I am using Smallrye JwtClaimsBuilder to build a token in my application.
Is it possible to use gzip to compress the body of the token? I couldn't find something in the documentation about this.
Of course I could use a different way to generate the token, but can it be validated by the Quarkus framework?
I am building a REST API that uses data in the JWT token to perform some operations. (E.g. verifying the ownership of the data, so for some cases, I might send user_id or something like that in the JWT token).
Is that possible to describe the expected contents of the JWT token using OpenAPI?
This is not supported as of OpenAPI 3.1, but there's an existing feature request:
Allow payload definition for JWT schema
I'm trying to make a .NET 5 Web API work with a JWT Bearer token. I want some operations to be secured by using a token that comes from another issuer. The token would be generated by MS Azure AD. The application will read the token from the request header, validate it and extract the user's roles for more validations. The app shouldn't be the issuer of the token.
Is this possible? I tried so many ways to make this work without success. I set up Swagger to use OpenID Connect with Microsoft Azure and then the bearer is used to call the secured operations, but I always got errors. Now I don't understand how .NET Core Authentication and Authorization works.
Thanks in advance!
That will definitely work OK but requires an understanding of the science:
AZURE AD TOKENS
I would first look at the JWT in an online viewer. There is a known issue with the default setup where you get JWT access tokens that cannot be validated. See Step 3 of my blog post for details.
UNDERSTAND PRINCIPLES
Validating a JWT involves the general steps in this blog post. Once you understand this it will hopefully unblock you.
C# JWT ACCESS TOKEN VALIDATION IN APIs
The Microsoft framework often hides the required logic, which doesn't always help, and the option I prefer is to validate JWTs via a library.
Aim to understand how to use the JwtSecurityTokenHandler class to validate a JWT manually, eg in a console app. Maybe borrow some ideas from this C# code of mine.
C# AUTHORIZATION
Once JWT validation works, the next step is to use the details in the ClaimsPrincipal to determine whether to allow access to data. I would get on top of the JWT validation first though.
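The answer above describes validating a JWT manually before moving on to authorization. The following is an added example, not code from the answer's author or from any of the libraries mentioned; it walks the general validation steps (structure, pinned algorithm, signature, time window, issuer, audience) and then the authorization step (reading a roles claim) in plain Python with only the standard library. It uses HS256 with a constructed demo secret so it runs offline; `DEMO_SECRET`, `DEMO_ISSUER`, `DEMO_AUDIENCE`, `sign_hs256`, `validate_jwt`, `validation_error` and `has_role` are all names invented for this example. A real API validating Azure AD tokens would verify an RS256 signature against the issuer's published public keys instead of a shared secret, but the remaining checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a real API keeps its key material in configuration, not in source.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
DEMO_ISSUER = "https://issuer.example"   # placeholder issuer URL
DEMO_AUDIENCE = "api://my-api"           # placeholder audience identifier


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWS compact token. Used only to create sample tokens for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Validate a token and return its claims; raise ValueError on the first failed check.

    Order matters: the signature is verified before any claim is trusted, and the
    expected algorithm is fixed by the verifier rather than read from the token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))

    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(b64url_decode(payload_b64))
    leeway = 60  # seconds of clock skew tolerated between issuer and API
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0) - leeway:
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def validation_error(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Return the rejection reason as a string, or None when the token validates."""
    try:
        validate_jwt(token, secret, issuer, audience, now)
    except ValueError as exc:
        return str(exc)
    return None


def has_role(claims: dict, role: str) -> bool:
    """Authorization step: decide from the validated claims, here a 'roles' array claim."""
    return role in claims.get("roles", [])


if __name__ == "__main__":
    sample = sign_hs256({"sub": "alice", "iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE,
                         "exp": int(time.time()) + 300, "roles": ["reader"]}, DEMO_SECRET)
    claims = validate_jwt(sample, DEMO_SECRET, DEMO_ISSUER, DEMO_AUDIENCE)
    print("subject:", claims["sub"], "reader:", has_role(claims, "reader"))
    print("wrong key:", validation_error(sample, b"other-key", DEMO_ISSUER, DEMO_AUDIENCE))
```

`validation_error` exists so that callers (and tests) can inspect why a token was rejected without a try/except at every call site; in a real API that reason belongs in a server-side log, not in the HTTP response.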
I have tried the sample app of Quarkus and JWT Security Sample App
How can I implement JWT refresh token in Quarkus Framework?
You have two options here, which are basically the same: you have to invoke Keycloak through the REST API in order to get your refresh token. You can do that by using a rest-client, like in here, or an adapter; these are your options with the JWT integration.
If you instead use a different dependency like the oidc client you will be able to create new tokens and have more options, check this guide.
Thanks
I'm currently using the auth0-js library v8 to authenticate users against Auth0. This library forcibly signs JWT tokens using RS256. Temporarily, I would like to decode the token and re-encode it using HS256/my current CLIENT SECRET, before returning the token in the authenticated response. Can I use Auth0 rules for that? Any idea how?
Reacting to Pawel's comment up there: this is no longer an issue! With Graphcool resolvers you can now extend your schema to handle authentication (amongst others) whatever way you deem suitable.
So I'm trying to secure my web application by using JWT in Scalatra. At the moment I'm using Scentry with both User-Password and RememberMe strategies and my intention is to swap the cookie-based authentication in RememberMe strategy with JWT authentication.
I have found this implementation I can use with json4s (example) but I'm not sure of how to include these features in my code. Can I just simply switch the verifications done with cookies in RememberMe for JWT verifications?
In the same repository, which you have provided there are now code examples. You can check this link.