Allow to do a blocking smallrye-jwt authentication #20635
Conversation
|
Let me make it a draft for now |
|
@stuartwdouglas Hi Stuart - do you think calling |
|
Silly me, it can be handled at the identity provider level, one would need to have a class specific blocking request context to call |
sberyozkin
force-pushed
the
blocking_jwt_authentication
branch
2 times, most recently
from
3f0444e to
66bf00d
Compare
|
Converting to draft again, Roberto, @radcortez, |
sberyozkin
force-pushed
the
blocking_jwt_authentication
branch
from
66bf00d to
4531e3c
Compare
|
@radcortez thanks, I've also added a test, I spent nearly an hour last Friday staring at the test file checking for a property typo but could not find a problem and now it just works, sorry for the noise |
sberyozkin
added
the
triage/waiting-for-ci
quarkus-bot
bot
removed
the
triage/waiting-for-ci
It is related to smallrye/smallrye-jwt#511.
smallrye-jwtuses an internal blocking Jose4j HTTP client and if the keys have to be fetched from a remote endpoint then it is done at the 1st request time and if the remote keys endpoint is slow or unavailable then the problems like #511 will happen.As far as
smallrye-jwtis concerned, the best effort can be made there to read the keys early. However even in that case, when dealing with the JWK keys, they will have to be refreshed now and then remotely, so a risk of blocking will remain.So, at the quarkus level it makes sense IMHO to let users control that a blocking authentication has to be performed in case of the slow/unstable remote key endpoints.
This is not a problem at the
quarkus-oidclevel but since we do not control the client at the smallrye-jwt level, we have to find a workaround. Longer term, 1) making smallrye-jwt reactive - the issue exists 2) making Jose4J HTTPS handler accept a client interface as opposed to its Simple HTTP client for Quarkus to register Vertx client will make it work as well but it may take awhile.If would be good if it could make it to 2.4.0.CR1, CC @aloubyansky
thanks