We are using the Netflix DGS framework to build our backend to provide a GraphQL API.
In addition to that we use Keykloak as an identity provider which comes with a handy Spring module to add support for authentication and authorization out of the box.
Every request contains a JWT token, which gets validated and from there a SecurityContext object is being generated which is then available in every endpoint.
This is working great for HTTP requests. GraphQL queries and mutations are sent via HTTP, therefore no problem here.
Subscriptions on the other hand use the web socket protocol. A WS request does not contain additional headers, therefore no JWT token is sent with the request.
We can add the token via a payload, the question is now how to set up a Spring Security Filter which creates a Security Context out of the payload.
I guess this is rather Spring specific, basically a filter which intercepts any web socket request (ws://... or wss://...) is needed.
Any help or hint is very much appreciated!
The only way to use headers in web socket messages is in the connection_init message. the headers will be sent by the client in the payload of the message.
The solution I propose is done in 2 steps (We will assume that the name of the header element is "token"):
Intercept the connection_init message, then force the insertion of a new element (token) in the subscription request.
Retrieve the element (token) of the header during the interception of the subscription and feed the context.
Concretely, the solution is the implementation of WebSocketGraphQlInterceptor interface
#Configuration
class SubscriptionInterceptor implements WebSocketGraphQlInterceptor {
#Override
public Mono<Object> handleConnectionInitialization(WebSocketSessionInfo sessionInfo, Map<String, Object> connectionInitPayload) {
sessionInfo.getHeaders().add("token", connectionInitPayload.get("token").toString());
return Mono.just(connectionInitPayload);
}
#Override
public Mono<WebGraphQlResponse> intercept(WebGraphQlRequest request, Chain chain) {
List<String> token = request.getHeaders().getOrEmpty("token");
return chain.next(request).contextWrite(context -> context. Put("token", token.isEmpty() ? "" : token.get(0)));
}
}
I have a Quarkus microservice doing authentication and authorization with Keycloak using quarkus-oidc and quarkus-keycloak-authorization extensions.
when i use quarkus.keycloak.policy-enforcer, reader & writer interceptors and container request & container response filters and exception mapper (with disable proactive) not working on 401 error. do you have any idea??
We are using spring boot 2.4.5 with webflux and calling a service with client credentials grant type. What we noticed is that webclient is not following redirects.
How can we enable webclient to follow redirects where it can continue passing access token until it get the http 200?
Adding following code snippet does not pass the access token to redirected url and it is returning 401.
WebClient.builder()
.clientConnector(new ReactorClientHttpConnector(
HttpClient.create().followRedirect(true)
))
The sensitive headers like the Authorization are removed from the initialized request when redirecting to a different domain.
You can use the following variant of followRedirect(boolean):
followRedirect(boolean followRedirect, Consumer<HttpClientRequest> redirectRequestConsumer)
In order to re-add the Authorization header using redirectRequestConsumer.
For more details see the Javadoc here and Reactor Netty documentation here.
Is it possible to inject an HTTP request in a SecurityIdentityAugmentor with Quarkus, so that I can use some HTTP header params to build the augmented identity ?
I am using RestTemplate with custom HttpClient. My request is getting redirected to S3 but somehow it is carrying Authorization header along with it after redirection.
Httpclient is configured to use LaxRedirectStrategy, cookies are ignored.
Is there a way how to fix this issue or any insight?