Can I perform OpenID Connect ID token validation without the full OIDC protocol with Quarkus?

[aixigo-soffermann]

In our infrastructure, the services are behind an API Gateway that performs OIDC authentication. We want our services to be able to validate the ID token passed by the API Gateway again without them having to be OIDC clients, i.e. we do not want any OIDC redirect or active token retrieval to happen on behalf of the service.

For this to work, the services will have to retrieve the public JWKS from the ID provider, though, or they won't be able to validate the token signature.

How can this be achieved? Do I have to use plain quarkus-smallrye-jwt and implement the endpoint discovery and token validation myself?

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

@aixigo-soffermann

By default, quarkus-oidc expects the bearer token be present, the authorization code flow is only activated if you have quarkus.oidc.application-type=web-app.

Assuming the ID token is passed as Authorization: Bearer token, quarkus-oidc will verify it.
You can customize the scheme, for example, if you have Authorization: ID token, you can do quarkus.oidc.token.authorization-scheme=ID.
Or, if the token is passed with then custom header, say ID-Token: token, then you can do quarkus.oidc.token.header=ID-TOKEN.

quarkus-smallryr-jwt will also do the work for you, you have to configure to point to the JWKS locations, for example:
https://github.com/quarkusio/quarkus/blob/main/integration-tests/smallrye-jwt-oidc-webapp/src/main/resources/application.properties#L1

HTH

[aixigo-soffermann]

Thanks, @sberyozkin! So you are saying, with quarkus-oidc, even though my service is not an OIDC client and hence has no client credentials or client ID, I can configure it to perform the bearer (ID) token validation including the automatic endpoint discovery?

With quarkus-smallrye-jwt, I would, as it seems, have to provide the JWKS endpoint URI statically, which is not possible in my case. It must be detected via OIDC discovery.

[aixigo-soffermann]

Oh, and I also need to be able to configure the trusted issuers and audience claims, because the token has not been issued on behalf of the service that wants to validate it. Would that be possible with the quarkus-oidc approach?

[sberyozkin]

Sure, the client id/secret are optional for the bearer token authentication, so just something like quarkus.oidc.auth-server-uri=oidc-provider-address will do. Quarkus will add .well-known/openid-configuration to this address and get all the metadata, including the issuer, but you can use the quarkus.oidc.token. namespace to set the issuer, audience, etc

[aixigo-soffermann]

Works like a charm! Thanks again! :)