I need to access a JWT sent in the Authorization header. I also have to disable the proactive auth check. How can I get the token?

I have this class which used to work when proactive auth was enabled:

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.json.JsonObject;
import org.eclipse.microprofile.jwt.JsonWebToken;

@RequestScoped
public class AccessRights {

    // With proactive auth enabled this is the already-verified JWT of the current request
    @Inject
    JsonWebToken accessToken;

    public boolean validateAccess() {

        // AccessDeniedException is the application's own exception (not shown in the question)
        if (accessToken.getRawToken() == null)
            throw new AccessDeniedException("Invalid Access Token");

        JsonObject claim = accessToken.getClaim("claim");
        // ... do some validation ...
        return true;
    }

}

When I set quarkus.http.auth.proactive=false it stops working. The accessToken is always null. Now that is expected, since it's documented here https://quarkus.io/guides/security-jwt#proactive-authentication and here https://quarkus.io/guides/security-built-in-authentication#proactive-authentication. I tried to use the alternative way suggested in the docs, but I cannot get it to run.

  1. Problem: I don't know how to get a JsonWebToken from the suggested workaround.
  2. Problem: Even when I try to use SecurityIdentity instead, it is always null. Plus I don't know yet how to actually use it for validation.

import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.security.identity.SecurityIdentity;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;

@RequestScoped
public class AccessRights {

    @Inject
    CurrentIdentityAssociation currentIdentityAssociation;

    public boolean validateAccess() {

        // Lazy authentication (proactive auth disabled): block until the identity is resolved
        SecurityIdentity identity = currentIdentityAssociation.getDeferredIdentity().await().indefinitely();

        // identity is always null
        return identity != null && !identity.isAnonymous();
    }

}

EDIT:

To add more context: I have a GraphQL API, and the initial problem was that if I receive an expired token, the framework responds with a 401 Unauthorized error. However, as is best practice in GraphQL, I need to respond with a 200 and a JSON body that describes the error. The proactive auth check prevents the GraphQL error handler from kicking in. That is why I disabled it, effectively making things worse.

Here is how the whole auth process in my application works:

The API receives a request that should contain a bearer token (JWT) in the Authorization header. The token is acquired somewhere else. My application needs to validate the issuer and expiration time. This part used to be handled by the proactive auth check. After that my custom validateAccess() method will extract some roles from the token. If those roles are not present, I will call an external API, providing the raw token, to get back some more detailed access rights.

micha
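An added example, not code from micha's question, showing one way to obtain the JWT lazily once quarkus.http.auth.proactive=false is set and to turn an authentication failure into a GraphQL-style error instead of an HTTP 401. It assumes Quarkus 2.x (javax.* namespace) with quarkus-smallrye-jwt and quarkus-smallrye-graphql on the classpath; that calling CurrentIdentityAssociation#getDeferredIdentity() from inside a GraphQL resolver triggers the lazy authentication (the documented workaround the question refers to) is an assumption to verify in your own setup; the class names and the myRoles query are hypothetical.

```java
// Assumed configuration (not on the original page):
//   quarkus.http.auth.proactive=false
//   quarkus-smallrye-jwt + quarkus-smallrye-graphql, Quarkus 2.x (javax.* namespace)

// --- AccessRights.java ---
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.security.identity.SecurityIdentity;
import java.util.List;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import org.eclipse.microprofile.graphql.GraphQLException;
import org.eclipse.microprofile.jwt.JsonWebToken;

@RequestScoped
public class AccessRights {

    @Inject
    CurrentIdentityAssociation currentIdentityAssociation;

    /**
     * Triggers the lazy authentication that proactive=false turns off and returns
     * the verified JWT. Signature, issuer and expiry are checked by quarkus-smallrye-jwt
     * during that step; an expired token surfaces here as AuthenticationFailedException
     * instead of being answered with a 401 by the HTTP layer.
     */
    public JsonWebToken requireToken() throws GraphQLException {
        SecurityIdentity identity;
        try {
            identity = currentIdentityAssociation.getDeferredIdentity().await().indefinitely();
        } catch (AuthenticationFailedException e) {
            // Checked GraphQLException: SmallRye GraphQL reports its message in the
            // "errors" array of a 200 response. Keep the message generic; log e server-side.
            throw new GraphQLException("Invalid access token");
        }
        if (identity == null || identity.isAnonymous()) {
            // No Authorization header at all: nothing was authenticated
            throw new GraphQLException("Missing access token");
        }
        if (!(identity.getPrincipal() instanceof JsonWebToken)) {
            throw new GraphQLException("Principal is not a JWT");
        }
        return (JsonWebToken) identity.getPrincipal();
    }

    /** Roles carried by the token ("groups" claim); empty when the claim is absent. */
    public List<String> rolesFrom(JsonWebToken jwt) {
        return jwt.getGroups() == null ? List.of() : List.copyOf(jwt.getGroups());
    }
}

// --- AccessRightsApi.java ---
import java.util.List;
import javax.inject.Inject;
import org.eclipse.microprofile.graphql.GraphQLApi;
import org.eclipse.microprofile.graphql.GraphQLException;
import org.eclipse.microprofile.graphql.Query;
import org.eclipse.microprofile.jwt.JsonWebToken;

@GraphQLApi
public class AccessRightsApi {

    @Inject
    AccessRights accessRights;

    // Hypothetical query: { myRoles }
    @Query
    public List<String> myRoles() throws GraphQLException {
        JsonWebToken jwt = accessRights.requireToken();
        List<String> roles = accessRights.rolesFrom(jwt);
        if (roles.isEmpty()) {
            // The question's fallback: ask the external rights API, passing the raw token.
            // The HTTP call is not shown; jwt.getRawToken() is the verified, unmodified string.
            String rawToken = jwt.getRawToken();
            return List.of("lookup-pending:" + (rawToken == null ? "none" : "token"));
        }
        return roles;
    }
}
```

GraphQLException is a checked exception, so SmallRye GraphQL puts its message into the response's errors array with HTTP status 200; a RuntimeException escaping a resolver is by default reported as a generic server error with its message hidden. The roles fallback above only demonstrates where the raw token is available; replace the placeholder return with the real client call.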

1 Answer


I believe you missed something important here.

The docs say:

By default, Quarkus does what we call proactive authentication. This means that if an incoming request has a credential then that request will always be authenticated (even if the target page does not require authentication).

Which implicitly means: if you disable proactive auth, you need to require auth to be done before accessing the resource.

That may be part of your problem: as you disabled proactive auth, you'll have to explicitly restrict access to resources to authenticated clients. Otherwise, no auth is performed and thus SecurityIdentity is null.

If you already tried that, please add more code and context. I'll gladly edit my response.

EDIT 1 :

I see 2 distinct problems in the information you added:

  • You have to validate the token (if proactive auth is disabled)
  • You have to get response code 200 with error details instead of 401

But as you clearly stated, token validation works out of the box with proactive enabled.

So, I would suggest you let proactive auth do its job. Then, I would add an ExceptionMapper.

This way, you can write custom code for exception unfolding, and you can respond with what you want for every situation.

See the ExceptionMapper documentation for more.

Jacouille
  • Hey, thank you for your response! I added some more context to my question. About your answer: as soon as I "explicitly restrict access to resources to authenticated clients", e.g. by using the @authorized annotation, I'm back at my original problem of the error response not being GraphQL conform. – micha Sep 13 '22 at 13:31
  • @micha see updated answer – Jacouille Sep 13 '22 at 13:42
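A worked version of the answer's ExceptionMapper suggestion, added here as an example that is neither Jacouille's nor Quarkus' own code: a JAX-RS ExceptionMapper that turns io.quarkus.security.AuthenticationFailedException into a 200 response whose body uses the GraphQL errors envelope, next to a REST resource restricted with @Authenticated so that authentication is actually triggered. Two caveats a practitioner should verify rather than take from this page: a JAX-RS ExceptionMapper only sees exceptions raised inside the JAX-RS pipeline, so it is consulted for the @Authenticated resource below but, as far as I know, not for the /graphql route, which Quarkus serves from a Vert.x handler outside JAX-RS (the situation micha describes in the comment); and in my reading of the Quarkus security customization guide this mapper only receives the exception with quarkus.http.auth.proactive=false, because with proactive authentication the failure is answered by the HTTP layer before any JAX-RS code runs. The class names, the /rights path and the UNAUTHENTICATED error code are assumptions.

```java
// Assumed setup (not on the original page): Quarkus 2.x (javax.* namespace) with
// quarkus-resteasy-reactive and quarkus-smallrye-jwt, and quarkus.http.auth.proactive=false
// so that the authentication failure is raised inside the JAX-RS pipeline.

// --- AuthenticationFailedMapper.java ---
import io.quarkus.security.AuthenticationFailedException;
import javax.annotation.Priority;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonValue;
import javax.ws.rs.Priorities;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFailedMapper implements ExceptionMapper<AuthenticationFailedException> {

    @Override
    public Response toResponse(AuthenticationFailedException e) {
        // GraphQL envelope: HTTP 200, "data" null, one entry in "errors".
        // The message is deliberately generic: whether the token was expired,
        // badly signed or from the wrong issuer belongs in the server log,
        // not in a response an unauthenticated caller can read.
        JsonObject body = Json.createObjectBuilder()
                .add("data", JsonValue.NULL)
                .add("errors", Json.createArrayBuilder()
                        .add(Json.createObjectBuilder()
                                .add("message", "Authentication failed")
                                .add("extensions", Json.createObjectBuilder()
                                        .add("code", "UNAUTHENTICATED"))))
                .build();
        return Response.ok(body.toString(), MediaType.APPLICATION_JSON).build();
    }
}

// --- RightsResource.java ---
import io.quarkus.security.Authenticated;
import java.util.Set;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.eclipse.microprofile.jwt.JsonWebToken;

@Path("/rights")
@Authenticated // with proactive auth disabled, this is what makes authentication run at all
public class RightsResource {

    // Populated only after @Authenticated has forced the token to be verified
    @Inject
    JsonWebToken jwt;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Set<String> roles() {
        return jwt.getGroups();
    }
}
```

With this in place, a request to /rights carrying an expired bearer token gets a 200 with the errors envelope from the mapper instead of a bare 401, while a request with a valid token reaches roles(). Without the @Authenticated annotation (or an equivalent @RolesAllowed) the resource would run with an anonymous identity and the injected JsonWebToken would have no raw token, which is the behaviour the answer explains.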