
Disabled default quarkus-oidc tenant blocks access to the public resources #10343

Closed
sberyozkin opened this issue Jun 29, 2020 · 7 comments
Labels
area/oidc kind/bug Something isn't working
Milestone

Comments

@sberyozkin
Member

sberyozkin commented Jun 29, 2020

A request to a resource such as http://localhost:8080/graphql fails with

HTTP Request to /graphiql failed, error id: 87310eed-1c56-4103-a292-a32d7d5a3710-1: io.quarkus.oidc.OIDCException: Tenant configuration context has not been resolved
    at io.quarkus.oidc.runtime.OidcAuthenticationMechanism.isWebApp(OidcAuthenticationMechanism.java:45)
    at io.quarkus.oidc.runtime.OidcAuthenticationMechanism.authenticate(OidcAuthenticationMechanism.java:32)
    at io.quarkus.oidc.runtime.OidcAuthenticationMechanism_ClientProxy.authenticate(OidcAuthenticationMechanism_ClientProxy.zig:231)
    at io.quarkus.vertx.http.runtime.security.HttpAuthenticator.attemptAuthentication(HttpAuthenticator.java:101)
    at io.quarkus.vertx.http.runtime.security.HttpAuthenticator_ClientProxy.attemptAuthentication(HttpAuthenticator_ClientProxy.zig:41)
    at io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2.handle(HttpSecurityRecorder.java:93)
    at io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2.handle(HttpSecurityRecorder.java:45)
    at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1034)

Despite the following configuration:

quarkus.http.auth.permission.1.paths=/*
quarkus.http.auth.permission.1.policy=permit
quarkus.oidc.tenant-enabled=false
@sberyozkin sberyozkin added kind/bug Something isn't working area/oidc labels Jun 29, 2020
@Sgitario
Contributor

This is an example test of how to reproduce this issue: https://github.com/Sgitario/quarkus-oidc-issue
Running the test will fail because of this issue.

@Sgitario
Contributor

Sgitario commented Jul 7, 2020

This issue is fixed as part of #10506

I did check these changes and now it's possible to enable/disable the authentication at runtime:

if the property "quarkus.oidc.tenant-enabled" is false, the tenant won't be checked if the URL is public. Might be an issue when the URL is protected, because it returns HTTP OK with empty response (and it should return 401)
if the property "quarkus.oidc.tenant-enabled" is true, the tenant is checked at startup and fails as expected if it's not provided. If the tenant is properly configured, everything works as expected.

CC @sberyozkin

@sberyozkin
Member Author

Hi @Sgitario, thanks for verifying it.

if the property "quarkus.oidc.tenant-enabled" is false, the tenant won't be checked if the URL is public. Might be an issue when the URL is protected, because it returns HTTP OK with empty response (and it should return 401)

That is fine - as far as quarkus-oidc is concerned it has been 'asked' not to check anything for a given tenant configuration :-).

But I'm not sure why an empty response, can you clarify please? What is a protected resource, a file? If yes, how is it protected (given that quarkus-oidc is effectively disabled)? Or a JAX-RS method? If we have a JAX-RS method with @RolesAllowed then it will return 401, as the test I've added in another PR confirms.

Also, if you'd like your test added as well, please rebase your PR.
Thanks.

@sberyozkin sberyozkin added this to the 1.7.0 - master milestone Jul 7, 2020
@sberyozkin
Member Author

Hi @Sgitario, I'm closing this issue given that you've confirmed it has been fixed, but let's keep your PR open for now to finalize the discussion there and also in case you'd like to rebase it.
Thanks for your help.

@sberyozkin sberyozkin reopened this Jul 7, 2020
@sberyozkin
Member Author

@Sgitario Sorry, I got confused a bit, can you please clarify about the empty response (see my comment above)?

@Sgitario
Contributor

Sgitario commented Jul 7, 2020

@Sgitario Sorry, I got confused a bit, can you please clarify about the empty response (see my comment above)?

Sorry for not being too clear in my comment. With empty response, I mean that if I configure my endpoint with the following properties:

quarkus.http.auth.permission.1.paths=/*
quarkus.http.auth.permission.1.policy=authenticated
quarkus.oidc.enabled=true
quarkus.oidc.tenant-enabled=false

When I call my endpoint, I get HTTP OK but with no content (the service is not invoked, but I still get 200 OK with a literally empty body). I guess the right behaviour should be to get HTTP 401.

However, when I configure my endpoints with permit:

quarkus.http.auth.permission.1.paths=/*
quarkus.http.auth.permission.1.policy=permit
quarkus.oidc.enabled=true
quarkus.oidc.tenant-enabled=false

It returns HTTP OK with the expected content.

And with security:

quarkus.http.auth.permission.1.paths=/*
quarkus.http.auth.permission.1.policy=authenticated
quarkus.oidc.enabled=true
quarkus.oidc.tenant-enabled=true
quarkus.oidc.auth-server-url=http://localhost:8280/auth
quarkus.oidc.client-id=my-client
quarkus.oidc.credentials.secret=my-secret

It returns the expected HTTP 401 if I call my service. If I need to get redirected to Keycloak, I need to add the config:

quarkus.oidc.application-type=web-app

And this is also working fine.

Therefore, I think there is a new issue with this configuration:

quarkus.http.auth.permission.1.paths=/*
quarkus.http.auth.permission.1.policy=authenticated
quarkus.oidc.enabled=true
quarkus.oidc.tenant-enabled=false

But this issue is already fixed and working as expected.
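
A regression test pinning the two outcomes described in this thread, added here as an illustration rather than code from the issue or the Quarkus project. It assumes a hypothetical `/hello` JAX-RS resource returning the text "hello" and Quarkus 1.x package names (`javax.ws.rs`); the class and method names are placeholders. The first test covers the reporter's public-path case (the request must be served, with no "Tenant configuration context has not been resolved" failure); the second encodes the fail-closed expectation from the discussion: an `authenticated` policy with the default tenant disabled should answer 401, never a 200 with an empty body.

```java
// HelloResource.java -- hypothetical public endpoint used by the tests below
package org.acme;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/hello")
public class HelloResource {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String hello() {
        return "hello";
    }
}

// TenantDisabledPermitTest.java -- added regression test (not from the issue)
package org.acme;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.is;

import java.util.Map;
import org.junit.jupiter.api.Test;
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.junit.QuarkusTestProfile;
import io.quarkus.test.junit.TestProfile;

// Case 1: the reporter's configuration -- every path permitted, default tenant off.
// Expected: the resource is served normally.
@QuarkusTest
@TestProfile(TenantDisabledPermitTest.Profile.class)
public class TenantDisabledPermitTest {

    public static class Profile implements QuarkusTestProfile {
        @Override
        public Map<String, String> getConfigOverrides() {
            return Map.of(
                "quarkus.http.auth.permission.1.paths", "/*",
                "quarkus.http.auth.permission.1.policy", "permit",
                "quarkus.oidc.enabled", "true",
                "quarkus.oidc.tenant-enabled", "false");
        }
    }

    @Test
    public void publicPathIsServedWithDefaultTenantDisabled() {
        given().when().get("/hello")
               .then().statusCode(200).body(is("hello"));
    }
}

// TenantDisabledAuthenticatedTest.java -- added regression test (not from the issue)
package org.acme;

import static io.restassured.RestAssured.given;

import java.util.Map;
import org.junit.jupiter.api.Test;
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.junit.QuarkusTestProfile;
import io.quarkus.test.junit.TestProfile;

// Case 2: same tenant switch, but the path requires authentication.
// Expected (fail closed): 401, not a 200 with an empty body.
@QuarkusTest
@TestProfile(TenantDisabledAuthenticatedTest.Profile.class)
public class TenantDisabledAuthenticatedTest {

    public static class Profile implements QuarkusTestProfile {
        @Override
        public Map<String, String> getConfigOverrides() {
            return Map.of(
                "quarkus.http.auth.permission.1.paths", "/*",
                "quarkus.http.auth.permission.1.policy", "authenticated",
                "quarkus.oidc.enabled", "true",
                "quarkus.oidc.tenant-enabled", "false");
        }
    }

    @Test
    public void protectedPathIsRejectedWithDefaultTenantDisabled() {
        given().when().get("/hello")
               .then().statusCode(401);
    }
}
```

Run with the project's usual `./mvnw test`. If the second test observes a 200 with an empty body, that is exactly the behaviour Sgitario reports above and that #10532 was opened to track; keeping the test in the suite makes the fail-closed expectation explicit instead of relying on a manual check.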

@sberyozkin
Member Author

@Sgitario Thanks, yes, I've opened #10532, please watch it. Thanks.
