openid_connect, SecurityScheme and checker

[zchira]

I am trying to impl SecurityScheme with keycloak and openid_connect.
What I did so far:
I added Security Scheme OpenIdAuth

#[derive(SecurityScheme)]
#[oai(
    ty="openid_connect",
    key_in="cookie",
    key_name="KEYCLOAK_IDENTITY",
    openid_connect_url="http://localhost:8080/realms/myrealm/.well-known/openid-configuration",
    checker = "user_checker"
)]
struct OpenIdAuth(Bearer);

Added user_checker function. It looks like user_checker for ty=open_idconnect must be with Bearer argument and Option as a return type.

async fn user_checker(req: &Request, bearer: Bearer) -> Option<Bearer> {
    println!("USER_CHECKER");
    println!("req: {:#?}", req);
    println!("bearer: {}", bearer.token);
    None
}

I also added endpoints /auth which redirects to keycloak login page, and /auth_redirect where I am able to verify keycloak response and get id_token and user_info.

The problem:
after going through /auth_redirect endpoint a would expect that user is authenticated and able to access protected and point such as:

    #[oai(path="/items", method = "get")]
    async fn get_items(&self, auth: OpenIdAuth) -> Result<Jsone<Items>, Error> {
         ...
    }

but that is not happening.
I just get 401 'authorization error' response, and user_checker function is not called at all.

Am I missing something?
Should I set JWT token in cookie/header in response of /auth_redirect or something like that?
Also, I would expect that in user_checker I should get JWT token and verify it (check if it is valid, expired, etc...)

[zchira]

Not sure if this is the right way:
I modified SecurityScheme:

#[derive(SecurityScheme)]
#[oai(
    ty = "api_key",
    key_in = "cookie",
    key_name="KEYCLOAK_IDENTITY",
    checker = "user_checker"
)]
pub struct OpenIdAuth(pub User);

in /auth_redirect endpoint I am returning custom response with set-cookie:

Ok(CustomResponse::SetCookie(format!("KEYCLOAK_IDENTITY={}", token_response.access_token().secret()).into()))

with ty=api_key the function user_checker is called (also I use openid_connect crate):

pub async fn user_checker(_req: &Request, api_key: ApiKey) -> poem::Result<User, poem::Error> {
    println!("api: {:#?}", api_key);
    let at = openidconnect::AccessToken::new(api_key.key);

    let client = openid_client::get_client().await?;
    let user_info: CoreUserInfoClaims = client.user_info(at, None)
        .unwrap()
        .request_async(async_http_client).await
        .map_err(....))?;

    let user = User {
        username: user_info.name()....,
        email: user_info.email().....
    };

    Ok(user)
}

and this works.
Questions:

1. is it OK to call auth service (keycloak) every time function user_checker is called? I guess I can just decode JWT (api_key) and get info from there?
2. still not sure is this is the right way to implemenent openid_connect auth (since I changed ty=api_key)