Quarkus: Application using "io.quarkus.security.Authenticated" starts even if "quarkus-keycloak-authorization" is missing

Created on 17 Jan 2020 · 9 Comments · Source: quarkusio/quarkus

Describe the bug
If a REST resource is annotated with @Authenticated and clean compile quarkus:dev is run, the server will start even if the quarkus-keycloak-authorization plugin is missing.

It does show the following warning though:

2020-01-16 16:22:32,149 WARN  [io.qua.config] (main) Unrecognized configuration key "quarkus.oidc.auth-server-url" was provided; it will be ignored
2020-01-16 16:22:32,149 WARN  [io.qua.config] (main) Unrecognized configuration key "quarkus.keycloak.policy-enforcer.enable" was provided; it will be ignored
2020-01-16 16:22:32,149 WARN  [io.qua.config] (main) Unrecognized configuration key "quarkus.oidc.client-id" was provided; it will be ignored
2020-01-16 16:22:32,149 WARN  [io.qua.config] (main) Unrecognized configuration key "quarkus.oidc.credentials.secret" was provided; it will be ignored

Expected behavior
Fail fast. An error should probably be thrown?

Actual behavior
Server starts without security/auth enabled.

To Reproduce
Steps to reproduce the behavior:

  1. Clone a rest example
  2. Add the @Authenticated annotation to a resource
  3. Start the server

Configuration
N/A

Environment (please complete the following information):

  • Darwin MacBook-Pro 18.7.0 Darwin Kernel Version 18.7.0: Sat Oct 12 00:02:19 PDT 2019; root:xnu-4903.278.12~1/RELEASE_X86_64 x86_64
  • Output of java -version:
openjdk version "1.8.0_232"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_232-b09)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.232-b09, mixed mode)
  • GraalVM version (if different from Java): N/A
  • Quarkus version or git rev: 1.1.1.Final

Additional context
Perhaps this is expected, but it seems like an error to me.


All 9 comments

@evanshortiss I'm not sure it is possible to stop the application if this extension, which is only one way to meet the @Authenticated requirement, is missing.
What happens when you try to access this resource?

@sberyozkin I was able to connect to the endpoint IIRC.

@evanshortiss I think this is effectively a duplicate of #5485 given that by default the access is anonymous. Can you add in properties what is documented there in Step 2 and see if it helps?

@sberyozkin this fails with Caused by: io.quarkus.oidc.OIDCException: Application type [WEB_APP] not supported

It looks like this is not yet implemented (based on a quick look in the source code of Quarkus), but I changed to the service type from web-app and it fails fast with the error below - 👍

09:59:34,715 ERROR [io.qua.dev.DevModeMain] Failed to start Quarkus: java.lang.RuntimeException: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
    [error]: Build step io.quarkus.vertx.http.deployment.HttpSecurityProcessor#setupAuthenticationMechanisms threw an exception: java.lang.IllegalStateException: HTTP permissions have been set however security is not enabled

If you are planning to properly protect your application, you don't have to do 2 steps, only 1 step.

I would agree with this personally, but I am not a Java ecosystem person so it may be my misunderstanding.
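One way to make the failure mode described in this thread visible in CI is a regression test that fails whenever an @Authenticated resource is reachable anonymously. This is an added example, not code from the issue or from the Quarkus project; it assumes a resource annotated with @Authenticated at the hypothetical path /hello, quarkus-oidc on the classpath with quarkus.oidc.application-type=service (plus the quarkus.oidc.auth-server-url, client-id and credentials.secret keys from the report), and the quarkus-junit5 and rest-assured test dependencies used by the standard Quarkus quickstarts.

```java
// Added example (not from the issue): a regression test that fails the build
// when an @Authenticated resource is reachable without credentials, i.e. when
// the security extension is missing and the quarkus.oidc.* keys were silently
// ignored with "Unrecognized configuration key" warnings.
// Assumes a resource exposed at /hello (hypothetical path) and the service
// application type, where an unauthenticated request is answered with 401.
package org.acme;

import static io.restassured.RestAssured.given;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

@QuarkusTest
public class AuthenticatedEndpointTest {

    @Test
    public void anonymousRequestIsRejected() {
        // With @Authenticated enforced by quarkus-oidc, an unauthenticated
        // request must be refused. If the server started without security
        // (the behaviour reported above), this returns 200 and the test fails.
        given()
            .when().get("/hello")
            .then()
            .statusCode(401);
    }

    @Test
    public void malformedBearerTokenIsRejected() {
        // A token that is not a valid JWT must not be accepted either; this
        // guards against a misconfiguration that enables the mechanism but
        // does not actually verify tokens.
        given()
            .header("Authorization", "Bearer not-a-jwt")
            .when().get("/hello")
            .then()
            .statusCode(401);
    }
}
```

For the web-app application type the unauthenticated response is a redirect to the OIDC provider rather than 401, so the expected status code would need adjusting there.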

@evanshortiss thanks for trying it out. Not sure what you mean about it not being implemented, web-app is supported. Maybe there is some typo/extra space in that configuration.
But in any case, do you agree that this issue can be considered a duplicate of #5485? Maybe you can comment with your example there.
Yes, I know there is some concern that enabling the security OOB can affect too many developers so for now it will remain anonymous.

@sberyozkin the error I got seems to be here. It looks like it explicitly doesn't support web app types?

I agree it's a duplicate 👍

@evanshortiss thanks. OK, thanks, let me close this issue shortly.
Re quarkus-keycloak-authorization and web-app types, yes, it is not supported for this extension as it is mainly intended for enforcing the bearer token authorization rules using Keycloak defined policies. For web-app please use quarkus-oidc, or do you have a special requirement for the quarkus-keycloak-authorization and web-app combination?

@sberyozkin understood, I didn't realise web-app required a different extension. Thanks for the clarification and help!

@evanshortiss no problems, thanks for all the comments, let me close this issue now, reopen please (or create a new one :-) ) if needed, cheers
