we are developing an application that consists of several REST web-applications written with different application frameworks (Java EE 6/ JBoss AS and Vert.x). So far we are using org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve from the skelton-key-as7 template (which as far as I can see, keycloak is based on?) as an OAuth provider and just add bearer tokens to the authentication headers of the HTTP requests between the modules.

One of the really nice features for us is that the role mapping of users is included in the tokens (which is also described in the keycloak docs with a reference to JSON Web Tokens). 

Now the modules that are deployed to JBoss AS transparently verify the bearer tokens and RESTEasy even takes care of adding the username and the user roles to the HttpServletRequest which also allows us to use @RolesAllowed (very convenient!).

What I'm wondering now is whether there is an easy way of adding validation and decoding of bearer tokens to Vert.x modules. Ideally, I would like to be able to add a jar dependency that provides me with a few methods to validate the token (make sure it is a real token, hasn't been modified and didn't expire...) and extract the user and roles from it. Since a private key is needed, I guess I would add a json config file or even just pass the required values to the API directly.

Does that make sense?

Cheers,

Nils