We are getting a 401 when keycloak policy-enforcer paths is pointing to /health

[pjgg]

Summary:

Using quarkus-keycloak-authorization extension, you could exclude some path to the Authz procedures, through these properties:

quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.health.path=/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED

However, when you are pointing to an Openshift /k8s liveness probe, you expected that this policy applies also to auto-redirect path.

curl -vvv http://127.0.0.1:8080/health
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /health HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< location: http://127.0.0.1:8080/q/health
< content-length: 0
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0

Jira Ref

[ghost]

/cc @geoand, @jmartisk, @xstefank

[gsmet]

The /health endpoint has been moved to /q/health in 1.11. That's why you see a redirect.

[rsvoboda]

I think the point is that the redirect is not "working" for quarkus.keycloak.policy-enforcer.paths.health.path
Pablo mentions "expected that this policy applies also to auto-redirect path." in the description.

Atm the end users will notice this breaking change and will have to adapt to it. The idea was that the move to /q will be transparent for users.

[gsmet]

Yeah maybe we should have a compatibility layer for that too. But that means everything security will need it as I could see a ton of apps with specific security rules for Metrics and Health.

/cc @kenfinnigan @geoand @sberyozkin @maxandersen

[sberyozkin]

I'm not sure about treating it transparently at the security level. IMHO the right solution would be to update the migration guide.
Otherwise we'd get the users who have been or started securing /q/ segments opened without them expecting it

[sberyozkin]

I think #15965 should fix it and in general there will be no need to refer to public resources such as

quarkus.keycloak.policy-enforcer.paths.health.path=/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED

since keycloak-authorization will only be acting on the resources which have already been authenticated by quarkus-oidc
CC @pedroigor

[sberyozkin]

I've updated #15965 to resolve this issue - as access to the public resources should not require any keycloak-authoriization configuration once it is merged (though http policies may have to be set to permit a public access)