I'm trying to secure my Quarkus API with JWT. The JWT is provided (snippet: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUI[...] ).

The following are the 2 endpoints I've tested:

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.transaction.Transactional;
import javax.ws.rs.*;
import javax.ws.rs.core.Response;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.eclipse.microprofile.openapi.annotations.parameters.RequestBody;

@Path("/quiz")
@RequestScoped
public class SomeResource {
  @Inject
  JsonWebToken jwt;

  // MP-JWT takes the roles checked here from the token's "groups" claim
  @POST
  @RolesAllowed({"magister"})
  @Path("/save")
  @Consumes("application/json")
  @Produces("*/*")
  @Transactional
  public Response save(@RequestBody Quiz quiz) {
    return Response.ok().build(); // body omitted in the question
  }

  @GET
  @PermitAll
  @Path("/get/all")
  @Produces("application/json")
  public Response getAll() {
    return Response.ok().build(); // body omitted in the question
  }
}

Both endpoints (@PermitAll and @RolesAllowed) are returning me an HTTP 401 (Unauthorized).

Do you have an idea why? I thought that @PermitAll is permitting EVERY request? Even though my token proves I have the role needed:

"resource_access" : {
  "client_interface" : {
    "roles" : ["magister"]
  },
  ...
}

Edit: Found out that the MicroProfile Spec says that

"groups":["magister"]

should get mapped by microprofile to RolesAllowed annotations.

My Payload looks like this:

{
  [...]
  "resource_access": {
    "client_interface": {
      "roles": [
        "magister"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile email",
  "email_verified": false,
  "groups": [
    "magister"
  ],
  "preferred_username": "magister"
}

but I still get a 401 response.

2 Answers

I had the same problem, I fixed it by adding the following code:

import javax.ws.rs.core.Application;
import org.eclipse.microprofile.openapi.annotations.Components;
import org.eclipse.microprofile.openapi.annotations.OpenAPIDefinition;
import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
import org.eclipse.microprofile.openapi.annotations.info.Info;
import org.eclipse.microprofile.openapi.annotations.security.SecurityRequirement;
import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;

@OpenAPIDefinition(
        info = @Info(
                title = "Title API",
                version = "1.0.0",
                description = "Description API"
        ),
        security = @SecurityRequirement(name = "jwt"),
        components = @Components(
                securitySchemes = {
                        @SecurityScheme(
                                securitySchemeName = "jwt",
                                description = "Token JWT",
                                type = SecuritySchemeType.HTTP,
                                scheme = "bearer",
                                bearerFormat = "jwt"
                        )
                }
        )
)
// The annotation needs a type to sit on; a JAX-RS Application subclass (class name chosen here) is the usual place
public class QuizApplication extends Application { }

and also updated Quarkus to version 1.12.0.FINAL


Generally 401 is about using an expired token, or an invalid one.
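As an added example (not Quarkus or SmallRye JWT code, and not from either answer), the following Python models the two separate decisions a MicroProfile JWT-secured endpoint makes, which is what separates the asker's edit about the `groups` claim from the point made in this answer: authentication of the bearer token (structure, alg, signature, exp, iss; any failure is a 401) and authorization from the `groups` claim (a missing role is a 403). It uses a constructed HS256 demo secret and an assumed issuer URL in place of the RS256 key Quarkus loads from `mp.jwt.verify.publickey.location` and the `mp.jwt.verify.issuer` value; the claim set is constructed from the payload in the question. It also shows why a `@PermitAll` endpoint still answers 401 when an invalid token is presented: with Quarkus' default proactive authentication, a credential on the request is verified even when the path needs no role.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret and assumed issuer. A Quarkus app would instead verify an
# RS256 signature with the key from mp.jwt.verify.publickey.location and compare
# iss against mp.jwt.verify.issuer; HMAC keeps this example dependency-free.
DEMO_SECRET = b"demo-secret-not-for-production"
EXPECTED_ISSUER = "https://keycloak.example/auth/realms/demo"

# Claim set modelled on the question's payload plus the iss/sub/iat/exp claims a real
# token carries (all values constructed here).
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "sub": "demo-subject",
    "iat": 1_700_000_000,
    "exp": 1_700_000_300,
    "resource_access": {
        "client_interface": {"roles": ["magister"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
    "groups": ["magister"],
    "preferred_username": "magister",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT for the demo (not how Keycloak issues tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def authenticate(token: str, now: int, secret: bytes = DEMO_SECRET) -> dict:
    """Check structure, alg, signature, exp and iss. Any failure is an
    authentication error, which the HTTP layer reports as 401."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Refuse "none" and any algorithm other than the one the server is configured for
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer is not trusted")
    return claims


def authorize(claims: dict, allowed_roles: set) -> bool:
    """MP-JWT maps the 'groups' claim to roles. Keycloak's resource_access.*.roles
    is not consulted unless the server is configured to read that claim path."""
    return bool(set(claims.get("groups", [])) & allowed_roles)


def handle(token: Optional[str], allowed_roles: Optional[set], now: int) -> int:
    """HTTP status the endpoint would return. allowed_roles=None models @PermitAll.
    A presented token is verified regardless, as Quarkus' default proactive
    authentication does, so a bad token yields 401 even on a @PermitAll path."""
    claims = None
    if token is not None:
        try:
            claims = authenticate(token, now)
        except ValueError:
            return 401
    if allowed_roles is None:
        return 200
    if claims is None:
        return 401  # @RolesAllowed with no credential at all
    return 200 if authorize(claims, allowed_roles) else 403
```

Because roles come from `groups`, a token whose only role assertion sits under `resource_access.client_interface.roles` produces a 403, never a 401; a 401 on every endpoint, `@PermitAll` included, points at the token itself (issuer, expiry, or the signature against the configured key), which is the direction this answer takes. If a token provider cannot emit a `groups` claim, SmallRye JWT can be pointed at a different claim path with `smallrye.jwt.path.groups` rather than relaxing the role check.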
