Quarkus Oauth2 quarkus.oauth2.enabled doesn't seem to work #10427

Closed
manodupont opened this issue Jul 2, 2020 · 26 comments · Fixed by #10937
Labels
kind/bug Something isn't working
Milestone

Comments

@manodupont

Describe the bug
Setting quarkus.oauth2.enabled=false doesn't "disable" the oauth2 features. I need to comment out my "@RolesAllowed" annotations to disable oauth verification.

Expected behavior
Setting quarkus.oauth2.enabled=false alone would disable all security "checks", so I don't need to comment out any other code lines.

Actual behavior
Setting quarkus.oauth2.enabled=false doesn't "disable" the oauth2 features. I need to comment out my "@RolesAllowed" annotations to disable oauth verification.

To Reproduce
Steps to reproduce the behavior:

  1. Set this property: quarkus.oauth2.enabled=false
  2. Add a @RolesAllowed("anything") on a route.
  3. Request this route.
  4. You will get a 403.

Environment (please complete the following information):

  • Output of uname -a or ver:
  • Output of java -version: 11
  • GraalVM version (if different from Java): --
  • Quarkus version or git rev: 1.5.2.FINAL
  • Build tool (ie. output of mvnw --version or gradlew --version): 3.6.3
@manodupont manodupont added the kind/bug Something isn't working label Jul 2, 2020
@ejba
Contributor

ejba commented Jul 2, 2020

Hi, can I try to fix this?

@geoand
Contributor

geoand commented Jul 2, 2020

@manodupont quarkus.oauth2.enabled is a build time property. That means that if you built the application with quarkus.oauth2.enabled=true (or left it out as true is the default), the setting quarkus.oauth2.enabled=false at runtime will have no effect.

Are you sure you are using it properly?

@geoand
Contributor

geoand commented Jul 2, 2020

Hi, can I try to fix this?

Let's see first if this is just a misuse issue.

@sberyozkin
Member

If the method is role protected then the RBAC layer just wants to enforce it; it does not know how the Principal was created.

@ejba
Contributor

ejba commented Jul 2, 2020

@sberyozkin I understand your point. However, it's confusing at first sight to learn what the expected behavior is when disabling the oauth2 extension and having multiple methods role protected.

At least, there should be documentation that explains in detail how Quarkus behaves in this case.
What do you think?

@manodupont
Author

Ok. But I'm more confused after all that :)

So what is setting it to false actually doing?

Sorry for my misunderstanding!

@ejba
Contributor

ejba commented Jul 2, 2020

I assume that disables oauth2 support only, not the whole RBAC layer protecting all methods.
You can have multiple authentication mechanisms activated, but you are just disabling one (oauth2). That seems to me to be the rationale behind it.

@manodupont
Author

Oh right. I didn't test that... it might be right.

Ok, well I guess it's not a bug then. Thanks!

@geoand
Contributor

geoand commented Jul 2, 2020 via email

@sberyozkin
Member

sberyozkin commented Jul 2, 2020

@ejba

However, it's confusing at first sight to learn what's the expected behavior when disabling the oauth2 extension and have multiple methods as role protected.

Right, this or any other extension dealing with authentication is only populating a SecurityIdentity. The RBAC level is in the next phase.
If one disables oauth2/etc then all that is being achieved is that no auth mechanism is available which can do something meaningful with Bearer sometoken.

I wonder though if the time has come to introduce a property like a default role (someone has suggested it already). Or have a property like disable-role-based-access-control... Or how about proactive-authorization=false, which would disable RBAC if SecurityIdentity is not available...
CC @stuartwdouglas Hi Stuart, what do you think?

@loicmathieu
Contributor

Late to the party, but yes, quarkus.oauth2.enabled=false only disables the OAuth2 security provider, not Quarkus Security in its entirety.

This is a build time property as the classical use case is to use an embedded security provider in dev/test and OAuth2 in production. As dev/test re-play build steps, it works.

I don't think there is currently a way to disable Quarkus security fully, at least it's not documented inside the Security Guide (https://quarkus.io/guides/security). If it's a legitimate use case (but it can also create a security threat to enable bypassing the security layer) maybe we should add it.

When we designed the OAuth2 extension we didn't offer a way to disable the security layer because we thought people would use an embedded provider in dev/test (via quarkus-elytron-security-properties-file for example) and OAuth2 security otherwise.

@stuartwdouglas
Member

I have implemented something here: #10487

@sberyozkin
Member

Hi @stuartwdouglas, that looks good, but I'm not sure it is related to this one; here the user would like to disable some authentication module and the authorization check at runtime.

@stuartwdouglas
Member

I thought the use case here was to disable security in testing?

@sberyozkin
Member

@manodupont, Hi, can you confirm please ?

@manodupont
Author

No, I meant at runtime too. I thought it was a single flag to turn every security and roles check "off".

@stuartwdouglas
Member

So you can do it at runtime as well, but it requires some custom code:

import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.interceptor.Interceptor;

import io.quarkus.security.spi.runtime.AuthorizationController;

// An enabled @Alternative with a @Priority takes the place of the default AuthorizationController bean
@Alternative
@Priority(Interceptor.Priority.LIBRARY_AFTER)
@ApplicationScoped
public class DisabledAuthController extends AuthorizationController {

    // Returning false switches off the RBAC checks (@RolesAllowed, @Authenticated, ...)
    @Override
    public boolean isAuthorizationEnabled() {
        return false;
    }
}

Including this bean in your application will disable security. If you want to make it configurable just make it inject a configuration property using MP config.

I am a bit hesitant about including this as a general config option, it just feels a bit dangerous.
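A configurable variant of the controller described above, added here as an example and not code from this thread or from Quarkus itself: it injects an MP Config property (the name myapp.authorization.enabled is assumed) and defaults to authorization being enabled, so a missing or mistyped property can never silently switch the checks off, and it logs a warning at startup whenever the checks are disabled. It assumes Quarkus 1.x with the javax namespace, as used in this thread.

```java
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.interceptor.Interceptor;

import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.logging.Logger;

import io.quarkus.security.spi.runtime.AuthorizationController;

// Replaces the default AuthorizationController bean, like DisabledAuthController above,
// but reads the decision from configuration instead of hard-coding "false".
@Alternative
@Priority(Interceptor.Priority.LIBRARY_AFTER)
@ApplicationScoped
public class ConfigurableAuthController extends AuthorizationController {

    private static final Logger LOG = Logger.getLogger(ConfigurableAuthController.class);

    // Property name is an assumption for this example; the default is "true" (fail closed):
    // if the property is absent, RBAC checks stay on.
    @ConfigProperty(name = "myapp.authorization.enabled", defaultValue = "true")
    boolean authorizationEnabled;

    // Make a disabled security layer visible in the logs so it cannot reach production unnoticed.
    @PostConstruct
    void reportState() {
        if (!authorizationEnabled) {
            LOG.warn("Authorization checks are DISABLED (myapp.authorization.enabled=false)");
        }
    }

    @Override
    public boolean isAuthorizationEnabled() {
        return authorizationEnabled;
    }
}
```

Setting myapp.authorization.enabled=false only in a profile such as %dev or %test keeps the production build fail-closed by default.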

@manodupont
Author

Ok, thanks everybody.

@ejba
Contributor

ejba commented Jul 9, 2020

It would be great to have this documented somewhere.
What do you think?

@sberyozkin
Member

sberyozkin commented Jul 9, 2020

I'd say so. I believe we've had a good number of similar queries, not sure where; maybe at https://quarkus.io/guides/security to start with, have a section "How to Disable Authorization". I think it should show the injection of a custom property like authorization-enabled to highlight the point Stuart made. @ejba Hi, are you Ok with doing another PR :-) ?

@ejba
Contributor

ejba commented Jul 9, 2020

Of course! :)

@sberyozkin
Member

@ejba Hi, I was planning to add this example to the open PR (to do with repurposing security.adoc) but I'm not sure what AuthorizationController is, @stuartwdouglas, can you clarify please? I can't see it in the Quarkus workspace...

@ejba
Contributor

ejba commented Jul 23, 2020

Is this the one? import io.quarkus.security.spi.runtime.AuthorizationController;

@stuartwdouglas
Member

@sberyozkin
Member

@ejba @stuartwdouglas thanks :-), not sure why I'm not seeing it, maybe because I have Eclipse workspace bugs. OK, so I'll push the update to the proposed security-customization.adoc.

@gsmet gsmet added this to the 1.7.0 - master milestone Jul 28, 2020
@abhinavg18

abhinavg18 commented Nov 9, 2020

So you can do it at runtime as well, but it requires some custom code:

@Alternative
@Priority(Interceptor.Priority.LIBRARY_AFTER)
@ApplicationScoped
public class DisabledAuthController extends AuthorizationController {

    @Override
    public boolean isAuthorizationEnabled() {
        return false;
    }
}

Including this bean in your application will disable security. If you want to make it configurable just make it inject a configuration property using MP config.

I am a bit hesitant about including this as a general config option, it just feels a bit dangerous.

After doing this, I receive the below error.

[error]: Build step io.quarkus.arc.deployment.ArcProcessor#validate threw an exception: javax.enterprise.inject.spi.DeploymentException: Found 3 deployment problems:
[1] Ambiguous dependencies for type io.quarkus.security.spi.runtime.AuthorizationController and qualifiers [@Default]
  - java member: io.quarkus.vertx.http.runtime.security.HttpAuthorizer#controller
  - declared on CLASS bean [types=[io.quarkus.vertx.http.runtime.security.HttpAuthorizer, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkus.vertx.http.runtime.security.HttpAuthorizer]
  - available beans:
    - CLASS bean [types=[io.quarkus.security.spi.runtime.AuthorizationController, org.acme.security.keycloak.authorization.DisabledAuthController, java.lang.Object], qualifiers=[@Default, @Any], target=org.acme.security.keycloak.authorization.DisabledAuthController]
    - CLASS bean [types=[io.quarkus.test.security.TestAuthController, io.quarkus.security.spi.runtime.AuthorizationController, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkus.test.security.TestAuthController]
    - CLASS bean [types=[io.quarkus.security.spi.runtime.AuthorizationController, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkus.security.spi.runtime.AuthorizationController]
[2] Ambiguous dependencies for type io.quarkus.security.spi.runtime.AuthorizationController and qualifiers [@Default]
  - java member: io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor#controller
  - declared on INTERCEPTOR bean [bindings=[@RolesAllowed(value = [""])], target=Optional[io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor]]
  - available beans:
    - CLASS bean [types=[io.quarkus.security.spi.runtime.AuthorizationController, org.acme.security.keycloak.authorization.DisabledAuthController, java.lang.Object], qualifiers=[@Default, @Any], target=org.acme.security.keycloak.authorization.DisabledAuthController]
    - CLASS bean [types=[io.quarkus.test.security.TestAuthController, io.quarkus.security.spi.runtime.AuthorizationController, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkus.test.security.TestAuthController]
    - CLASS bean [types=[io.quarkus.security.spi.runtime.AuthorizationController, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkus.security.spi.runtime.AuthorizationController]
[3] Ambiguous dependencies for type io.quarkus.security.spi.runtime.AuthorizationController and qualifiers [@Default]
  - java member: io.quarkus.security.runtime.interceptor.AuthenticatedInterceptor#controller
  - declared on INTERCEPTOR bean [bindings=[@Authenticated], target=Optional[io.quarkus.security.runtime.interceptor.AuthenticatedInterceptor]]
  - available beans:
    - CLASS bean [types=[io.quarkus.security.spi.runtime.AuthorizationController, org.acme.security.keycloak.authorization.DisabledAuthController, java.lang.Object], qualifiers=[@Default, @Any], target=org.acme.security.keycloak.authorization.DisabledAuthController]
    - CLASS bean [types=[io.quarkus.test.security.TestAuthController, io.quarkus.security.spi.runtime.AuthorizationController, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkus.test.security.TestAuthController]
    - CLASS bean [types=[io.quarkus.security.spi.runtime.AuthorizationController, java.lang.Object], qualifiers=[@Default, @Any], target=io.quarkus.security.spi.runtime.AuthorizationController]

The only change I did was to annotate a test with @TestSecurity(authorizationEnabled = false) and created a DisabledAuthController. When I do mvn clean compile install, I receive the above error that I am injecting a bean which is ambiguous.
@stuartwdouglas
