1 of 19

SSO made easy with Quarkus OIDC

Willem Jan Glerum

Devoxx Morocco 2025

Conference

2025-11-13


Today’s Topic

2 / 17

  • Why SSO?
  • What is OIDC?
  • ID Tokens vs Access Tokens
  • How to use Quarkus OIDC
  • Dev Services
  • Testing
  • Production

Willem Jan Glerum


  • Principal Software Engineer @ Lunatech
  • Delft - The Netherlands
  • Using Quarkus since 2019


Why SSO?

  • Building user registration is complex and tedious
  • Users don’t have to create yet another account
  • Manage roles & rights in one place (RBAC)
  • For example Azure AD, Okta, Google, Keycloak, etc.
  • Stateless token validation

What is OIDC?

  • OpenID Connect
  • Open authentication protocol
  • Extends OAuth 2.0 with an identity layer
    • Adds the ID token

What is OIDC?


https://www.cncf.io/blog/2023/05/17/securing-cloud-native-microservices-with-role-based-access-control-using-keycloak/

More abbreviations

  • OIDC -> OpenID Connect
  • OAuth -> Open Authorization
  • IdP -> Identity Provider
  • JWT -> JSON Web Token
  • JWS -> JSON Web Signature
  • JWK -> JSON Web Key
  • RBAC -> Role Based Access Control

Service App vs Web App

Service Application
  • Bearer token authentication
  • Great for SPAs and service-to-service

Web Application
  • Authorization Code Flow
  • Great for server-side apps


Bearer token authentication


https://quarkus.io/guides/security-oidc-bearer-token-authentication


Authorization Code flow


https://quarkus.io/guides/security-oidc-code-flow-authentication

ID Tokens vs Access Tokens

ID Token

The user has been authenticated

Specs: OpenID Connect

Do

  • Assume the user is authenticated
  • Get user profile data

Don’t

  • Call another API
  • Check user access


ID Tokens vs Access Tokens

Access Token

The app has been authorised

Specs: OAuth

Do

  • Call another API
  • Check user access

Don’t

  • Inspect the token


Inspecting Tokens

How to use Quarkus OIDC?

  • Add the extension
  • Profit!
  • Demo

Quarkus Dev Services

  • Automatically starts a Keycloak server
  • Zero configuration needed
  • Define test users with configuration

  • Alternatively use OIDC dev services
    • No Keycloak container needed
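As an added example (not code from the talk), the bearer-token setup behind the "add the extension" and Dev Services slides: a service-type resource whose endpoints are gated by the verified access token, with the matching application.properties shown in the header comment. The property keys are real Quarkus OIDC and Keycloak Dev Services keys; the realm URL, resource paths, role names and test user are assumed.

```java
// src/main/resources/application.properties (quarkus-oidc extension added; values are assumed):
//   quarkus.oidc.application-type=service
//   # Keycloak puts realm roles in this claim; mapped onto SecurityIdentity roles
//   quarkus.oidc.roles.role-claim-path=realm_access/roles
//   # prod only: with no auth-server-url in dev/test, Dev Services starts Keycloak and wires it in
//   %prod.quarkus.oidc.auth-server-url=https://idp.example.com/realms/quarkus
//   # Dev Services test user (dev/test profiles only)
//   quarkus.keycloak.devservices.users.alice=alice
//   quarkus.keycloak.devservices.roles.alice=user,admin
package org.acme;
import jakarta.annotation.security.RolesAllowed;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import java.util.Map;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.SecurityIdentity;

@Path("/api/orders")
@Produces(MediaType.APPLICATION_JSON)
public class OrderResource {

    // Quarkus OIDC has already verified the bearer token (signature against the IdP's JWKS,
    // issuer, expiry) before a method runs; a missing or invalid token gets 401 upstream.
    @Inject JsonWebToken accessToken;
    @Inject SecurityIdentity identity;

    // Any valid access token may call this; no role check.
    @GET
    @Path("/mine")
    @Authenticated
    public Map<String, Object> mine() {
        return Map.of("subject", accessToken.getSubject(),
                      "roles", identity.getRoles());
    }

    // The access token decides access: "admin" must be among the roles mapped
    // from realm_access/roles; any other caller gets 403.
    @GET
    @Path("/admin")
    @RolesAllowed("admin")
    public Map<String, Object> admin() {
        return Map.of("issuer", accessToken.getIssuer(),
                      "expiresAt", accessToken.getExpirationTime());
    }
}
```

In dev mode a token for alice from the auto-started Keycloak reaches both endpoints; a token without the admin role reaches only /mine.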

Testing

  • How to test?
  • Using dev services with Keycloak
  • Using test extension

Production

  • Define OIDC provider
  • Set environment variables and secrets
  • Some require extra configuration
  • Multi-tenancy
  • User federation


https://quarkus.io/guides/security-openid-connect-providers

Token Propagation

  • Send access tokens downstream
  • OIDC Clients
  • MCP Servers

Feedback & Thank you!
