smallrye-jwt-extension: Make role mapping configurable and use newer smallrye-jwt apis

bom/runtime/pom.xml

@@ -38,7 +38,7 @@
         <smallrye-open-api.version>1.2.1</smallrye-open-api.version>
         <smallrye-opentracing.version>1.3.4</smallrye-opentracing.version>
         <smallrye-fault-tolerance.version>4.1.0</smallrye-fault-tolerance.version>
-        <smallrye-jwt.version>2.0.13</smallrye-jwt.version>
+        <smallrye-jwt.version>2.1.0-SNAPSHOT</smallrye-jwt.version>
         <smallrye-context-propagation.version>1.0.11</smallrye-context-propagation.version>
         <smallrye-reactive-streams-operators.version>1.0.10</smallrye-reactive-streams-operators.version>
         <smallrye-converter-api.version>1.0.10</smallrye-converter-api.version>

extensions/smallrye-jwt/deployment/src/main/java/io/quarkus/smallrye/jwt/deployment/SmallRyeJwtProcessor.java

@@ -30,6 +30,7 @@
 import io.quarkus.deployment.builditem.nativeimage.NativeImageResourceBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
 import io.quarkus.security.deployment.JCAProviderBuildItem;
+import io.quarkus.smallrye.jwt.runtime.auth.DefaultJwtRolesMapper;
 import io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism;
 import io.quarkus.smallrye.jwt.runtime.auth.JwtPrincipalProducer;
 import io.quarkus.smallrye.jwt.runtime.auth.MpJwtValidator;
@@ -39,6 +40,7 @@
 import io.smallrye.jwt.auth.cdi.CommonJwtProducer;
 import io.smallrye.jwt.auth.cdi.JsonValueProducer;
 import io.smallrye.jwt.auth.cdi.RawClaimTypeProducer;
+import io.smallrye.jwt.auth.principal.DefaultJWTParser;
 import io.smallrye.jwt.config.JWTAuthContextInfoProvider;
 
 /**
@@ -79,6 +81,8 @@ void registerAdditionalBeans(BuildProducer<AdditionalBeanBuildItem> additionalBe
         removable.addBeanClass(RawClaimTypeProducer.class);
         removable.addBeanClass(JsonValueProducer.class);
         removable.addBeanClass(JwtPrincipalProducer.class);
+        removable.addBeanClass(DefaultJwtRolesMapper.class);
+        removable.addBeanClass(DefaultJWTParser.class);
         removable.addBeanClass(Claim.class);
         additionalBeans.produce(removable.build());
 

extensions/smallrye-jwt/deployment/src/test/java/io/quarkus/jwt/test/TokenRealmUnitTest.java

@@ -16,8 +16,12 @@
 import io.quarkus.security.identity.request.TokenAuthenticationRequest;
 import io.quarkus.security.runtime.AnonymousIdentityProvider;
 import io.quarkus.security.runtime.QuarkusIdentityProviderManagerImpl;
+import io.quarkus.smallrye.jwt.runtime.auth.DefaultJwtRolesMapper;
+import io.quarkus.smallrye.jwt.runtime.auth.JwtRolesMapper;
 import io.quarkus.smallrye.jwt.runtime.auth.MpJwtValidator;
+import io.smallrye.jwt.auth.principal.DefaultJWTParser;
 import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
+import io.smallrye.jwt.auth.principal.JWTParser;
 
 /**
  * Validate usage of the bearer token based realm
@@ -29,8 +33,12 @@ public void testAuthenticator() throws Exception {
         KeyPair keyPair = generateKeyPair();
         PublicKey pk1 = keyPair.getPublic();
         PrivateKey pk1Priv = keyPair.getPrivate();
+
         JWTAuthContextInfo contextInfo = new JWTAuthContextInfo((RSAPublicKey) pk1, "https://server.example.com");
-        MpJwtValidator jwtValidator = new MpJwtValidator(contextInfo);
+        JWTParser jwtParser = new DefaultJWTParser(contextInfo);
+        JwtRolesMapper jwtRolesMapper = new DefaultJwtRolesMapper();
+        MpJwtValidator jwtValidator = new MpJwtValidator(jwtParser, jwtRolesMapper);
+
         QuarkusIdentityProviderManagerImpl authenticator = QuarkusIdentityProviderManagerImpl.builder()
                 .addProvider(new AnonymousIdentityProvider())
                 .setBlockingExecutor(new Executor() {

extensions/smallrye-jwt/runtime/src/main/java/io/quarkus/smallrye/jwt/runtime/auth/DefaultJwtRolesMapper.java

@@ -0,0 +1,19 @@
+package io.quarkus.smallrye.jwt.runtime.auth;
+
+import java.util.Set;
+
+import javax.enterprise.context.ApplicationScoped;
+
+import org.eclipse.microprofile.jwt.JsonWebToken;
+
+import io.quarkus.arc.DefaultBean;
+
+@DefaultBean
+@ApplicationScoped
+public class DefaultJwtRolesMapper implements JwtRolesMapper {
+
+    @Override
+    public Set<String> mapGroupsAndRoles(JsonWebToken token) {
+        return token.getGroups();
+    }
+}

extensions/smallrye-jwt/runtime/src/main/java/io/quarkus/smallrye/jwt/runtime/auth/JWTAuthMechanism.java

