OpenID access token sent in body, put it in the header - vert.x

I have a legacy jax-rs request. I can't change it. It's body has OpenID access token. I want to validate it using quarkus-oidc. My idea is to read the body and put token to Authorization header.
I tried to use ContainerRequestFilter with and without quarkus proactive auth, but looks like quarkus auth checks happen way before jax-rs, somewhere in vert.x
I found this Quarkus Custom authorization interceptors, but it works only if access token is in a query string.
How do i read request body and write access token in the headers before quarkus-oidc checks access token?

I fixed! Not sure if this is most correct way to do what i want, but looks like it works reliably.
import io.quarkus.vertx.web.RouteFilter;
import io.vertx.core.http.HttpMethod;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BodyHandler;
public class JoinServerRequestSecurityRouterFilter {
#RouteFilter(3000)
public void extractBody(RoutingContext context) {
if (context.request().method() != HttpMethod.POST) {
context.next();
return;
}
if (!"/session-service/join".equals(context.normalizedPath())) {
context.next();
return;
}
BodyHandler bodyHandler = BodyHandler.create(false);
bodyHandler.handle(context);
}
#RouteFilter(3000 - 1)
public void copyAccessToken(RoutingContext context) {
if (context.request().method() != HttpMethod.POST) {
context.next();
return;
}
if (!"/session-service/join".equals(context.normalizedPath())) {
context.next();
return;
}
if (context.getBodyAsJson() == null) {
context.next();
return;
}
String accessToken = context.getBodyAsJson().getString("accessToken");
context.request().headers().add("Authorization", "Bearer " + accessToken);
context.next();
}
}

Related

keycloak throw authentication error from custom protocol mapper

I've crated a java custom protocol mapper extended from AbstractOIDCProtocolMapper
This mapper call a rest api, I want to show a custom message error on login based on te result of response. But I do not know how to do it
I am overriden the method
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession)
You can throw an Exception that extends org.keycloak.services.ErrorResponseException. There you can override
#Override
public Response getResponse() {
if (response != null) {
return response;
} else {
OAuth2ErrorRepresentation errorRep = new OAuth2ErrorRepresentation(error, errorDescription);
return Response.status(status).entity(errorRep).type(MediaType.APPLICATION_JSON_TYPE).build();
}
}
passing any object as entity to be returned as part of the response.

How to forward jwt token in Vert.x REST service

I have a Vert.x REST service that receive requests with jwt tokens, and I want to call my another REST service passing received token. Between router handler and WebClient call I have a business logic layer. My question is if there is a method to provide token to webClient other than passing it explicitly through my business logic layer? In other words is it possible to retrieve somehow my RoutingContext and token from e.g. vertxContext or an other component?
Example code demonstrating what I would like to achieve:
Verticle cass
public class RestApiVerticle extends AbstractVerticle {
businessLogicService service;
#Override
public void start() throws Exception {
initService();
HttpServer server = vertx.createHttpServer();
Router router = Router.router(vertx);
JWTAuth authProvider = JWTAuth.create(vertx, getAuthConfig());
router.route("/*").handler(JWTAuthHandler.create(authProvider));
router.route("/somePath").handler(this::handleRequest);
server.requestHandler(router::accept).listen(config().getInteger("port"));
}
private void handleRequest(RoutingContext context){
service.doSomeBusinessLogic(); //I could pass context here, but I thing this is not a proper way to do it, as business logic should not know about RequestContext
}
private void initService(){
ExternalAPICaller caller = new ExternalAPICaller(WebClient.create(vertx));
service = new BusinessLogicService(caller);
}
private JsonObject getAuthConfig() {
return new JsonObject();
}
}
BusinessLogicService:
public class BusinessLogicService {
ExternalAPICaller caller;
public BusinessLogicService(ExternalAPICaller caller){
this.caller = caller;
}
public void doSomeBusinessLogic(){
caller.doSth();
}
}
ExternalAPICaller:
public class ExternalAPICaller {
WebClient client;
public ExternalAPICaller(WebClient client){
this.client = client;
}
public void doSth(){
String TOKEN = null; // I would like to retrive here my token from some vertx component
client.post("externalAPIpath")
.putHeader("Authorization", "Bearer" + TOKEN)
.send(ctx -> {
//(..)
});
}
}
My implementation is in JavaScript (Node.js/Express), but I used cookies to send the JWT to the client.
res.cookie("auth", token);
return res.redirect(`http://localhost:3000/socialauthredirect`);
When you call your do business logic method you could pass the request authorization header value as it contains your untouched jwt token. Then on your web client add a header with that value and of course named authorization and your token is forwarded to the next service.

