HTTP 'authenticated' policy returns HTTP 200 for empty SecurityIdentity #10532

sberyozkin · 2020-07-07T14:13:32Z

Describe the bug
This is detected by @Sgitario.

The following configuration results in HTTP 200 and the empty body being returned:

quarkus.http.auth.permission.1.paths=/*
quarkus.http.auth.permission.1.policy=authenticated
quarkus.oidc.enabled=true
quarkus.oidc.tenant-enabled=false

where quarkus-oidc returns an empty Uni SecurityIdentity and Challenge items.

Expected behavior
401 is returned since SecurityIdentity is not available.

The text was updated successfully, but these errors were encountered:

sberyozkin · 2020-07-07T14:14:51Z

Hi @stuartwdouglas Do you agree ?

Fixes quarkusio#10532

sberyozkin added kind/bug Something isn't working area/security labels Jul 7, 2020

sberyozkin mentioned this issue Jul 7, 2020

Disabled default quarkus-oidc tenant blocks access to the public resources #10343

Closed

stuartwdouglas added a commit to stuartwdouglas/quarkus that referenced this issue Jul 8, 2020

If no challenge is generated return 401

76f4a6c

Fixes quarkusio#10532

stuartwdouglas mentioned this issue Jul 8, 2020

If no challenge is generated return 401 #10542

Merged

gastaldi closed this as completed in #10542 Jul 8, 2020

sberyozkin added this to the 1.7.0 - master milestone Jul 8, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HTTP 'authenticated' policy returns HTTP 200 for empty SecurityIdentity #10532

HTTP 'authenticated' policy returns HTTP 200 for empty SecurityIdentity #10532

sberyozkin commented Jul 7, 2020

sberyozkin commented Jul 7, 2020

HTTP 'authenticated' policy returns HTTP 200 for empty SecurityIdentity #10532

HTTP 'authenticated' policy returns HTTP 200 for empty SecurityIdentity #10532

Comments

sberyozkin commented Jul 7, 2020

sberyozkin commented Jul 7, 2020