matthiaspi

Reputation: 11

How can I use Bearer Token to secure a Jakarta REST API with Jakarta Security's @OpenIdAuthenticationMechanismDefinition?

With the WildFly server and the integrated OIDC auth-method it is possible to secure a Jakarta EE 10 REST API by just sending a Bearer token in the Authentication header. I just have to configure it like this in the web.xml file:

    <login-config>
        <auth-method>OIDC</auth-method>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>user</role-name>
    </security-role>

With an oidc.json file and no additional REST filters (added server-side) it is possible to use, for example, Bearer tokens which I receive from a Keycloak server in the REST client API which is calling this REST server.

But with the new OpenIdAuthenticationMechanism (@OpenIdAuthenticationMechanismDefinition), which was introduced with Jakarta Security 3 (Jakarta EE 10), it is not possible for me to get it running the same way, because if I call the REST API with the Bearer token like before, the application redirects me to the Keycloak server. My question is: is it possible to teach the new mechanism to use the token from the Authorization header, or is that not intended?

No more code to provide.
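For readers who want to reproduce the working WildFly setup the question describes, this is an added example of the `WEB-INF/oidc.json` that the `<auth-method>OIDC</auth-method>` login-config above reads; it is not code from the original post. The realm name, server URL and client id are assumptions. The security-relevant setting is `bearer-only`: with it set to `true`, the Elytron OIDC client only validates a token presented in the `Authorization: Bearer` header and answers an unauthenticated request with 401 instead of starting the browser redirect to Keycloak, which is exactly the behaviour the question says the new Jakarta Security mechanism does not provide.

```json
{
  "realm": "demo",
  "auth-server-url": "https://keycloak.example.org/",
  "resource": "rest-api",
  "bearer-only": true,
  "ssl-required": "external",
  "principal-attribute": "preferred_username",
  "use-resource-role-mappings": false
}
```

`resource` is the Keycloak client id the tokens are issued for; with `use-resource-role-mappings` left at `false` the realm roles in the token's `realm_access.roles` claim are what the `<role-name>user</role-name>` constraint in web.xml is matched against, so the caller's token must carry the realm role `user`. A bearer-only deployment needs no client credentials because it never exchanges an authorization code, and any request without a valid signed token for this realm is rejected before it reaches the JAX-RS resource.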

Upvotes: 1

Views: 543

Answers (0)