How does REST authentication work for client-side apps?

I'm trying to design my first public API, and I'm trying to learn how REST works with authentication, especially in the context of completely client-side apps using js-frameworks, e.g., angularJS.
Say you have a client which is a browser application (i.e., HTML, JS, CSS only) served as static files from something like nginx using a javascript framework to consume a REST service from, e.g. something that requires a secret access key that's used to create a signature for each request to the service, something like Amazon S3.
In terms of authentication in this scenario, where you don't have a server-side application, how would the secret access key be handled, i.e., how do you get it, where do you store it, etc.? It would seem like a horrible security situation to serve the key for each request (even if it only happens once to bootstrap the application).
And even if you do have a light server-side application--how do you securely inform the client (which still calls the authenticated 3rd party API itself) what the signature should be for every request it could possibly make? I'm very confused by how this is supposed to be designed from either end.
I've done a few AngularJS apps and the way that I've found is to use an HttpModule like this one:
using System;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;
namespace YourSolution.WebApp.Modules
{
public class BasicAuthenticationHttpModule : IHttpModule
{
public BasicAuthenticationHttpModule()
{
}
public void Init(HttpApplication context)
{
context.AuthenticateRequest += OnApplicationAuthenticateRequest;
context.EndRequest += OnApplicationEndRequest;
}
private static void SetPrincipal(IPrincipal principal)
{
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
}
private static bool CheckPassword(
string username, string password)
{
return username == password;
}
private static void AuthenticateUser(string credentials)
{
try
{
var encoding = Encoding.GetEncoding(
"iso-8859-1");
credentials = encoding.GetString(
Convert.FromBase64String(credentials));
var separator = credentials.IndexOf(':');
var name = credentials.Substring(0, separator);
var password = credentials.Substring(separator + 1);
var validated = CheckPassword(name, password);
if (!validated) return;
var identity = new GenericIdentity(name);
SetPrincipal(new GenericPrincipal(identity, null));
}
catch (FormatException)
{
}
}
private static void OnApplicationAuthenticateRequest(
object sender, EventArgs e)
{
var request = HttpContext.Current.Request;
var authHeader = request.Headers["Authorization"];
if (authHeader == null) return;
var authHeaderVal = AuthenticationHeaderValue.Parse(authHeader);
if (authHeaderVal.Scheme.Equals(
"basic",
StringComparison.OrdinalIgnoreCase)
&& authHeaderVal.Parameter != null)
{
AuthenticateUser(authHeaderVal.Parameter);
}
}
private static void OnApplicationEndRequest(
object sender, EventArgs e)
{
var response = HttpContext.Current.Response;
if (response.StatusCode == 401)
{
//response.Headers.Add(
// "WWW-Authenticate",
// string.Format("Basic realm=\"{0}\"", Realm));
}
}
public void Dispose()
{
}
}
}
The most important part is inside CheckPassword method, there is where you should validate the credentials.
Another point is this line response.Headers.Add("WWW-Authenticate", string.Format("Basic realm=\"{0}\"", Realm)); if you don't comment this line, the classic login requested form will show up, and if you do comment this line you have to catch the 401 error in your requests.
If you want to know about realm: What is the “realm” in basic authentication.
Plus, you will need to register the module in your web.config file:
<system.webServer>
<modules>
<add
name="BasicAuthenticationHttpModule"
type="YourSolution.WebApp.Modules.BasicAuthenticationHttpModule" />
</modules>
</system.webServer>
Then I've added these two methods to deal with the authentication token:
// u: username; p: password
CreateBasicAuthenticationToken = function (u, p) {
var t = u + ':' + p;
var hat = btoa(t);
window.sessionStorage.setItem('basicauthtoken', 'basic ' + hat);
};
DestroyBasicAuthenticationToken = function () {
window.sessionStorage.removeItem('basicauthtoken');
};
The btoa method: The btoa() method of window object is used to convert a given string to a encoded data (using base-64 encoding) string.. Taken from: http://www.w3resource.com/javascript/client-object-property-method/window-btoa.php.
And last I've added the authtoken to the request header using the beforeSend:
$.ajax({
type: 'GET',
url: 'your url',
beforeSend: function (xhr) {
window.sessionStorage.getItem('basicauthtoken');
}
}).done(function (data, textStatus, xhr) {
//...
});
Please do note using jQuery outside an angular directive is not recommended, AngularJS best practices dictates jQuery code must be always placed inside a directive.
Hope it helps.