@@ -24,7 +24,7 @@
 import io.smallrye.jwt.auth.AbstractBearerTokenExtractor;
 import io.smallrye.jwt.auth.cdi.PrincipalProducer;
 import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
-import io.vertx.ext.web.Cookie;
+import io.vertx.core.http.Cookie;
 import io.vertx.ext.web.RoutingContext;
 
 /**

extensions/smallrye-jwt/runtime/src/main/java/io/quarkus/smallrye/jwt/runtime/auth/JwtRolesMapper.java

@@ -0,0 +1,9 @@
+package io.quarkus.smallrye.jwt.runtime.auth;
+
+import java.util.Set;
+
+import org.eclipse.microprofile.jwt.JsonWebToken;
+
+public interface JwtRolesMapper {
+    Set<String> mapGroupsAndRoles(JsonWebToken token);
+}

extensions/smallrye-jwt/runtime/src/main/java/io/quarkus/smallrye/jwt/runtime/auth/MpJwtValidator.java

@@ -1,25 +1,21 @@
 package io.quarkus.smallrye.jwt.runtime.auth;
 
-import java.util.HashSet;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionStage;
 
 import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 
+import org.eclipse.microprofile.jwt.JsonWebToken;
 import org.jboss.logging.Logger;
-import org.jose4j.jwt.JwtClaims;
-import org.jose4j.jwt.MalformedClaimException;
-import org.jose4j.jwt.consumer.JwtContext;
 
 import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.identity.AuthenticationRequestContext;
 import io.quarkus.security.identity.IdentityProvider;
 import io.quarkus.security.identity.SecurityIdentity;
 import io.quarkus.security.identity.request.TokenAuthenticationRequest;
 import io.quarkus.security.runtime.QuarkusSecurityIdentity;
-import io.smallrye.jwt.auth.principal.DefaultJWTTokenParser;
-import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
+import io.smallrye.jwt.auth.principal.JWTParser;
 import io.smallrye.jwt.auth.principal.ParseException;
 
 /**
@@ -30,17 +26,13 @@ public class MpJwtValidator implements IdentityProvider<TokenAuthenticationReque
 
     private static final Logger log = Logger.getLogger(MpJwtValidator.class);
 
-    final JWTAuthContextInfo authContextInfo;
-
-    private final DefaultJWTTokenParser parser = new DefaultJWTTokenParser();
-
-    public MpJwtValidator() {
-        authContextInfo = null;
-    }
+    final JWTParser parser;
+    final JwtRolesMapper jwtRolesMapper;
 
     @Inject
-    public MpJwtValidator(JWTAuthContextInfo authContextInfo) {
-        this.authContextInfo = authContextInfo;
+    public MpJwtValidator(JWTParser parser, JwtRolesMapper jwtRolesMapper) {
+        this.parser = parser;
+        this.jwtRolesMapper = jwtRolesMapper;
     }
 
     @Override
@@ -52,25 +44,16 @@ public Class<TokenAuthenticationRequest> getRequestType() {
     public CompletionStage<SecurityIdentity> authenticate(TokenAuthenticationRequest request,
             AuthenticationRequestContext context) {
         try {
-            JwtContext jwtContext = parser.parse(request.getToken().getToken(), authContextInfo);
+            JsonWebToken jwt = parser.parse(request.getToken().getToken());
 
-            JwtClaims claims = jwtContext.getJwtClaims();
-            String name = claims.getClaimValue("upn", String.class);
-            if (name == null) {
-                name = claims.getClaimValue("preferred_username", String.class);
-                if (name == null) {
-                    name = claims.getSubject();
-                }
-            }
-            QuarkusJwtCallerPrincipal principal = new QuarkusJwtCallerPrincipal(name, claims);
             return CompletableFuture
-                    .completedFuture(QuarkusSecurityIdentity.builder().setPrincipal(principal)
-                            .addRoles(new HashSet<>(claims.getStringListClaimValue("groups")))
-                            .addAttribute(SecurityIdentity.USER_ATTRIBUTE, principal).build());
+                    .completedFuture(QuarkusSecurityIdentity.builder().setPrincipal(jwt)
+                            .addRoles(jwtRolesMapper.mapGroupsAndRoles(jwt))
+                            .addAttribute(SecurityIdentity.USER_ATTRIBUTE, jwt).build());
 
-        } catch (ParseException | MalformedClaimException e) {
+        } catch (ParseException e) {
             log.debug("Authentication failed", e);
-            CompletableFuture<SecurityIdentity> cf = new CompletableFuture<SecurityIdentity>();
+            CompletableFuture<SecurityIdentity> cf = new CompletableFuture<>();
             cf.completeExceptionally(new AuthenticationFailedException(e));
             return cf;
         }