Hello folks, I'm trying to integrate Micronaut with AWS' ALB authentication and I've gotten the access token to work well by simply setting the correct header like this:
But, according to the AWS documentation, claims are coming from a separate header

Big thanks
Replies: 2 comments
For posterity, here's a custom TokenValidator that handles AWS's EC256 keys:

```java
// Imports added for completeness; package names assume Micronaut 3 with
// jakarta.inject. Loggers and SecurityConfig are the poster's own project classes.
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jwt.SignedJWT;
import io.micronaut.cache.annotation.Cacheable;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.core.async.publisher.Publishers;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.client.HttpClient;
import io.micronaut.http.client.exceptions.HttpClientResponseException;
import io.micronaut.http.uri.UriBuilder;
import io.micronaut.retry.annotation.Retryable;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.token.validator.TokenValidator;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;

import java.text.ParseException;
import java.util.Map;

@Singleton
public class AwsAlbOidcTokenValidator implements TokenValidator {

    private static final Logger LOG = Loggers.build();

    private final HttpClient httpClient;
    private final SecurityConfig securityConfig;

    @Inject
    public AwsAlbOidcTokenValidator(HttpClient httpClient, SecurityConfig securityConfig) {
        this.httpClient = httpClient;
        this.securityConfig = securityConfig;
    }

    // Single-argument form is deprecated in Micronaut Security; only the
    // request-aware overload below is used.
    @Override
    public Publisher<Authentication> validateToken(String token) {
        throw new IllegalStateException("deprecated");
    }

    @Override
    public Publisher<Authentication> validateToken(String token, @Nullable HttpRequest<?> request) {
        try {
            LOG.debug("validating token {}", token);
            final var jwt = SignedJWT.parse(token);
            // The ALB signs each token with a key identified by the "kid" header;
            // that id selects which public key to download.
            final var keyId = jwt.getHeader().getKeyID();
            if (keyId == null) {
                LOG.warn("kid not found in token header");
            } else {
                var jwk = getPublicKey(keyId);
                if (jwt.verify(new ECDSAVerifier(jwk.toECKey()))) {
                    // Expose the JWT payload as the authentication attributes.
                    return Publishers.just(new Authentication() {
                        @NonNull
                        @Override
                        public Map<String, Object> getAttributes() {
                            return jwt.getPayload().toJSONObject();
                        }

                        @Override
                        public String getName() {
                            return (String) jwt.getPayload().toJSONObject().get("username");
                        }
                    });
                } else {
                    LOG.warn("unable to verify token using kid: {}", jwt.getHeader().getKeyID());
                }
            }
        } catch (JOSEException | ParseException | HttpClientResponseException e) {
            LOG.error("error handling token {}", token, e);
        }
        // Empty publisher means "not authenticated" to Micronaut Security.
        return Publishers.empty();
    }

    // Cached per kid and retried on transient HTTP failures; the key URL
    // template comes from configuration and is expanded with the kid.
    @Cacheable(value = "1h")
    @Retryable
    JWK getPublicKey(String keyId) throws JOSEException {
        final var location = UriBuilder.of(securityConfig.getOidcDataKeyURL())
                .expand(Map.of("kid", keyId))
                .toString();
        LOG.info("loading public key from {} for kid: {}", location, keyId);
        var keyAsText = httpClient.toBlocking().retrieve(location);
        return JWK.parseFromPEMEncodedObjects(keyAsText);
    }
}
```

A couple things of note:
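The validator above stops once the ES256 signature checks out. As an added example (not code from this thread, from Micronaut or from AWS), the following stand-alone class walks the same resolve-key-by-kid-then-verify flow and adds the two checks a defender would want before trusting the payload: the `alg` header is pinned to ES256, and an expired token is rejected even when its signature is valid. It assumes only nimbus-jose-jwt on the classpath; the kid-to-key lookup is a map standing in for the HTTP fetch, and the key pair and tokens are generated locally (constructed data, not ALB output).

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.text.ParseException;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;

// Added example: ES256 token verification keyed by "kid", with alg pinning and
// an expiry check. The resolver is a stand-in for the ALB public-key endpoint.
public class AlbTokenCheck {

    private final Function<String, Optional<ECKey>> keyResolver;

    public AlbTokenCheck(Function<String, Optional<ECKey>> keyResolver) {
        this.keyResolver = keyResolver;
    }

    /** Verified claims, or empty when any check fails (callers only need accept/reject). */
    public Optional<JWTClaimsSet> verify(String token) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // 1. Pin the algorithm before touching the key, so an attacker-chosen
            //    "alg" can never select a different verification routine.
            if (!JWSAlgorithm.ES256.equals(jwt.getHeader().getAlgorithm())) {
                return Optional.empty();
            }
            // 2. Resolve the verification key by kid, as the validator in the thread does over HTTP.
            String kid = jwt.getHeader().getKeyID();
            if (kid == null) {
                return Optional.empty();
            }
            Optional<ECKey> key = keyResolver.apply(kid);
            if (key.isEmpty()) {
                return Optional.empty();
            }
            // 3. Signature check against the public half only.
            if (!jwt.verify(new ECDSAVerifier(key.get().toPublicJWK()))) {
                return Optional.empty();
            }
            // 4. A valid signature on an expired token is still a rejected token.
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || !exp.after(new Date())) {
                return Optional.empty();
            }
            return Optional.of(claims);
        } catch (ParseException | JOSEException e) {
            return Optional.empty();
        }
    }

    /** Mints an ES256 token; only the demo holds a private key. */
    static String mint(ECKey signingKey, String username, Date exp) throws JOSEException {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.ES256)
                .keyID(signingKey.getKeyID()).build();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(username).claim("username", username).expirationTime(exp).build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new ECDSASigner(signingKey));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        // Constructed key material; "demo-kid" is a placeholder kid, not an ALB value.
        ECKey key = new ECKeyGenerator(Curve.P_256).keyID("demo-kid").generate();
        Map<String, ECKey> published = Map.of("demo-kid", key.toPublicJWK());
        AlbTokenCheck check = new AlbTokenCheck(kid -> Optional.ofNullable(published.get(kid)));

        long now = System.currentTimeMillis();
        String fresh = mint(key, "alice", new Date(now + 60_000));
        String expired = mint(key, "alice", new Date(now - 60_000));
        // Same kid, different key pair: signature must not verify.
        ECKey other = new ECKeyGenerator(Curve.P_256).keyID("demo-kid").generate();
        String wrongKey = mint(other, "alice", new Date(now + 60_000));

        System.out.println("fresh    -> " + check.verify(fresh).map(c -> c.getClaim("username")));
        System.out.println("expired  -> " + check.verify(expired).isPresent());
        System.out.println("wrongKey -> " + check.verify(wrongKey).isPresent());
    }
}
```

To use this inside a Micronaut validator, pass a `keyResolver` that performs the cached HTTP fetch by kid and returns `Optional.empty()` on a 404, so an unknown kid is rejected rather than surfaced as an exception; the four checks then run in the same order regardless of where the key came from.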
thanks for sharing this @rferreira!