
I'm using AWS Elastic Load Balancer to authenticate users, which signs the user claims so that applications can verify the signature and verify that the claims were sent by the load balancer, as described in:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding

To verify the signature, it is necessary to request the public key located at:

https://public-keys.auth.elb.region.amazonaws.com/key-id

Notice that the key-id is dynamic and is sent along with the JWT in the header, in the kid field.

{
   "alg": "algorithm",
   "kid": "12345678-1234-1234-1234-123456789012",
   "signer": "arn:aws:elasticloadbalancing:region-code:account-id:loadbalancer/app/load-balancer-name/load-balancer-id",
   "iss": "url",
   "client": "client-id",
   "exp": "expiration"
}

At the application level, I want to use Quarkus with smallrye-jwt to verify the JWT. Reading the guide at:

https://quarkus.io/guides/security-jwt#configuration-reference

There is the configuration mp.jwt.verify.publickey.location which accepts a URL, but how do I configure it when the public key URL from AWS requires a key-id to be extracted from the JWT header?

Sérgio

1 Answer


I had a similar problem with string values in docker secrets. I ended up writing my own config interceptor which I found in the guide below.

https://quarkus.io/guides/config-extending-support

So in your case a suggestion is to filter out the property which you need to resolve/extract and use a rest client to fetch the value.

The solution doesn't come off as elegant, but should do the trick for you.
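The flow the question describes (read kid from the JWT header, fetch the matching public key from the ALB key endpoint, verify the signature) can be implemented as a per-token key resolver rather than through static configuration, because the key changes with every kid. The following is an added example written for this page, not code from the question, the answer, AWS or the Quarkus project. It uses jose4j, the JWT library that smallrye-jwt builds on, and its VerificationKeyResolver hook; the region name, the expected signer ARN, the assumption that the key endpoint returns a PEM-encoded SPKI EC public key, and the assumption that the header exp is epoch seconds are all placeholders or assumptions, not values taken from the page. Wiring this into the Quarkus JWT extension itself is not shown; the class can be called from a request filter that reads the x-amzn-oidc-data header.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.Key;
import java.security.KeyFactory;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;

/** Resolves the ALB signing key for a token from its kid header (added example). */
public final class AlbKeyResolver implements VerificationKeyResolver {

    // kid comes from the not-yet-verified header, so only a UUID-shaped value
    // (the shape shown in the question) may be spliced into the key URL.
    private static final Pattern KID = Pattern.compile(
        "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$");

    private final String region;          // assumed value, e.g. "eu-west-1"
    private final String expectedSigner;  // assumed: the ARN of your own load balancer
    private final HttpClient http = HttpClient.newHttpClient();
    private final Map<String, Key> cache = new ConcurrentHashMap<>();

    public AlbKeyResolver(String region, String expectedSigner) {
        this.region = region;
        this.expectedSigner = expectedSigner;
    }

    @Override
    public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
            throws UnresolvableKeyException {
        // Header-level checks from the question's header layout: signer and exp.
        if (!expectedSigner.equals(jws.getHeaders().getStringHeaderValue("signer"))) {
            throw new UnresolvableKeyException("token was not signed by the expected load balancer");
        }
        Object exp = jws.getHeaders().getObjectHeaderValue("exp");
        // Assumed: exp is expressed in epoch seconds.
        if (exp == null || Long.parseLong(String.valueOf(exp)) < System.currentTimeMillis() / 1000) {
            throw new UnresolvableKeyException("token header is missing exp or is expired");
        }
        String kid = jws.getKeyIdHeaderValue();
        if (kid == null || !KID.matcher(kid).matches()) {
            throw new UnresolvableKeyException("missing or malformed kid header");
        }
        Key cached = cache.get(kid);
        if (cached != null) return cached;
        try {
            Key key = fetchPublicKey(kid);
            cache.put(kid, key);
            return key;
        } catch (Exception e) {
            throw new UnresolvableKeyException("cannot fetch ALB public key " + kid, e);
        }
    }

    private Key fetchPublicKey(String kid) throws Exception {
        // Host is fixed per region; only the validated kid is user-influenced.
        URI uri = URI.create("https://public-keys.auth.elb." + region + ".amazonaws.com/" + kid);
        HttpResponse<String> resp = http.send(HttpRequest.newBuilder(uri).GET().build(),
                                              HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("HTTP " + resp.statusCode());
        // Assumed: the endpoint returns a PEM-encoded SPKI EC public key.
        String der = resp.body()
            .replace("-----BEGIN PUBLIC KEY-----", "")
            .replace("-----END PUBLIC KEY-----", "")
            .replaceAll("\\s", "");
        return KeyFactory.getInstance("EC")
            .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(der)));
    }

    /** A consumer that verifies an ALB-issued token with the resolver above. */
    public static JwtConsumer consumer(String region, String expectedSigner) {
        return new JwtConsumerBuilder()
            .setVerificationKeyResolver(new AlbKeyResolver(region, expectedSigner))
            // Pin the algorithm so a tampered "alg" header cannot downgrade verification.
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                AlgorithmConstraints.ConstraintType.PERMIT,
                AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256))
            .setAllowedClockSkewInSeconds(30)
            .build();
    }

    public static void main(String[] args) throws Exception {
        String token = args[0];   // the value of the x-amzn-oidc-data request header
        JwtClaims claims = consumer("eu-west-1",
            "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/my-alb/abc123")
            .processToJwtClaims(token);
        System.out.println("verified claims for " + claims.getSubject());
    }
}
```

The resolver is deliberately strict before any network call: the signer ARN and header exp are checked first so that a forged header cannot make the application fetch keys it will never accept, and the kid is matched against the UUID shape from the question before it is placed in the URL. Keys are cached per kid because the endpoint is queried for every request otherwise.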