0
votes

Our team is currently developing our first Quarkus application, with most developers primarily experienced with the Spring ecosystem. We are facing the following authorization-related problem:

Our users are authenticated by OpenID and JWT using the company-given SSO solution, where some default roles are already given. We have some special domain-specific rules, like: if a user has at least one role of [A, B, C], he implicitly gets role Z (in principle something like composite roles). The role "Z" is not coming from the JWT token. Authorization in the resource endpoints should then work, e.g., with both @RolesAllowed("A") and @RolesAllowed("Z").

How would you achieve this in Quarkus?

1

1 Answer

0
votes

You can implement a SecurityIdentityAugmentor to modify the SecurityIdentity. One that would implement your rule of "if the identity has at least one role of [A, B, C], then it also has role Z" would look like this:

import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import jakarta.inject.Singleton; // javax.inject.Singleton on Quarkus 2.x

@Singleton
public class MyRolesAugmentor implements SecurityIdentityAugmentor {
    @Override
    public int priority() {
        return 0; // augmentors run in priority order; 0 is fine when there is only one
    }

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        return Uni.createFrom().item(() -> {
            // Copy the authenticated identity (principal, roles, attributes, credentials)
            QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);
            // Composite rule: any of A, B, C implies Z
            if (identity.hasRole("A") || identity.hasRole("B") || identity.hasRole("C")) {
                builder.addRole("Z");
            }
            return builder.build(); // @RolesAllowed("Z") now sees the derived role
        });
    }
}
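As an added example (not code from the original answer, nor Quarkus project code), the same augmentor generalized to a rule table that is evaluated to a fixed point, so chained rules such as "Z implies Y" also resolve. The class name, the rule table and the jakarta.inject import (Quarkus 3; javax.inject on Quarkus 2) are assumptions; the rule logic is kept in a pure static method so it can be unit-tested without a container.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import jakarta.inject.Singleton;

@Singleton
public class CompositeRolesAugmentor implements SecurityIdentityAugmentor {
    // Rule table (constructed for this example): key = role granted, value = roles
    // any one of which grants it. "Y" shows a chained rule that depends on "Z".
    static final Map<String, List<String>> IMPLIED_ROLES = Map.of(
            "Z", List.of("A", "B", "C"),
            "Y", List.of("Z"));

    // Pure function: returns the input roles plus every role implied by the table.
    static Set<String> expandRoles(Set<String> roles) {
        Set<String> expanded = new HashSet<>(roles);
        boolean changed = true;
        while (changed) {                       // iterate until no rule adds a role
            changed = false;
            for (var rule : IMPLIED_ROLES.entrySet()) {
                if (!expanded.contains(rule.getKey())
                        && rule.getValue().stream().anyMatch(expanded::contains)) {
                    expanded.add(rule.getKey());
                    changed = true;
                }
            }
        }
        return expanded;
    }

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        if (identity.isAnonymous()) {           // never derive roles for unauthenticated callers
            return Uni.createFrom().item(identity);
        }
        return Uni.createFrom().item(() -> {
            QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);
            for (String role : expandRoles(identity.getRoles())) {
                builder.addRole(role);          // roles are a set, so re-adding existing ones is harmless
            }
            return builder.build();
        });
    }
}
```

Because the derived roles are computed server-side from the verified JWT roles, a caller cannot obtain Z or Y by adding claims to the token; the augmentor runs on every authenticated request, so keep the rule table small or cache the expansion if it grows.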