Add RoutingContext to SecurityIdentity for mTLS authentication #28326
Comments
/cc @sberyozkin
Hi @lorenzobenvenuti Sure, please do it
It turns out that implementing this feature is harder than I thought: I didn't notice that I can think of different solutions, but TBH I don't like any of them.
For options 1 and 2, attributes could also be copied in

Thoughts?

Thanks, lorenzo
Another (hack-ish) option: add this bean to the

```java
@Priority(1000)
public class RoutingContextAwareX509IdentityProvider extends X509IdentityProvider {
    @Override
    public Uni<SecurityIdentity> authenticate(CertificateAuthenticationRequest request, AuthenticationRequestContext context) {
        final Uni<SecurityIdentity> authenticate = super.authenticate(request, context);
        // Copy the RoutingContext from the authentication request into the identity attributes
        return authenticate.onItem().transform(
                it -> QuarkusSecurityIdentity.builder(it)
                        .addAttribute(RoutingContext.class.getName(), HttpSecurityUtils.getRoutingContextAttribute(request))
                        .build()
        );
    }
}
```

This is an HTTP-oriented implementation of
@lorenzobenvenuti Hi, sorry for the delay, so maybe the simplest is for your application to ship such a custom provider?
Hi @sberyozkin yes, actually that's what we're doing right now. I was just wondering if someone else could benefit from moving this class to the framework, but probably it's a pretty unique use case (mTLS + need to access a header) and it's not worth the effort: if someone else needs something similar they can just write their own

Thanks, lorenzo
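The consuming side of the custom provider discussed in the comments above, as an added example that is not part of the thread or of Quarkus: a `SecurityIdentityAugmentor` that reads the `RoutingContext` from the identity attribute and honours a request header only when the authenticated certificate subject is permitted to use it. The header name, attribute name, tenant format and the subject-to-tenant map are hypothetical; the `jakarta` import assumes Quarkus 3 (`javax.enterprise.context` on Quarkus 2.x).

```java
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

@ApplicationScoped
public class TenantHeaderAugmentor implements SecurityIdentityAugmentor {

    // Hypothetical names chosen for this example.
    static final String TENANT_HEADER = "X-Tenant-Id";
    static final String TENANT_ATTRIBUTE = "tenant";
    // The header is client-controlled even over mTLS: accept a strict format only.
    static final Pattern TENANT_FORMAT = Pattern.compile("[a-z0-9-]{1,32}");
    // Constructed sample data: which certificate subjects may act for which tenants.
    static final Map<String, Set<String>> ALLOWED_TENANTS = Map.of(
            "CN=client-a,O=Example", Set.of("tenant-1", "tenant-2"),
            "CN=client-b,O=Example", Set.of("tenant-3"));

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        if (identity.isAnonymous()) {
            return Uni.createFrom().item(identity);
        }
        // Present only if the identity provider copied it, as the custom X.509 provider above does.
        RoutingContext routingContext = identity.getAttribute(RoutingContext.class.getName());
        if (routingContext == null) {
            return Uni.createFrom().item(identity);
        }
        String tenant = routingContext.request().getHeader(TENANT_HEADER);
        if (tenant == null || !TENANT_FORMAT.matcher(tenant).matches()) {
            return Uni.createFrom().item(identity);
        }
        // Bind the unauthenticated header to the authenticated certificate subject.
        String subject = identity.getPrincipal().getName();
        if (!ALLOWED_TENANTS.getOrDefault(subject, Set.of()).contains(tenant)) {
            return Uni.createFrom().item(identity); // header ignored, identity unchanged
        }
        return Uni.createFrom().item(QuarkusSecurityIdentity.builder(identity)
                .addAttribute(TENANT_ATTRIBUTE, tenant)
                .build());
    }
}
```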
Description
Hi,

I'm trying to access the current request in a `SecurityIdentityAugmentor`. Since injecting `RoutingContext` doesn't seem to work (I tried with and without `@ActivateRequestContext`), I'm wondering if `RoutingContext` can be passed in a `SecurityIdentity` attribute. I see it's already done in `OidcIdentityProvider` (here) and `MpJwtValidator` (here). For my use case, I'd like to have the same behavior for mTLS authentication (`X509IdentityProvider`). If you think it's valuable, I can try to put an MR together.

Thanks,
lorenzo
Implementation ideas
`MtlsAuthenticationMechanism` is already adding the `RequestContext` to the `AuthenticationRequest` attributes, I think it only needs to be forwarded to the `SecurityIdentity` attributes in `X509IdentityProvider`: