
I can access @IdToken when running this Quarkus guide: https://quarkus.io/guides/security-openid-connect-web-authentication. It uses "quarkus.oidc.application-type=web-app".

However, when I try to access @IdToken in this other Quarkus guide (https://quarkus.io/guides/security-openid-connect), I get the following exception:

io.quarkus.oidc.OIDCException: Current identity is not associated with an ID token

The only difference that I see is that the second guide uses "quarkus.oidc.application-type=service" which is the default.

I've tried to pass in both an access token and an id token, which I retrieve from Keycloak earlier, in the Authorization header, but without luck.

How can I get @IdToken to work to protect service applications as in the second guide?

To reproduce, copy this snippet into https://github.com/quarkusio/quarkus-quickstarts/blob/master/security-openid-connect-quickstart/src/main/java/org/acme/security/openid/connect/UsersResource.java:

@Inject
@IdToken
JsonWebToken idToken;

@GET
@RolesAllowed("user")
@Path("/myname")
public String getUserName() {
   return idToken.getName();
}

Thanks!

Niklas Heidloff

1 Answer


Quarkus OIDC service applications can only deal with the bearer tokens coming with the HTTP Authorization header. Quarkus OIDC web-app applications are extracting ID and access tokens from the authorization code grant response. So for the service application, you can get the name directly from the access token. If the access token is opaque/binary, then the user name will be returned with the token introspection response and can be accessed from Principal.getName() (supported starting from Quarkus 1.6.0.CR1). HTH

Sergey Beryozkin
Thanks Sergey! That's what I've done as workaround. I think it's pretty confusing though. I thought JWT tokens contain id tokens and access tokens which can be accessed via the annotations. – Niklas Heidloff Jul 15 '20 at 15:06
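
The approach described in the answer, written out as an added example (not code from the question, the answer, or the Quarkus quickstart): a resource for a `quarkus.oidc.application-type=service` application that reads the user name from the bearer access token instead of `@IdToken`. The class name `NameResource`, the `/api/names` path and the `/mytoken` endpoint are hypothetical, and the `javax.*` imports assume a Quarkus 1.x or 2.x release.

```java
package org.acme.security.openid.connect;

import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.eclipse.microprofile.jwt.JsonWebToken;

import io.quarkus.security.identity.SecurityIdentity;

// Hypothetical resource; the name and paths are assumptions made for this example.
@Path("/api/names")
public class NameResource {

    // Identity built from the bearer token sent in the Authorization header.
    @Inject
    SecurityIdentity identity;

    // Unqualified injection: this is the bearer access token, not an ID token.
    // A service application never runs the authorization code flow, so there
    // is no ID token for @IdToken to resolve.
    @Inject
    JsonWebToken accessToken;

    @GET
    @Path("/myname")
    @RolesAllowed("user")
    @Produces(MediaType.TEXT_PLAIN)
    public String getUserName() {
        // Covers both cases from the answer: a JWT access token, and an
        // opaque token whose user name comes from the introspection response.
        return identity.getPrincipal().getName();
    }

    @GET
    @Path("/mytoken")
    @RolesAllowed("user")
    @Produces(MediaType.TEXT_PLAIN)
    public String getTokenSummary() {
        // Assumes the access token is a JWT; an opaque token carries no claims.
        return accessToken.getName() + " (issuer: " + accessToken.getIssuer() + ")";
    }
}
```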