Is there any way in Micronaut, where I can do an authentication to the JWT authentication provider ?

[dileepnaik]

I can Only see the documentation for the authentication mechanism in the same server.
But in my case, I have the JWT auth provider, and the clients will directly call and get the jwt token.
Clients, While sending the request it includes the bearer token, but I have to go and validate against the Auth provider. Is there any way in micronaut I can override the behaviour and make a call to AuthProvider and validate the JWT token ?

[sdelamo]

@dileepnaik I move this to a discussion. I don't think it is an issue.

Sorry but I don't fully understand your question.

Typically, in Micronaut Security when you receive a request with a JWT Bearer token we validate the signature of the JWT and the claims. We don't do an extra network call against a central service. Is that what you want to achieve?

You can always create your own implementation of TokenValidator.

I explain here the security flow: https://youtu.be/VrnVbAyKSEY?t=336

[dileepnaik]

Yes, I want to validate this token with an identity server.
call to http://someserver/validateToken

[dileepnaik]

I have implemented the custom TokenValidator, But Authentication works fine, But the Authorisation with roles is not working.
Is there anything I should be looking in to ?

[sdelamo]

Is your token a JWT. which claims does it have? Which claim do you want to use as the one contributing the roles used for Authorization? By default Micronaut uses. the roles claim but you can change it:

micronaut.security.token.roles-name Authentication attributes map key for the user’s roles. Default value "roles".

[Fohlen]

Hi, I have a similar requirement, I am trying to authenticate a Firebase user. I have retrieved the JWT token of the user and checked that it is indeed a valid JWT token. I use the following class:

package example.app;

import com.google.firebase.FirebaseApp;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;
import io.micronaut.context.annotation.Requires;
import io.micronaut.context.env.Environment;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.token.validator.TokenValidator;
import jakarta.inject.Singleton;
import java.net.http.HttpRequest;
import org.reactivestreams.Publisher;
import reactor.core.publisher.Mono;

@Singleton
//@Requires(notEnv = {Environment.GOOGLE_COMPUTE, Environment.CLOUD})
public class FirebaseTokenValidator implements TokenValidator<HttpRequest> {

  public FirebaseTokenValidator() {
    FirebaseApp.initializeApp();
  }

  @Override
  public @NonNull Publisher<Authentication> validateToken(
      @NonNull String token,
      @Nullable HttpRequest request
  ) {

    if (token.isEmpty()) {
      return Mono.empty();
    }

    try {
      FirebaseToken firebaseToken = FirebaseAuth.getInstance().verifyIdToken(token);
      return Mono.just(Authentication.build(
          firebaseToken.getUid(),
          firebaseToken.getClaims()
      ));
    } catch (FirebaseAuthException e) {
      return Mono.error(e);
    }
  }
}

I have enabled JWT:

micronaut.security.authentication=bearer
micronaut.security.enabled=true

However, when I call my service with an authentication header (Authorization), the custom token validator isn't even instantiated (I know this from step debugging). I have enabled the trace for security, and indeed it looks like this:

11:26:31.398 [virtual-executor1] DEBUG i.m.security.rules.IpPatternsRule - One or more of the IP patterns matched the host address [0:0:0:0:0:0:0:1]. Continuing request processing.
11:26:33.921 [virtual-executor1] DEBUG i.m.s.rules.AbstractSecurityRule - None of the given roles [[isAnonymous()]] matched the required roles [[isAuthenticated()]]. Rejecting the request

The request falls straight through the AbstractSecurityRule without ever touching the TokenValidator. This is on Micronaut 4.5.0.
@sdelamo how exactly are we supposed to configure the TokenValidator?

[Fohlen]

This was solved by using a template type instead of HttpRequest:

package example.app;

import com.google.firebase.FirebaseApp;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;
import io.micronaut.context.annotation.Requires;
import io.micronaut.context.env.Environment;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.token.validator.TokenValidator;
import jakarta.inject.Singleton;
import java.net.http.HttpRequest;
import org.reactivestreams.Publisher;
import reactor.core.publisher.Mono;

@Singleton
//@Requires(notEnv = {Environment.GOOGLE_COMPUTE, Environment.CLOUD})
public class FirebaseTokenValidator<T> implements TokenValidator<T> {

  public FirebaseTokenValidator() {
    FirebaseApp.initializeApp();
  }

  @Override
  public @NonNull Publisher<Authentication> validateToken(
      @NonNull String token,
      @Nullable T request
  ) {

    if (token.isEmpty()) {
      return Mono.empty();
    }

    try {
      FirebaseToken firebaseToken = FirebaseAuth.getInstance().verifyIdToken(token);
      return Mono.just(Authentication.build(
          firebaseToken.getUid(),
          firebaseToken.getClaims()
      ));
    } catch (FirebaseAuthException e) {
      return Mono.error(e);
    }
  }
}

I assume this is because Micronaut 3x and above uses ReactiveHttpRequest instead of HttpRequest and thus it is never picked up during class loading.

[sdelamo]

@dileepnaik what Micronaut version are you using? do you have a sample app or instructions about what is needed in firebase to replicate this. I am new to firebase.

[Fohlen]

Hey Sergio and thanks for getting back. This is Micronaut 4.5.0. It is not really related to Firebase. Basically TokenValidator<HttpRequest> instances simply aren't instantiated by Micronaut (any longer?). This is not a problem per-se but it would help if it was reflected in the docs. If we need to access the request content, what is the correct type here? Publisher<HttpRequest>> ?