Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT authentication failure responds with Basic Auth challenge when both JWT and basic mechanisms are enabled #13363

Closed
jfrantzius opened this issue Nov 18, 2020 · 3 comments · Fixed by #16446
Closed

JWT authentication failure responds with Basic Auth challenge when both JWT and basic mechanisms are enabled #13363

jfrantzius opened this issue Nov 18, 2020 · 3 comments · Fixed by #16446
Assignees
@sberyozkin
Labels
area/oidc area/security area/smallrye kind/bug Something isn't working
Milestone
2.0.0.Alpha1

Comments

@jfrantzius
Copy link

jfrantzius commented Nov 18, 2020
edited
Loading

Describe the bug
When using quarkus-smallrye-jwt, and on authentication failure of a request, Quarkus responds with the wrong challenge www-authenticate: basic realm= ... instead of www-authenticate: Bearer {token} in the 401 response. This causes the Chrome browser to display a Basic Auth login popup on XHR requests where it shouldn't.

Expected behavior
If multiple HttpAuthenticationMechanism implementations are present, It's not entirely clear how Quarkus should know which HttpAuthenticationMechanism to use for the challenge to respond with. However, it should be possible to prevent Basic Auth from providing the challenge in the response. It should somehow be possible to get Quarkus to use io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism.getChallenge(RoutingContext).

Actual behavior
HttpAuthenticator.sendChallenge(RoutingContext) uses the first mechanism it finds
to send the challenge, and that always seems to be BasicAuthenticationMechanism.

To Reproduce
It's hard to come up with a small reproducer, because it requires some OIDC server. Maybe a custom authentication mechanism with its own getChallenge() implementation could serve to demonstrate that that never gets called.

Environment (please complete the following information):

  • Output of uname -a or ver: Linux + Mac
  • Output of java -version: openjdk version "11.0.4" 2019-07-16
  • GraalVM version (if different from Java): N/A
  • Quarkus version or git rev: 1.8.3-Final
  • Build tool (ie. output of mvnw --version or gradlew --version): Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)

Additional context
Using Keycloak as OIDC server
@jfrantzius jfrantzius added the kind/bug Something isn't working label Nov 18, 2020
@ghost
Copy link

ghost commented Nov 18, 2020

/cc @pedroigor, @sberyozkin

@sberyozkin sberyozkin self-assigned this Nov 18, 2020
@sberyozkin sberyozkin changed the title JWT authentication failure responds with Basic Auth challenge JWT authentication failure responds with Basic Auth challenge when both JWT and basic mechanisms are enabled Nov 18, 2020
@sberyozkin
Copy link
Member

I've done some work on this PR, could not fix the form+basic authentication test, so more time is needed

@jfrantzius
Copy link
Author

Anyone using OIDC will have to workaround this issue by stripping the www-authenticate: from responses, if there hopefully is an upstream proxy that can do this.

@sberyozkin sberyozkin mentioned this issue Apr 12, 2021
Merged
@quarkus-bot quarkus-bot bot added this to the 2.0 - main milestone Apr 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sberyozkin sberyozkin

Labels
area/oidc area/security area/smallrye kind/bug Something isn't working
Projects
None yet
Milestone
2.0.0.Alpha1
Development

Successfully merging a pull request may close this issue.

Do the correct challenge when more than one auth mechanism is used sberyozkin/quarkus
2 participants
@sberyozkin @jfrantzius