// Comprehensive guide to the JUDO authentication pipeline. Use when you need to understand how authentication works, debug auth issues, configure OAuth2/OpenID Connect, or integrate with identity providers like Keycloak.
| name | judo-runtime:authentication-flow |
| description | Comprehensive guide to the JUDO authentication pipeline. Use when you need to understand how authentication works, debug auth issues, configure OAuth2/OpenID Connect, or integrate with identity providers like Keycloak. |
| metadata | {"author":"BlackBelt Technology","version":"${project.version}"} |
Complete guide to understanding the authentication pipeline in JUDO Runtime Core.
JUDO Security provides a multi-layer authentication system supporting:
graph TB
subgraph "Client"
A[HTTP Request]
end
subgraph "CXF Layer"
B[KeycloakLoginInterceptor]
end
subgraph "Security Core"
C[RealmExtractor]
D[OpenIdConfigurationProvider]
E[UserManager]
end
subgraph "Identity Provider"
F[Keycloak Server]
end
subgraph "Application"
G[Business Logic]
H[DAO Layer]
end
A -->|Authorization: Bearer token| B
B --> C
C -->|Extract actor type| B
B --> D
D -->|Get OIDC config| F
B -->|Validate JWT| F
B -->|Set SecurityContext| G
G --> H
H --> E
E -->|Sync users| F
sequenceDiagram
participant Client
participant Interceptor as KeycloakLoginInterceptor
participant Extractor as RealmExtractor
participant OIDC as OpenIdConfigurationProvider
participant Keycloak
participant App as Application
Client->>Interceptor: HTTP Request + Bearer Token
Interceptor->>Extractor: extractActorType(request)
Extractor-->>Interceptor: Optional<EClass> actorType
alt Actor Type Found
Interceptor->>OIDC: getOpenIdConfiguration(actorType)
OIDC-->>Interceptor: OIDC Config (issuer, jwks_uri, etc.)
Interceptor->>Keycloak: Validate JWT using JWKS
Keycloak-->>Interceptor: Token validation result
alt Valid Token
Interceptor->>Interceptor: Extract claims, map to attributes
Interceptor->>App: SecurityContext with JudoPrincipal
App-->>Client: Response
else Invalid Token
Interceptor-->>Client: 401 Unauthorized
end
else Anonymous Access
Interceptor->>App: No SecurityContext
App-->>Client: Response (if allowed)
end
Provides OpenID Connect configuration for each actor type:
public interface OpenIdConfigurationProvider {
// Get the .well-known/openid-configuration URL for an actor type
String getOpenIdConfigurationUrl(EClass actorType);
// Get parsed OIDC configuration (cached)
Map<String, Object> getOpenIdConfiguration(EClass actorType);
// Get the identity provider server URL
String getServerUrl();
// Get OAuth2 client ID for an actor type
String getClientId(EClass actorType);
// Health check for identity provider
void ping();
}
Extracts actor type from HTTP requests:
public interface RealmExtractor {
// Extract actor type from request (typically from URL path)
Optional<EClass> extractActorType(HttpServletRequest request);
}
Default Implementation: PathInfoRealmExtractor
Extracts actor from URL path:
POST /api/Model/Actor/operationModel.Actor actor typeManages users in the identity provider:
public interface UserManager<ID> {
// Get user by username
Optional<Map<String, Object>> getUser(EClass actor, ID username);
// Get all users for an actor type
List<Map<String, Object>> getAllUsers(EClass actor);
// Create a new user
void createUser(EClass actor, Map<String, Object> user);
// Update existing user
void updateUser(EClass actor, ID username, Map<String, Object> user);
// Delete user
void deleteUser(EClass actor, ID username);
// Get managed actor for a principal type
Optional<EClass> getManagedActorOfPrincipal(EClass principalType);
// Get attribute mapping between principal and Keycloak
Map<String, String> getPrincipalAttributeMapping(EClass principalType);
// Extract username from user data
Optional<ID> getUsername(EClass principalType, Map<String, Object> user);
}
Defines password generation rules:
public interface PasswordPolicy<ID> extends Function<Map<String, Object>, Optional<ID>> {
// Apply policy: user data -> optional generated password
}
Implementations:
NoPasswordPolicy - No automatic password generationSameUsernamePasswordPolicy - Password equals usernameSameEmailPasswordPolicy - Password equals emailgraph LR
subgraph "JWT Token"
A[Header]
B[Payload/Claims]
C[Signature]
end
subgraph "Claim Mapping"
D[preferred_username]
E[email]
F[custom claims]
end
subgraph "JudoPrincipal"
G[name]
H[realm]
I[client]
J[attributes]
end
B --> D
B --> E
B --> F
D --> G
D --> J
E --> J
F --> J
The UserManagedWrappedDao automatically syncs users with the identity provider:
sequenceDiagram
participant App as Application
participant Wrapper as UserManagedWrappedDao
participant DAO as Delegate DAO
participant UserMgr as UserManager
participant Keycloak
App->>Wrapper: create(Actor, payload)
Wrapper->>DAO: create(Actor, payload)
DAO-->>Wrapper: Created entity
Wrapper->>UserMgr: createUser(actor, userData)
UserMgr->>Keycloak: POST /admin/realms/{realm}/users
Keycloak-->>UserMgr: 201 Created
Wrapper-->>App: Created entity
Note over Wrapper,UserMgr: Same flow for update/delete
JudoKeycloakModuleConfiguration.builder()
.keycloakServerUrl("http://localhost:8080/auth")
.keycloakExternalUrl("https://auth.example.com")
.keycloakAdminUser("admin")
.keycloakAdminPassword("admin")
.keycloakClientSecret(null) // Optional for confidential clients
.keycloakUserManagerEnabled(true)
.keycloakUpdateExistingUsers(false)
.keycloakAsyncServiceCall(true) // Async user management calls
.keycloakRetryMaxAttempts(1000)
.keycloakRetryWaitDuration(1000L)
.keycloakRetryExponentialBackoff(true)
.build();
Actor types require these annotations in the ASM model:
@actorType(managed=true) // Enable user management
@realm("my-realm") // Keycloak realm name
@claim("USERNAME") // Attribute mapped to Keycloak username
@claim("EMAIL") // Attribute mapped to Keycloak email
By default, the JWT token's azp (authorized party) claim must match an actor type FQN in the ASM model.
