
Dev UI: security / JWT / OIDC #34577

Closed
FroMage opened this issue Jul 6, 2023 · 4 comments · Fixed by #35324

Comments

@FroMage
Member

FroMage commented Jul 6, 2023

Description

It would be super useful if the Dev UI panel showed info such as:

  • Current user (for all authentication methods)
  • Authentication method (of the current user)
  • Authentication methods (enabled), and some info about them, like their endpoints, docs
  • For OIDC / JWT:
    -- Current tenant
    -- Tenants (enabled)
    -- UserInfo
    -- ID Token
    -- Refresh Token
    -- Access Token

And in the case of JWT tokens, we should decode them, and provide something like https://jwt.io that is local and doesn't involve sending tokens to untrusted 3rd parties. This would feel much more secure if Dev UI provided that.

/CC @phillip-kruger

Implementation ideas

No response
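A local decoder of the kind the comment above asks for, as an added example (not Quarkus or Dev UI code): it splits a JWT, base64url-decodes the header and payload on the developer's own machine, reports expiry, and marks the result unverified because no signature check is performed. The sample token, its key id and its claims are constructed for the example.

```javascript
// Added example (not Quarkus/Dev UI code): decode a JWT locally, the way a
// jwt.io-style Dev UI panel could, so the token never leaves the developer's
// machine. Decoding only inspects the header and payload; it does NOT verify
// the signature, so every claim shown here is unverified.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding (RFC 7515, Appendix C)
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

// Parse header and payload; report signature presence and expiry, but mark
// the result as unverified because no key check has been done.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const header = JSON.parse(base64UrlDecode(parts[0]).toString('utf8'));
  const payload = JSON.parse(base64UrlDecode(parts[1]).toString('utf8'));
  return {
    header,
    payload,
    signatureLength: base64UrlDecode(parts[2]).length,
    expired: typeof payload.exp === 'number' && payload.exp <= nowSeconds,
    verified: false, // a real panel would only flip this after JWS verification
  };
}

// Constructed sample: an RS256-style token with a dummy (unverifiable) signature.
function buildSampleToken() {
  const header = { alg: 'RS256', typ: 'JWT', kid: 'example-key' };
  const payload = { iss: 'https://issuer.example', sub: 'alice',
                    aud: 'my-app', iat: 1688600000, exp: 1688603600 };
  const signature = base64UrlEncode('not-a-real-signature');
  return `${base64UrlEncode(JSON.stringify(header))}.` +
         `${base64UrlEncode(JSON.stringify(payload))}.${signature}`;
}

// Evaluate one second after the constructed token's exp, so it shows as expired.
const decoded = decodeJwt(buildSampleToken(), 1688603601);
console.log(JSON.stringify(decoded, null, 2));
```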

@quarkus-bot

quarkus-bot bot commented Jul 6, 2023

/cc @cescoffier (devui), @pedroigor (oidc), @phillip-kruger (devui), @sberyozkin (jwt,oidc,security)

@sberyozkin
Member

Hi @FroMage, for a single tenant, the current OIDC Dev UI works for Keycloak, or any other provider which does not require PKCE, like Twitter. Can you please give Google a try and see what is already available?

Here is what you should see with current one for a single tenant:

> Current user (for all authentication methods)

You'd see something like Logged in as Alice with an option to logout - if the provider supports RP initiated logout

> Authentication method (of the current user)

It is implicit for OIDC, but also:

> Authentication methods (enabled), and some info about them, like their endpoints, docs

You would see supported method security in Swagger UI

> For OIDC / JWT:
>
> -- Current tenant

It has been on the map, as I said. Right now it works for the default tenant, but what I'd like to have is that, when more than one tenant is available, the OIDC card lets users select the tenant first and then signs in the user with the tenant-specific config. I suppose I can use this JIRA as a specific enhancement request for it.

> -- Tenants (enabled)
> -- UserInfo
> -- ID Token
> -- Refresh Token
> -- Access Token

ID and access tokens are what an SPA would work with. UserInfo is not supposed to be accepted via the front channel (browser), but you can have a secured service method returning UserInfo and see UserInfo in the Swagger UI (which Phillip integrated with OIDC Dev UI).

@FroMage
Member Author

FroMage commented Jul 6, 2023

> You'd see something like Logged in as Alice with an option to logout - if the provider supports RP initiated logout

I'd really like to be able to log out without calling the RP-initiated logout. In the case of OIDC, especially via Google and related providers, I want to be able to log out from my application without logging the user out from Google.

> Authentication methods (enabled), and some info about them, like their endpoints, docs
>
> You would see supported method security in Swagger UI

Well no, I don't want to see them in Swagger UI. I want to see that I have the following security methods enabled:

  • OIDC / Google
  • WebAuthn
  • Basic
  • Form Auth

> It has been on the map, as I said, right now it works for the default tenant - but what I'd like to have, is, when more than one tenant is available, OIDC card will let users select the tenant first and then sign in the user with the tenant specific config, I suppose, I can use this JIRA as a specific enhancement request for it

Without even supporting signing in from Dev UI (which granted, would be nice), we can display the current tenant because I'm already signed in (via my application).

@sberyozkin
Member

> You'd see something like Logged in as Alice with an option to logout - if the provider supports RP initiated logout
>
> I'd really like to be able to logout without calling the RP initiated logout. In the case of OIDC, especially via Google and related, I want to be able to log out from my application without logging the user out from Google.

Sure, Google and other social providers don't really have a standard logout endpoint, and we have local logout support with OidcSession. At the Dev UI level it is about discoverable metadata.

> Well no, I don't want to see them in Swagger UI. I want to see that I have the following security methods enabled:
> OIDC / Google
> WebAuthn
> Basic
> Form Auth

My understanding is that Swagger UI is the only way to fetch the metadata about which resource method is secured and which authentication method is required. What else do you have in mind?

> Without even supporting signing in from Dev UI (which granted, would be nice), we can display the current tenant because I'm already signed in (via my application).

I'm not sure I understand. Dev UI initiates an SPA, the user logs in via this SPA, not via Quarkus, and then this SPA can send tokens to Quarkus methods to test. Dev UI needs a tenant selector before initiating a login.

I'll show you later what we'll have for a multi-tenant OIDC Dev UI support
