quarkus + oauth2 + auth0

I'm trying to get Auth0 to work with Quarkus.

Resources I've used are:

https://github.com/quarkusio/quarkus-quickstarts/tree/main/security-oauth2-quickstart

https://quarkus.io/guides/security-oauth2

When I go to my /auth/login page I redirect to my Auth0 tenant for login and it correctly redirects me back to my landing page.

Sample URL with relevant info included:

https://tenant.us.auth0.com/authorize?response_type=code&client_id=xxxx&redirect_uri=https://lcl.test.com:8443&scope=openid%20profile

Then I land on my landing page with a token in the URL:

?code=AT3rTCtZ_PixmX0l

Then I go to the URL running the sample code I got from the quickstart (above), "permit-all",

and this is my result: hello + anonymous, isSecure: true, authScheme: null

Settings:

quarkus.oauth2.client-id=xxxxx

quarkus.oauth2.client-secret=xxxxx

quarkus.oauth2.introspection-url=https://tenant.us.auth0.com/intropect

Code:

import java.security.Principal;

// javax.* imports as in the Quarkus 2 quickstart; Quarkus 3 uses jakarta.* instead.
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

import org.jboss.logging.Logger;

@Path("/secured")
public class TokenSecuredResource {

  private static final Logger LOG = Logger.getLogger(TokenSecuredResource.class);

  // Open endpoint: reports whichever principal the security layer established
  // for the request, or "anonymous" when none was.
  @GET
  @Path("permit-all")
  @Produces(MediaType.TEXT_PLAIN)
  @PermitAll
  public String hello(@Context SecurityContext ctx) {
    Principal caller = ctx.getUserPrincipal();
    String name = caller == null ? "anonymous" : caller.getName();

    String helloReply = String.format("hello + %s, isSecure: %s, authScheme: %s", name, ctx.isSecure(),
        ctx.getAuthenticationScheme());
    return helloReply;
  }

  // Protected endpoint: only reachable with an authenticated identity carrying the "hsp" role.
  @GET
  @Path("roles-allowed")
  @RolesAllowed({ "hsp" })
  @Produces(MediaType.TEXT_PLAIN)
  public String helloRolesAllowed(@Context SecurityContext ctx) {
    LOG.info(ctx);
    Principal caller = ctx.getUserPrincipal();

    LOG.info(caller);
    String name = caller == null ? "anonymous" : caller.getName();
    String helloReply = String.format("hello + %s, isSecure: %s, authScheme: %s", name, ctx.isSecure(),
        ctx.getAuthenticationScheme());
    return helloReply;
  }
}

Main question: what are reasons why I wouldn't be seeing appropriate security context info?

Follow up questions:

  • In theory is that all I need to do to see some appropriate values?
  • Do I need to enable sessions or manage cookies?
  • Any other suggestions?
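As an added example (not part of the original question or of the Quarkus quickstart), a @QuarkusTest with RestAssured that pins down what the posted resource returns when the request carries no bearer token. The redirect back from /authorize delivers an authorization code in the ?code= query parameter, not an access token, and the browser never sends it as an Authorization header, so the quarkus-oauth2 bearer mechanism has nothing to introspect and the principal stays null, which is the "anonymous" result above. The package and class names are assumed, as are the quarkus-junit5 and rest-assured test dependencies.

```java
// Added example (not from the original post): a Quarkus test that pins down
// what the posted TokenSecuredResource returns when no bearer token is sent.
package org.acme.security.oauth2;   // assumed package name

import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.containsString;
import static org.hamcrest.CoreMatchers.not;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

@QuarkusTest
public class TokenSecuredResourceTest {

    @Test
    public void permitAllWithoutTokenIsAnonymous() {
        // The browser redirect delivers ?code=... as a query parameter and
        // sends no Authorization header, so the quarkus-oauth2 bearer
        // mechanism has nothing to introspect and no principal is set.
        given()
            .when().get("/secured/permit-all")
            .then()
            .statusCode(200)
            .body(containsString("hello + anonymous"))
            .body(containsString("authScheme: null"));
    }

    @Test
    public void rolesAllowedWithoutTokenIsRejected() {
        // Without credentials the @RolesAllowed endpoint answers 401
        // instead of falling through to an anonymous greeting.
        given()
            .when().get("/secured/roles-allowed")
            .then()
            .statusCode(401);
    }

    @Test
    public void rolesAllowedWithUnverifiableTokenIsNotGranted() {
        // Constructed opaque token: the configured introspection URL is not
        // a working Auth0 endpoint, so the token cannot be verified and the
        // "hsp" role must not be granted (the exact error status may vary).
        given()
            .header("Authorization", "Bearer constructed-opaque-token")
            .when().get("/secured/roles-allowed")
            .then()
            .statusCode(not(200));
    }
}
```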


Solution 1:[1]

Unfortunately Auth0 currently does not support opaque token validation via an introspection endpoint.

Opaque token validation with introspection endpoint

So I think in this case the problem is that the introspection URL given to Quarkus is not working.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source: Solution 1 by Kerim Oguzcan Yenidunya