Quarkus path based authentication

[vishalgoel1988]

Describe the bug
Hi,

It seems that path based authentication policy does not work. I have following in my application.properties.
#authn
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
#allow /health/* always for probeness
quarkus.http.auth.permission.health.paths=/health/*
quarkus.http.auth.permission.health.policy=permit
quarkus.http.auth.permission.health.methods=GET
#authz/policy enforcer
#quarkus.keycloak.policy-enforcer.enable=true

When I am browsing /health/ready, it is still giving me 401. I tried many diff-2 combinations, but nothing worked out.
Though, I use policy enforcer and DISABLE /health/* in policy enforcer, it works out.

Expected behavior
/health/* should return with 200 without policy-enforcer too.

Actual behavior
/health/* returns 401

To Reproduce
Steps to reproduce the behavior:

1. Create quarkus project with quarkus-keycloak-oidc plugin.
2. Connect project to keycloak.
3. Try /health with below configs.

Configuration

# Add your application.properties here, if applicable.
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
#allow /health/* always for probeness
quarkus.http.auth.permission.health.paths=/health/*                            
quarkus.http.auth.permission.health.policy=permit
quarkus.http.auth.permission.health.methods=GET

Screenshots
(If applicable, add screenshots to help explain your problem.)

Environment (please complete the following information):

• Output of uname -a or ver:
• Output of java -version:
• GraalVM version (if different from Java):
• Quarkus version or git rev:
• Build tool (ie. output of mvnw --version or gradlew --version):

Additional context
(Add any other context about the problem here.)

[sberyozkin]

@vishalgoel1988 I think it was fixed for 1.6.0, hi Pedro @pedroigor can you check please ?

[vishalgoel1988]

Hi,

Is there any expected release time for 1.6.0?

[sberyozkin]

CR1 will be coming shortly, however I'm not 100% sure about the fix. Are you using quarkus-keycloak-authorization and would like some resources be public, /health/* etc ? If yes then I'm pretty sure it was resolved but you'd likely need to use keycloak-authorization policy, Pedro @pedroigor can confirm

[vishalgoel1988]

I have keycloak-authorization-policy in my pom, but I have disabled policy-enforcer in application.properties.
I want to allow /health/* outside of authentication. Obviously it is out of authorization as policy-enforcer is off.

[sberyozkin]

/* covers /health/*, I think a wildcard needs to be replaced with more specific path policies.
The only other alternative is for Quarkus to start sorting path expressions and come up with a path selection algorithm when multiple path expressions overlap. But the URI space is typically not unlimited for a given service endpoint. So try to avoid using a wildcard...
CC @stuartwdouglas

[vishalgoel1988]

Hi,

Acc. to https://quarkus.io/guides/security#matching-multiple-paths-longest-wins, support is already there and it should work,
Also, path can be have dynamic content, so it is not feasible to put exact path.

[sberyozkin]

@vishalgoel1988 Yeah, you are right. How do you disable the keycloak-authorization ?

[sberyozkin]

#quarkus.keycloak.policy-enforcer.enable=true does not disable it, it should be quarkus.keycloak.policy-enforcer.enable=false

[vishalgoel1988]

https://quarkus.io/guides/security-keycloak-authorization#quarkus-keycloak-keycloak-policy-enforcer-config_configuration
is quarkus.keycloak.policy-enforcer.enable not false by default?

[stuartwdouglas]

You can't really mix the policy enforcer and fine grained permissions. If you use the policy enforcer it will check every URL, so both the enforcer and the path based security will need to allow if (i.e. a deny from path based security will always deny, but an allow will still be checked by KC).

We could maybe add the options for KC to be a named security policy, so it could be used with path based auth, i.e. instead of quarkus.http.auth.permission.authenticated.policy=authenticated you would have quarkus.http.auth.permission.authenticated.policy=keycloak-policy-enforcer

I don't really know if this is a good idea though, as I thought the intention with the policy enforcer is that it controls everything.

[vishalgoel1988]

But I have policy enforcer off in my configs. Are you saying I should not even have authorization extension?

[stuartwdouglas]

#quarkus.keycloak.policy-enforcer.enable=true is not off.

[stuartwdouglas]

Oh, it is commented out.

[vishalgoel1988]

Yes exactly

[stuartwdouglas]

Do you have spaces after /health/* in your config file? I just copy/pasted for my test and it failed because it ends with a space and not a *.

[vishalgoel1988]

Urghhh....
Yes, this was the space issue. I should have seen it before. However, I think quarkus should take care of this also.
Anyway, thanks for your help.

[stuartwdouglas]

The linked pr should fix it