Hi everybody,
we are developing an application that consists of several REST
web-applications written with different application frameworks (Java EE 6/
JBoss AS and Vert.x). So far we are
using org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve
from the skeleton-key-as7 template (which as far as I can see, keycloak is
based on?) as an OAuth provider and just add bearer tokens to the
authentication headers of the HTTP requests between the modules.
One of the really nice features for us is that the role mapping of users is
included in the tokens (which is also described in the keycloak docs with a
reference to JSON Web Tokens).
Now the modules that are deployed to JBoss AS transparently verify the
bearer tokens and RESTEasy even takes care of adding the username and the
user roles to the HttpServletRequest which also allows us to use
@RolesAllowed (very convenient!).
What I'm wondering now is whether there is an easy way of adding validation
and decoding of bearer tokens to Vert.x modules. Ideally, I would like to
be able to add a jar dependency that provides me with a few methods to
validate the token (make sure it is a real token, hasn't been modified and
didn't expire...) and extract the user and roles from it. Since a private
key is needed, I guess I would add a json config file or even just pass the
required values to the API directly.
Does that make sense?
Cheers,
Nils
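As an added illustration (not code from the post, from Keycloak or from Vert.x), here is what the "few methods" described above boil down to when written against the JDK alone plus Jackson for the JSON claims: split the compact JWS, refuse any `alg` other than RS256, check the RSA signature over `header.payload`, then enforce `exp` (and `nbf` if present) before trusting anything in the claims, and finally pull out the username and realm roles. Note that the verifying side needs only the realm's public key; the private key stays on the authentication server. The claim names (`preferred_username`, `realm_access.roles`), the 30-second clock-skew allowance and the sample claims in `main` are assumptions made for this example; the `main` method generates a throwaway key pair and mints a token purely so the checks can be exercised offline.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

/**
 * Minimal RS256 bearer-token check for a Vert.x module: structure, signature,
 * expiry, then username + realm roles. Needs only the realm's PUBLIC key.
 * (Example code; claim names follow Keycloak's shape and are an assumption.)
 */
public final class BearerTokenVerifier {

    private static final ObjectMapper JSON = new ObjectMapper();
    private static final Base64.Decoder B64 = Base64.getUrlDecoder();

    /** What a request handler needs after a successful check. */
    public static final class Identity {
        public final String username;
        public final Set<String> roles;
        Identity(String username, Set<String> roles) { this.username = username; this.roles = roles; }
    }

    private final PublicKey realmPublicKey;
    private final long clockSkewSeconds;

    public BearerTokenVerifier(PublicKey realmPublicKey, long clockSkewSeconds) {
        this.realmPublicKey = realmPublicKey;
        this.clockSkewSeconds = clockSkewSeconds;
    }

    /** Throws SecurityException for any token that must be rejected. */
    public Identity verify(String token, long nowSeconds) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("not a compact JWS: expected 3 segments");

        // 1. Header: accept RS256 only, so 'none' or HMAC algorithms can never be substituted.
        JsonNode header = JSON.readTree(B64.decode(parts[0]));
        if (!"RS256".equals(header.path("alg").asText())) throw new SecurityException("unsupported alg");

        // 2. Signature over the exact bytes "header.payload", checked with the realm public key.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(realmPublicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64.decode(parts[2]))) throw new SecurityException("bad signature");

        // 3. Claims are only trusted now that the signature matched; enforce the time window.
        JsonNode claims = JSON.readTree(B64.decode(parts[1]));
        if (!claims.has("exp")) throw new SecurityException("missing exp");
        if (nowSeconds > claims.get("exp").asLong() + clockSkewSeconds) throw new SecurityException("token expired");
        if (claims.has("nbf") && nowSeconds + clockSkewSeconds < claims.get("nbf").asLong())
            throw new SecurityException("token not yet valid");

        // 4. Username and realm roles (Keycloak-style claim names, assumed).
        String user = claims.path("preferred_username").asText(claims.path("sub").asText(null));
        Set<String> roles = new HashSet<>();
        for (JsonNode r : claims.path("realm_access").path("roles")) roles.add(r.asText());
        return new Identity(user, Collections.unmodifiableSet(roles));
    }

    /** Demo: mint an RS256 token with a freshly generated key pair, then run the checks. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        long now = System.currentTimeMillis() / 1000;

        // Constructed sample claims in Keycloak's shape (not a real token).
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"1234\",\"preferred_username\":\"nils\",\"exp\":" + (now + 300)
                + ",\"realm_access\":{\"roles\":[\"user\",\"admin\"]}}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String signingInput = enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        String token = signingInput + "." + enc.encodeToString(signer.sign());

        BearerTokenVerifier verifier = new BearerTokenVerifier(kp.getPublic(), 30);
        Identity id = verifier.verify(token, now);
        System.out.println("accepted: " + id.username + " " + id.roles);

        // A payload edited after signing must fail the signature check.
        String[] p = token.split("\\.");
        String edited = enc.encodeToString(
                payload.replace("\"admin\"", "\"admin\",\"superuser\"").getBytes(StandardCharsets.UTF_8));
        try { verifier.verify(p[0] + "." + edited + "." + p[2], now); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }

        // The same valid token presented an hour later must fail the expiry check.
        try { verifier.verify(token, now + 3600); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In a Vert.x handler the public key would be loaded once at startup (from the config file or the value passed in, as the post suggests) and `verify` called per request on the value after `Bearer ` in the `Authorization` header; the returned `roles` set is what a `@RolesAllowed`-style check would consult. The order of the steps matters: nothing read from the payload, including `alg` overrides or role lists, is acted on until the signature has been verified with the key the module already trusts.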