Disabled proactive authentication and @testsecurity does not work

Fixes #12882

integration-tests/oidc-code-flow/pom.xml

@@ -32,6 +32,11 @@
             <artifactId>quarkus-micrometer</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-security</artifactId>
+            <scope>test</scope>
+        </dependency>
         <!-- test dependencies -->
         <dependency>
             <groupId>io.quarkus</groupId>
@@ -209,7 +214,9 @@
                                 </goals>
                                 <configuration>
                                     <systemPropertyVariables>
-                                        <native.image.path>${project.build.directory}/${project.build.finalName}-runner</native.image.path>
+                                        <native.image.path>
+                                            ${project.build.directory}/${project.build.finalName}-runner
+                                        </native.image.path>
                                     </systemPropertyVariables>
                                 </configuration>
                             </execution>

integration-tests/oidc-code-flow/src/main/java/io/quarkus/it/keycloak/ProtectedResource.java

@@ -5,6 +5,8 @@
 import javax.ws.rs.InternalServerErrorException;
 import javax.ws.rs.Path;
 import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
 
 import org.eclipse.microprofile.jwt.JsonWebToken;
 
@@ -40,6 +42,15 @@ public class ProtectedResource {
     @Inject
     RefreshToken refreshToken;
 
+    @Context
+    SecurityContext securityContext;
+
+    @GET
+    @Path("sec")
+    public String hello() {
+        return securityContext.getUserPrincipal().getName();
+    }
+
     @GET
     public String getName() {
         if (!idTokenCredential.getToken().equals(idToken.getRawToken())) {

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/TestSecurityLazyAuthTest.java

@@ -0,0 +1,23 @@
+package io.quarkus.it.keycloak;
+
+import static org.hamcrest.Matchers.is;
+
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.test.common.http.TestHTTPEndpoint;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.security.TestSecurity;
+import io.restassured.RestAssured;
+
+@QuarkusTest
+@TestHTTPEndpoint(ProtectedResource.class)
+public class TestSecurityLazyAuthTest {
+
+    @Test
+    @TestSecurity(user = "user1", roles = "viewer")
+    public void testWithDummyUser() {
+        RestAssured.when().get("sec").then()
+                .body(is("user1"));
+    }
+
+}

test-framework/security/src/main/java/io/quarkus/test/security/TestIdentityAssociation.java

@@ -26,7 +26,7 @@ public void check() {
         }
     }
 
-    SecurityIdentity testIdentity;
+    volatile SecurityIdentity testIdentity;
 
     /**
      * A request scoped delegate that allows the system to function as normal when
@@ -64,8 +64,15 @@ public Uni<SecurityIdentity> getDeferredIdentity() {
 
     @Override
     public SecurityIdentity getIdentity() {
-        if (testIdentity != null) {
-            return testIdentity;
+        //we check the underlying identity first
+        //in most cases this will have been set by the TestHttpAuthenticationMechanism
+        //this means that all the usual auth process will run, including augmentors and
+        //the identity ends up in the routing context
+        SecurityIdentity underlying = delegate.getIdentity();
+        if (underlying.isAnonymous()) {
+            if (testIdentity != null) {
+                return testIdentity;
+            }
         }
         return delegate.getIdentity();
     }