
I'm trying to secure my Quarkus API with JWT. The JWT is provided (snippet: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUI[...] ).

The following endpoints are the 2 endpoints I've tested:

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.transaction.Transactional;
import javax.ws.rs.*;
import javax.ws.rs.core.Response;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/quiz")
@RequestScoped
public class SomeResource {
  @Inject
  JsonWebToken jwt; // the verified token of the current request, if any

  @POST
  @RolesAllowed({"magister"})
  @Path("/save")
  @Consumes("application/json")
  @Produces("*/*")
  @Transactional
  public Response save(Quiz quiz) { // JAX-RS binds the unannotated parameter to the JSON body
    return Response.ok().build();
  }

  @GET
  @PermitAll
  @Path("/get/all")
  @Produces("application/json")
  public Response getAll() {
    return Response.ok().build();
  }
}

Both endpoints (@PermitAll and @RolesAllowed) are returning me an HTTP 401 (Unauthorized).

Do you have an idea why? I thought that @PermitAll is permitting EVERY request? Even though my token proves I have the role needed:

"resource_access" : {
  "client_interface" : {
    "roles" : ["magister"]
  },
  ...
}

Edit: Found out that the MicroProfile Spec says that

"groups":["magister"]

should get mapped by microprofile to RolesAllowed annotations.

My Payload looks like this:

{
  [...]
  "resource_access": {
    "client_interface": {
      "roles": [
        "magister"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile email",
  "email_verified": false,
  "groups": [
    "magister"
  ],
  "preferred_username": "magister"
}

but I still get a 401 response.

R. Polito
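Added example, not code from the question or either answer: a small Python script that decodes a bearer token's payload without verifying it, pulls out the Keycloak-style resource_access roles shown in the payload above, and lists the claims a MicroProfile JWT verifier would reject (issuer, expiry, principal, groups). The sample claims, the issuer URL and the function names are constructed for this illustration; signature and key checks, the other common cause of a 401, are outside what this inspection covers.

```python
import base64
import json
import time

# Constructed sample claims modelled on the payload in the question (not the asker's token).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example/realms/demo",  # constructed issuer
    "exp": 1_700_000_000,
    "resource_access": {"client_interface": {"roles": ["magister"]}},
    "groups": ["magister"],
    "preferred_username": "magister",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_sample(claims: dict) -> str:
    """Build header.payload.<fake signature> for testing the decoder; no key is involved."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.fakesig"

def decode_payload(token: str) -> dict:
    """Decode the payload part only; this does NOT verify the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def keycloak_client_roles(claims: dict, client: str) -> list:
    """Roles under resource_access.<client>.roles; MP JWT maps 'groups', not this path."""
    return claims.get("resource_access", {}).get(client, {}).get("roles", [])

def diagnose(claims: dict, expected_issuer: str, now: float = None) -> list:
    """Return reasons an MP JWT verifier would reject these claims (empty list = none found)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r} != {expected_issuer!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("exp claim missing")
    elif exp <= now:
        problems.append("token expired")
    if not any(k in claims for k in ("upn", "preferred_username", "sub")):
        problems.append("no principal claim (upn/preferred_username/sub)")
    if not claims.get("groups"):
        problems.append("groups claim missing: @RolesAllowed has nothing to match")
    return problems
```

Run `diagnose(decode_payload(token), "<your issuer>")` on a real token to see which claim a verifier would trip over before looking at the key configuration.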

2 Answers

1

I had the same problem, I fixed it by adding the following code:

import javax.ws.rs.core.Application;
import org.eclipse.microprofile.openapi.annotations.Components;
import org.eclipse.microprofile.openapi.annotations.OpenAPIDefinition;
import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
import org.eclipse.microprofile.openapi.annotations.info.Info;
import org.eclipse.microprofile.openapi.annotations.security.SecurityRequirement;
import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;

// The annotation must sit on a type; the JAX-RS Application subclass is the usual place (class name assumed).
@OpenAPIDefinition(
        info = @Info(
                title = "Title API",
                version = "1.0.0",
                description = "Description API"
        ),
        security = @SecurityRequirement(name = "jwt"),
        components = @Components(
                securitySchemes = {
                        @SecurityScheme(
                                securitySchemeName = "jwt",
                                description = "Token JWT",
                                type = SecuritySchemeType.HTTP,
                                scheme = "bearer",
                                bearerFormat = "jwt"
                        )
                }
        )
)
public class ApiApplication extends Application { }

and also updated Quarkus to version 1.12.0.FINAL.

0

Generally a 401 is about using an expired token, or an invalid one.

Swe77