# Support for OIDC as Relying Party?

grand spear

I come from the Java world, and the Quarkus framework has excellent support for OIDC, particularly for REST services that are a Relying Party. Right now, I am writing a set of services using Vapor. I really enjoy the framework, but this is a piece that is sorely lacking. I've tried looking around for any OIDC/OAuth2 authenticators or libraries I can incorporate to fill this need. I found the vapor-oauth2 library, but this seems more suited for implementing your own OIDC provider. In my case, I'm using an established Keycloak instance, not writing my own provider.

Does anyone know of a good authenticator or other library that could fill this need?

cobalt river
grand spear

I took a quick glance at it, but don't see any real documentation. The assumption will be that the user will already be authenticated via a Web UI (SPA written using Vue) and pass the identity/access token to the Vapor services. Is that a supported use case for Imperial? Know of any docs or tutorials for it?

cobalt river

Err, I don't know, to be honest.

@indigo charm @nocturne tiger ?

nocturne tiger

Do you want to be the OIDC provider or client?

grand spear

Neither. I want to be the OIDC relying party. The web UI will be the client. Keycloak will be the provider. My services will be a relying party, consuming the OIDC token from the web UI on all API calls.

indigo charm

If it’s saved in the session as either access_token or refresh_token you can use the extensions on Request and Session (but if you need only this you don’t really need Imperial, you can DIY)

grand spear

Does Imperial include extensions or structs for parsing an access token from Keycloak to get things like subject, email, groups/roles, etc.?