gabriel-farache opened a new issue, #1894: URL: https://github.com/apache/incubator-kie-issues/issues/1894
SonataFlow can't rely on the OpenAPI Generator for this use case since it's specifically for service orchestration. The workflow can't rely on the injected JWT in the security context since it can call multiple third-party services during its execution, requiring different tokens for each call.

Instead, SonataFlow should offer a custom OIDC Filter that interacts with the OpenAPI Generator generated REST Clients. For each REST Client that has Token Exchange enabled, this new extension should register the custom filter and turn off the security filters generated by the OpenAPI Generator.

This extension would be similar to the [AccessTokenRequestFilter](https://github.com/quarkusio/quarkus/blob/main/extensions/oidc-token-propagation/runtime/src/main/java/io/quarkus/oidc/token/propagation/AccessTokenRequestFilter.java) provided by the Quarkus OIDC Client. But, instead of relying on the injected token in the context, it has to extract the token from a custom header in the workflow request. This header must be named "X-Authentication-<security-scheme-name>" by default. Users can optionally change this header key for any other value via properties. Adding the "X-Authentication" suffix is a good practice for signaling to tools that this header is custom.

Once the token is extracted, the logic should be nearly the same as the AccessTokenRequestFilter:

1. Extract the target token from the current request headers context injected by the REST Client in the request properties.
2. Use this token and the workflow application credentials to exchange the token via the OIDC Client.
3. Inject the token into the Authentication Request Header when calling the target service.
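The filter sketched in the issue, written out as an added example in Java; this is neither SonataFlow's nor Quarkus's code. It assumes the REST Client stores the incoming workflow request headers under a request property (the property name is hypothetical), that the injected `OidcClient` is configured for the token-exchange grant with the workflow's own client credentials, and that `OidcClient.getTokens(Map)` carries the extra grant parameter.

```java
import java.util.Map;
import java.util.Optional;

import jakarta.ws.rs.client.ClientRequestContext;
import jakarta.ws.rs.client.ClientRequestFilter;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;

import io.quarkus.oidc.client.OidcClient;
import io.quarkus.oidc.client.Tokens;

// Hypothetical filter: registered once per REST Client whose security scheme
// has Token Exchange enabled, replacing the generator's own security filter.
public class WorkflowTokenExchangeFilter implements ClientRequestFilter {

    // Hypothetical request property under which the REST Client exposes the
    // headers of the incoming workflow request (the issue leaves the name open).
    static final String INCOMING_HEADERS_PROPERTY = "sonataflow.incoming.headers";

    private final String headerName;   // "X-Authentication-<scheme>" unless overridden
    private final OidcClient oidcClient;

    public WorkflowTokenExchangeFilter(String securitySchemeName,
                                       Optional<String> configuredHeader,
                                       OidcClient oidcClient) {
        // Default header key, overridable via application properties
        this.headerName = configuredHeader.orElse("X-Authentication-" + securitySchemeName);
        this.oidcClient = oidcClient;
    }

    @Override
    public void filter(ClientRequestContext ctx) {
        @SuppressWarnings("unchecked")
        MultivaluedMap<String, String> incoming =
                (MultivaluedMap<String, String>) ctx.getProperty(INCOMING_HEADERS_PROPERTY);
        String subjectToken = incoming == null ? null : incoming.getFirst(headerName);
        if (subjectToken == null || subjectToken.isBlank()) {
            // No caller token for this scheme: fail the outbound call rather than
            // silently sending the workflow's own credentials to the target service.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .entity("Missing " + headerName + " header").build());
            return;
        }
        // Token exchange: the caller's token is the subject_token, the OidcClient
        // adds the workflow's client credentials to the grant request.
        Tokens exchanged = oidcClient
                .getTokens(Map.of("subject_token", subjectToken))
                .await().indefinitely();
        ctx.getHeaders().putSingle(HttpHeaders.AUTHORIZATION,
                "Bearer " + exchanged.getAccessToken());
    }
}
```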