Render output format (HTML, JSON, XML) depending on parameter?

is there a good or proper way to render the output in Play Framework depending on a parameter? Example:
For HTML:
http://localhost:9000/user/get/5?v=HTML // should render HTML template
For JSON:
http://localhost:9000/user/get/5?v=JSON // should render JSON template
I think that a request interceptor could have the ability to achieve this, but I have no clue how to start or where to start :-(
Or perhaps, write a general render method that reads the parameters and output as requested, but this seems to me like overkill?
If /user/5?v=html and /user/5?v=json return two representations of the same resource, they should be the same URL, e.g. /user/5, according to the REST principles.
On client side, you can use the Accept header in your requests to indicate which representation you want the server to send you.
On server side, you can write the following with Play 2.1 to test the value of the Accept header:
public static Result user(Long id) {
User user = User.find.byId(id);
if (user == null) {
return notFound();
}
if (request().accepts("text/html")) {
return ok(views.html.user(user));
} else if (request().accepts("application/json")) {
return ok(Json.toJson(user));
} else {
return badRequest();
}
}
Note that the test against "text/html" should always be written prior to any other content type because browsers set the Accept header of their requests to */* which matches all types.
If you don’t want to write the if (request().accepts(…)) in each action you can factor it out, e.g. like the following:
public static Result user(Long id) {
User user = User.find.byId(id);
return representation(user, views.html.user.ref);
}
public static Result users() {
List<User> users = User.find.all();
return representation(users, views.html.users.ref);
}
private <T> Result representation(T resource, Template1<T, Html> html) {
if (resource == null) {
return notFound();
}
if (request().accepts("text/html")) {
return ok(html.apply(resource));
} else if (request().accepts("application/json")) {
return ok(Json.toJson(resource));
} else {
return badRequest();
}
}
Write 2 methods, use 2 routes (as you don't specify I will use Java samples:
public static Result userAsHtml(Long id) {
return ok(someView.render(User.find.byId(id)));
}
public static Result userAsJson(Long id) {
return play.libs.Json.toJson(User.find.byId(id));
}
routes:
/GET /user/get/:id/html controllers.YourController.userAsHtml(id:Long)
/GET /user/get/:id/json controllers.YourController.userAsJson(id:Long)
next you can just make a link in other view to display user's data
Show details
Get JSON
or something else...
edit #1
you can also use common if or case to determine final output
public static Result userAsV() {
String vType = form().bindFromRequest().get("v");
if (vTtype.equals("HTML")){
return ok(someView.render(User.find.byId(id)));
}
return play.libs.Json.toJson(User.find.byId(id));
}
I wanted the user to be able to be viewed in the browser as html or as json so the accepts method did not work for me.
I solved it by putting a generic renderMethod in a base class with the following style syntax
public static Result requestType( )
{
if( request().uri().indexOf("json") != -1)
{
return ok(Json.toJson(request()));
}
else
{
return ok("Got HTML request " + request() );
}
}

GWT - Hiding or showing a Div at runtime

I have a GWT App where I need to call a webservice to check whether the user signed in is an administrator - and then set the admin Div to visible (hidden by default) if the web service returns true.
The problem is the program passes the check before the web service can return the result. It's looking something like this
public class ModelClass{
boolean isAdmin = false;
public ModelClass(){
//Call webservice in constructor, if returns true, set isAdmin to true via setter
}
}
Then, in my widget, I create an instance of the ModelClass and then in the last step before the page finishes loading, I check the isAdmin property to see if it's true, if so - set the Admin panel to visible. No matter how early I try to make the call, and how late I check the property, the admin check always happens before the web service response returns.
I've tried change listeners - but they only apply to widgets. I tried rigging the property as a label and using a click event by calling click() on the label from the web service response.
Nothing seems to work - does anyone have any ideas?
If you are using a callback mechanism, you will have to do it in the callback function.
e.g. If you are using the GWT's request builder, You will have to do it in onResponseReceived of your request callback:
public ModelClass() {
isAdmin();
}
private void isAdmin() {
RequestBuilder builder = new RequestBuilder(
RequestBuilder.GET, webserviceurl);
try {
request = builder.sendRequest(null, new RequestCallback() {
public void onResponseReceived(Request request,
Response response) {
int code = response.getStatusCode();
if(code >= 400) {
Window.alert(response.getStatusText());
return;
}
if(code == 200) {
// if admin is logged in
// hide your div
}
}
public void onError(Request request, Throwable exception) {
Window.alert("Error checking admin status");
}
});
}catch(RequestException re) {
Window.alert("Error checking admin status");
}
}