Getting Supabase Auth to connect to Java Quarkus

[jfslin]

Hello. I apologize if this is a very basic question, but I'm trying to write a Java Quarkus REST API and having trouble figuring out how to think about Supabase Auth. I understand that Supabase Auth will provide my client with a JWT, which I can then validate on the REST using the JWT Secret. I have this working.

It seems like there are other ways I should consider though:

• Quarkus assume that JWTs are signed with RSA256 so I should use public-private key pairs (as per https://quarkus.io/guides/security-jwt). I wasn't able to find public-private key information in Supabase Auth, and while I saw that I can convert JWKs to keys, I also saw that JWKs are not supported in Supabase.
• another way is to use OIDC (as per https://quarkus.io/guides/security-oidc-bearer-token-authentication-tutorial), but I don't think Supabase Auth itself serves as OIDC or OAuth2

Are these routes that I can take with Supabase Auth? Thank you.

[Sebastian-Nielsen]

Did you figure it out?

[jfslin]

Sorry for the late response. I got Supabase Auth to work with Quarkus here: quarkusio/quarkus#42550

There might be an easier method now, I haven't updated this auth system since I first implemented it last year, but it involves setting up this .jwk file then converting it to a encoded string. This link specifically outlines the instruction: quarkusio/quarkus#42550 (comment)

[jfslin]

In case you're still on this, I just migrated to Quarkus 3.26 which didn't like the HS256 setup that was working here. I ended up:

• migrating Supabase Auth JWT to a EC256 key
• archived the old HS256 key (necessary step, or else Supabase will continue to mint HS256 JWTs)

Then updating my application.properties to

mp.jwt.verify.publickey.algorithm = ES256
mp.jwt.verify.publickey.location = https://${SUPABASE_PROJECT}.supabase.co/auth/v1/.well-known/jwks.json
mp.jwt.verify.issuer = https://${SUPABASE_PROJECT}.supabase.co/auth/v1

No more BASE64 parsing.

[jfslin]

Current method as of Quarkus 3.26.4

• Under Supabase Project/Settings/JWT Keys - make sure the current JWT Signing Key method is EC256

Then set application.properties:

mp.jwt.verify.publickey.algorithm = ES256
mp.jwt.verify.publickey.location = https://${SUPABASE_PROJECT}.supabase.co/auth/v1/.well-known/jwks.json
mp.jwt.verify.issuer = https://${SUPABASE_PROJECT}.supabase.co/auth/v1

Can verify this via POST https://{{SUPABASE_PROJECT}}.supabase.co/auth/v1/token?grant_type=password and checking that JWT is indeed ES256. Then in Quarkus,

    @Inject
    JsonWebToken jwt;

should have the JWT populated.