vertx-web
Most simple form of Bearer (token) authentication is not supported.
Describe the feature
HTTP provides the Bearer authentication scheme, of which JWT is probably the most commonly used implementation. Vert.x web provides a JWTAuthHandler (+ impl), but what is missing is a simpler scheme, where a server just sends "a bearer token" (aka a string) without any of the fancy stuff of JWT.
The missing feature is thus a (Simple)BearerAuthHandler (+ impl).
Use cases
Servers using the Bearer-authentication scheme in a more raw format than standardised implementations such as JWT.
Contribution
I have been using a simple working solution for the last three years now, but it starts to annoy me that it clutters my project with glue code that could/should be part of the framework I am using.
If we don't know what kind of token it is, it is not possible for vertx-web to assert the authenticity of the token and therefore the authenticity of the user. We support bearer tokens with 2 handlers:
- JWTHandler (like you mentioned) where we expect the token to be a JWT of course and perform the right validation
- OAuth2Handler that relies on the configured IdP to perform the validation (this can be either an opaque token or a JWT in case of an OpenID Connect capable IdP).
If you need a custom token, I'd suggest to create a new handler that extends the internal HTTPAuthorizationHandler abstract class as it already covers most of the work needed.
If the kind of token you're using is somehow a standard format that we can verify, I'm all open to work together and see if we can include it on the project directly.
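As an added illustration of the custom-handler route suggested above (example code written for this note, not vertx-web's own): a minimal opaque bearer token handler that parses the `Authorization` header, looks the token up in constant time, stores the resolved subject on the routing context and otherwise answers with an RFC 6750 `WWW-Authenticate: Bearer` challenge. It deliberately uses only the public `Router`/`RoutingContext` API rather than the internal `HTTPAuthorizationHandler`, whose constructor has changed across Vert.x versions; the token map, the realm and the `bearer.subject` context key are constructed for the example.

```java
// Added example (not vertx-web project code): an opaque bearer token handler
// built only on the public Router/RoutingContext API. The token store, realm
// and the "bearer.subject" context key are assumptions for illustration.
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public final class SimpleBearerAuthHandler implements Handler<RoutingContext> {

  private static final String BEARER_PREFIX = "Bearer ";
  // token -> principal id; a real deployment would load this from a store
  private final Map<String, String> tokenToSubject;
  private final String realm;

  public SimpleBearerAuthHandler(Map<String, String> tokenToSubject, String realm) {
    this.tokenToSubject = tokenToSubject;
    this.realm = realm;
  }

  @Override
  public void handle(RoutingContext ctx) {
    String header = ctx.request().getHeader("Authorization");
    // Scheme name is case-insensitive (RFC 7235); the token itself is not.
    if (header == null || header.length() <= BEARER_PREFIX.length()
        || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
      challenge(ctx, null);
      return;
    }
    String presented = header.substring(BEARER_PREFIX.length()).trim();
    String subject = lookup(presented);
    if (subject == null) {
      challenge(ctx, "invalid_token");
      return;
    }
    ctx.put("bearer.subject", subject);
    ctx.next();
  }

  // Compare against every stored token with MessageDigest.isEqual and never
  // return early, so response timing does not leak how close a guess was.
  private String lookup(String presented) {
    byte[] p = presented.getBytes(StandardCharsets.UTF_8);
    String match = null;
    for (Map.Entry<String, String> e : tokenToSubject.entrySet()) {
      byte[] k = e.getKey().getBytes(StandardCharsets.UTF_8);
      if (MessageDigest.isEqual(p, k)) {
        match = e.getValue();
      }
    }
    return match;
  }

  // RFC 6750 section 3: 401 with a WWW-Authenticate Bearer challenge; the
  // optional error attribute tells the client a token was present but rejected.
  private void challenge(RoutingContext ctx, String error) {
    String value = "Bearer realm=\"" + realm + "\"";
    if (error != null) {
      value += ", error=\"" + error + "\"";
    }
    ctx.response()
      .setStatusCode(401)
      .putHeader("WWW-Authenticate", value)
      .end();
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    Router router = Router.router(vertx);
    // constructed sample token for the demo; never ship a literal token
    Map<String, String> tokens = Map.of("constructed-sample-token", "alice");
    router.route("/api/*").handler(new SimpleBearerAuthHandler(tokens, "example"));
    router.get("/api/whoami").handler(ctx ->
      ctx.response().end("hello " + ctx.get("bearer.subject")));
    vertx.createHttpServer().requestHandler(router).listen(8080);
  }
}
```

Because the handler is mounted on `/api/*` before the concrete routes, any request without a valid token is stopped with a 401 and never reaches them; the lookup is linear in the number of tokens, which is the price of not short-circuiting on the first mismatch.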
pmlopes wrote: If you need a custom token, I'd suggest to create a new handler that extends the internal HTTPAuthorizationHandler abstract class as it already covers most of the work needed.
-> That is exactly what I did three years ago, but it started to annoy me that it clutters my project with glue code that could be part of the framework I am using. I can add these two files (the interface and the impl-class).
I cloned the project and added those files to a new branch simple_bearer_auth, do you want me to push it?
Or should HTTPAuthorizationHandler be subclassed for all projects with custom tokens? In the latter case this issue should be closed.
https://github.com/madewael/vertx-web/commit/aa09c093eeef748010d86edfa5a862f123fc565e
@madewael just a second here! I like the direction this is going, but let us concentrate on the goal. You're looking for a generic Bearer token handler for a custom authentication provider. This is great, and we've been saying in the past that we would also like to unify the JWT and OAuth2 handlers under a single one as they overlap, I see that this goal also intersects this PR.
Let's keep in mind your use case, and see if we can define a "general" handler that can do the 3 cases:
- User defined token
- JWT
- OAuth2
I do like the name you chose for the handler as it is clear what the handler processes; now the tricky part is to make sure we can support all cases. WDYT?
Okay, I think I catch the drift of what you are saying.
I would have to dive deeper into the (technical) details of the differences between handlers and authentication providers, and probably dive a bit deeper into JWT and OAuth2 as well, to provide an informed answer on your *WDYT*. Right now I only have my working solution that I wanted to share, but I don't feel comfortable reasoning about a bigger picture atm.
I'm quite confident that I could allocate some time in the first half of next year to try and figure it out. Are there other people currently working on this as well? For now, I would then put this issue on hold.