quarkusio · sberyozkin · Nov 24, 2023 · Nov 21, 2023
diff --git a/...idc-token-propagation-reactive/src/main/java/io/quarkus/it/keycloak/FrontendResource.java b/...idc-token-propagation-reactive/src/main/java/io/quarkus/it/keycloak/FrontendResource.java
@@ -16,6 +16,10 @@ public class FrontendResource {
     @RestClient
     AccessTokenPropagationService accessTokenPropagationService;
 
+    @Inject
+    @RestClient
+    IdTokenPropagationService idTokenPropagationService;
+
     @Inject
     @RestClient
     ServiceWithoutToken serviceWithoutToken;
@@ -28,6 +32,14 @@ public Uni<String> userNameAccessTokenPropagation() {
         return accessTokenPropagationService.getUserName();
     }
 
+    @GET
+    @Path("id-token-propagation")
+    @Produces("text/plain")
+    @RolesAllowed("user")
+    public Uni<String> userNameIdTokenPropagation() {
+        return idTokenPropagationService.getUserName();
+    }
+
     @GET
     @Path("service-without-token")
     @Produces("text/plain")

diff --git a/...-propagation-reactive/src/main/java/io/quarkus/it/keycloak/IdTokenPropagationService.java b/...-propagation-reactive/src/main/java/io/quarkus/it/keycloak/IdTokenPropagationService.java
@@ -0,0 +1,20 @@
+package io.quarkus.it.keycloak;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+
+import org.eclipse.microprofile.rest.client.annotation.RegisterProvider;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+import io.smallrye.mutiny.Uni;
+
+@RegisterRestClient
+@RegisterProvider(IdTokenRequestReactiveFilter.class)
+@Path("/")
+public interface IdTokenPropagationService {
+
+    @GET
+    @Produces("text/plain")
+    Uni<String> getUserName();
+}
diff --git a/...opagation-reactive/src/main/java/io/quarkus/it/keycloak/IdTokenRequestReactiveFilter.java b/...opagation-reactive/src/main/java/io/quarkus/it/keycloak/IdTokenRequestReactiveFilter.java
@@ -0,0 +1,23 @@
+package io.quarkus.it.keycloak;
+
+import jakarta.annotation.Priority;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.Priorities;
+import jakarta.ws.rs.core.HttpHeaders;
+
+import org.jboss.resteasy.reactive.client.spi.ResteasyReactiveClientRequestContext;
+import org.jboss.resteasy.reactive.client.spi.ResteasyReactiveClientRequestFilter;
+
+import io.quarkus.oidc.IdTokenCredential;
+
+@Priority(Priorities.AUTHENTICATION)
+public class IdTokenRequestReactiveFilter implements ResteasyReactiveClientRequestFilter {
+
+    @Inject
+    IdTokenCredential idToken;
+
+    @Override
+    public void filter(ResteasyReactiveClientRequestContext requestContext) {
+        requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, "Bearer " + idToken.getToken());
+    }
+}
diff --git a/...dc-token-propagation-reactive/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java b/...dc-token-propagation-reactive/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java
@@ -1,13 +1,13 @@
 package io.quarkus.it.keycloak;
 
-import java.security.Principal;
-
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;
 
+import org.eclipse.microprofile.jwt.JsonWebToken;
+
 import io.quarkus.security.Authenticated;
 import io.smallrye.mutiny.Uni;
 
@@ -16,12 +16,12 @@
 public class ProtectedResource {
 
     @Inject
-    Principal principal;
+    JsonWebToken jwt;
 
     @GET
     @Produces("text/plain")
     @RolesAllowed("user")
     public Uni<String> principalName() {
-        return Uni.createFrom().item(principal.getName());
+        return Uni.createFrom().item(jwt.getClaim("typ") + ":" + jwt.getName());
     }
 }
diff --git a/integration-tests/oidc-token-propagation-reactive/src/main/resources/application.properties b/integration-tests/oidc-token-propagation-reactive/src/main/resources/application.properties
@@ -1,4 +1,5 @@
 io.quarkus.it.keycloak.AccessTokenPropagationService/mp-rest/uri=http://localhost:8081/protected
+io.quarkus.it.keycloak.IdTokenPropagationService/mp-rest/uri=http://localhost:8081/protected
 io.quarkus.it.keycloak.ServiceWithoutToken/mp-rest/uri=http://localhost:8081/protected
 
 quarkus.oidc.application-type=web-app

diff --git a/...ation-reactive/src/test/java/io/quarkus/it/keycloak/OidcTokenReactivePropagationTest.java b/...ation-reactive/src/test/java/io/quarkus/it/keycloak/OidcTokenReactivePropagationTest.java
@@ -29,8 +29,11 @@ public void testGetUserNameWithAccessTokenPropagation() throws Exception {
             loginForm.getInputByName("password").setValueAttribute("alice");
 
             TextPage textPage = loginForm.getInputByName("login").click();
+            assertEquals("Bearer:alice", textPage.getContent());
+
+            textPage = webClient.getPage("http://localhost:8081/frontend/id-token-propagation");
+            assertEquals("ID:alice", textPage.getContent());
 
-            assertEquals("alice", textPage.getContent());
             webClient.getCookieManager().clearCookies();
         }
     }