8608593Z     at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
2020-07-13T16:36:52.8613592Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
2020-07-13T16:36:52.8618580Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
2020-07-13T16:36:52.8623583Z     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
2020-07-13T16:36:52.8629921Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
2020-07-13T16:36:52.8636324Z     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
2020-07-13T16:36:52.8643464Z     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
2020-07-13T16:36:52.8648826Z     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
2020-07-13T16:36:52.8652874Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
2020-07-13T16:36:52.8656941Z     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
2020-07-13T16:36:52.8660883Z     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
2020-07-13T16:36:52.8664625Z     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
2020-07-13T16:36:52.8668303Z     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
2020-07-13T16:36:52.8671977Z     at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
2020-07-13T16:36:52.8676622Z     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
2020-07-13T16:36:52.8682252Z     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
2020-07-13T16:36:52.8688217Z     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
2020-07-13T16:36:52.8691283Z     at java.lang.reflect.Method.invoke (Method.java:566)
2020-07-13T16:36:52.8696994Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
2020-07-13T16:36:52.8702190Z     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
2020-07-13T16:36:52.8707367Z     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
2020-07-13T16:36:52.8712272Z     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

I can reproduce this locally and once I do git checkout d7fa26d4cd7beababd8f7b93125dd02ac754dbd2 the problem vanishes.

/cc @geoand & @gastaldi

@gastaldi (Contributor):

I can confirm that by reverting commit dfdcad9 the build works again

@geoand (Contributor) commented Jul 13, 2020:

Yup, saw this in one of my PRs as well


Successfully merging this pull request may close these issues.

Document how to get the roles with quarkus-oidc
Improve Authentication Documentation
7 participants