OIDC Token Propagation with Token Exchange for multiple clients #36440
Replies: 4 comments 3 replies
-
/cc @pedroigor (oidc), @sberyozkin (oidc) |
Beta Was this translation helpful? Give feedback.
-
Hi @lmartella1
Sound approach indeed
You are right. It is now possible to inject named clients to OIDC Client filters (done by @michalvavrik ) but not yet to Token Propagation filters. I'll do a minor update to let users create custom token propagation filters customizing OIDC client names, which will do in the short term. And will open an enhancement request to support injecting named clients to the token propagation filters |
Beta Was this translation helpful? Give feedback.
-
@lmartella1 See #36459, hopefully will make it to 3.5.0. Thanks |
Beta Was this translation helpful? Give feedback.
-
@lmartella1 Sure, please see #36501, I also updated the #36458 requirements (though as I said it will likely take a while), thanks |
Beta Was this translation helpful? Give feedback.
-
Hello,
I'm currently building a Quarkus application which exposes secured endpoints via OpenID Connect. The application receives access tokens as bearer when accessing one of those protected endpoints and then needs to perform different downstream REST Client calls to other secured microservices. I'm currently using the quarkus-oidc-token-propagation-reactive extension to perform a token exchange and transform the incoming JWT token into a new one meant for the specific audience of the target microservice.
The following configuration allows me to properly do the token exchange but it applies in the same way to all the REST Clients annotated with @ AccessToken:
My question is: what to do in case each REST Client need to have a specific NamedOidcClient to be used when performing the client call?
For instance, imagine that the microservice needs to perform two REST Client calls to two different microservices having different clientIDs: serviceA and serviceB.
In this case I would need the token exchange towards serviceA to use a NamedOidcClient called serviceA and having:
while the calls towards serviceB uses a NamedOidcClient called serviceB and having:
Looking at the quarkus-oidc-token-propagation-reactive documentation I don't see this approach as currently feasible. Am I wrong?
Thanks in advance.
Beta Was this translation helpful? Give feedback.
All reactions