The acceptableClients parameter allows additional Keycloak client IDs to authenticate against specific actor types.
Format: ActorTypeFQN=client1,client2;OtherActorFQN=client3
Client IDs can use either dashes or dots — dashes are automatically converted to dots to match the internal convertClientToActorName() normalization.
Platform (OSGi):
JUDO_PLATFORM_ACCEPTABLE_CLIENTS=MyModel.UserActor=frontend-app,mobile-app;MyModel.AdminActor=admin-tool
Spring Boot (application.properties):
judo.actorResolver.acceptableClients=MyModel.UserActor=frontend-app,mobile-app;MyModel.AdminActor=admin-tool
Guice (JudoDefaultModuleConfiguration):
JudoDefaultModuleConfiguration.builder()
.actorResolverAcceptableClients("MyModel.UserActor=frontend-app,mobile-app")
.build();
1. Token arrives with azp = "frontend-app"
2. KeycloakLoginInterceptor converts to "frontend.app" (dashes → dots)
3. DefaultActorResolver.authenticateByPrincipal() tries:
a. asmUtils.resolve("frontend.app") → empty (not an actor FQN)
b. Look up "frontend.app" in acceptableClients map → found under "MyModel.UserActor"
c. asmUtils.resolve("MyModel.UserActor") → EClass ✓
d. Proceed with MyModel.UserActor as the actor type
IllegalArgumentExceptionAfter successful authentication, JudoPrincipal is available:
// In CXF resource
@Context
SecurityContext securityContext;
public Response myOperation() {
JudoPrincipal principal = (JudoPrincipal) securityContext.getUserPrincipal();
String username = principal.getName();
String realm = principal.getRealm();
String client = principal.getClient(); // Actor FQN
Map<String, Object> claims = principal.getAttributes();
// Use principal for authorization
}
| Error | HTTP Status | Description |
|---|---|---|
| Missing token | Depends on endpoint | Anonymous access (may be allowed) |
| Expired token | 401 | ACCESS_TOKEN_EXPIRED error code |
| Invalid signature | 401 | Token verification failed |
| Unknown realm | N/A | Request processed as anonymous |
<logger name="hu.blackbelt.judo.runtime.core.security" level="DEBUG"/>
<logger name="org.keycloak" level="DEBUG"/>
Token validation fails
User not created in Keycloak
keycloakUserManagerEnabled=true@actorType(managed=true)Claims not mapped
@claim annotations on actor attributesAttributeBinding in Keycloak modeljudo-runtime-core-security-keycloak - Keycloak implementationjudo-runtime-core-security-keycloak-cxf - CXF interceptorsjudo-runtime-core-guice-keycloak - Guice configurationjudo-runtime-core-accessmanager-api - Authorization APIsHelp write tests for JUDO applications using judo-runtime-core-guice-testkit. Use when writing interceptor tests, setting up JudoRuntimeFixture, or troubleshooting testkit issues.
Add Claude skill packages and agent-docs to a JUDO Runtime Core module. Use when making a module self-contained with embedded documentation, creating skills for interceptors/extensions, or packaging agent docs in JARs.
Comprehensive guide to JUDO Access Manager API interfaces. Use when you need to understand operation authorization, implement custom authentication interceptors, work with signed identifiers, or integrate access control into your application.
Comprehensive guide to configuring access control rules in JUDO Runtime. Use when you need to understand actor-based authorization, configure public vs authenticated access, set up exposedBy annotations, or implement custom authentication interceptors.
Detailed guide to the JUDO permission checking flow for CRUD operations. Use when you need to understand how CREATE, UPDATE, DELETE permissions work, debug authorization failures, or implement custom authorizers.
Understand JUDO DAO Core interface patterns including payload processors, statement types, instance collectors, and validation. Use when working with data access operations, implementing custom processors, or understanding the DAO architecture.