
HTTP request fails with 401 if more than one IdentityProvider produced no SecurityIdentity but is allowed if a single one is used #17591

Closed
sberyozkin opened this issue Jun 1, 2021 · 2 comments · Fixed by #29479
Labels: area/security, kind/bug (Something isn't working)

Comments

@sberyozkin
Member

sberyozkin commented Jun 1, 2021

Describe the bug

Bill @patriot1burke has spotted that when a matching HttpAuthenticationMechanism requests that the request credentials be converted to a SecurityIdentity, then if only a single IdentityProvider returns null, the request is allowed to continue with an anonymous identity, despite the credentials being available - but it will fail with 401 if more than one IdentityProvider has not provided a SecurityIdentity.

Expected behavior

It has to be consistent in both cases.

And IMHO it has to be 401 because it should be a responsibility of HttpAuthenticationMechanism to decide whether a null SecurityIdentity is returned or not: if it does not recognize the credentials - return null, if it does - then it has to be converted.

Allowing the request to proceed where, for example, the provided Basic Auth credentials, with proactive authentication enabled, are represented as an anonymous identity and eventually returning 403 at the RBAC level (as opposed to 401 if the name or password are wrong) is not quite correct.

See also #17192

CC @patriot1burke @stuartwdouglas
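One mechanism-level way to get the consistent 401 the report asks for, added here as an illustration and not code from Quarkus or from the issue: a custom HttpAuthenticationMechanism (hypothetical class name StrictBasicAuthMechanism, written against Quarkus 2.x javax imports) returns null only when no Basic credentials are present, and otherwise turns a null result from the IdentityProviderManager into AuthenticationFailedException, so the outcome does not depend on how many IdentityProviders were consulted.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.PasswordCredential;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.identity.request.UsernamePasswordAuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

@ApplicationScoped
public class StrictBasicAuthMechanism implements HttpAuthenticationMechanism { // hypothetical name
    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager manager) {
        String header = context.request().getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            // No credentials this mechanism recognizes: null lets the request continue anonymously.
            return Uni.createFrom().nullItem();
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Uni.createFrom().failure(new AuthenticationFailedException()); // malformed Base64 -> 401
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return Uni.createFrom().failure(new AuthenticationFailedException()); // no user:password separator
        }
        UsernamePasswordAuthenticationRequest request = new UsernamePasswordAuthenticationRequest(
                decoded.substring(0, colon), new PasswordCredential(decoded.substring(colon + 1).toCharArray()));
        // Credentials were recognized: a null identity from the provider chain becomes 401, never anonymous.
        return manager.authenticate(request)
                .onItem().ifNull().failWith(AuthenticationFailedException::new);
    }
    @Override
    public Uni<ChallengeData> getChallenge(RoutingContext context) {
        return Uni.createFrom().item(new ChallengeData(401, "WWW-Authenticate", "Basic realm=\"quarkus\""));
    }
    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return Set.of(UsernamePasswordAuthenticationRequest.class);
    }
}
```

With this in place a request carrying Basic credentials that no IdentityProvider can resolve is rejected with 401 and the challenge header, while a request without an Authorization header still proceeds anonymously and can be stopped by RBAC with 403.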

@sberyozkin sberyozkin added the kind/bug Something isn't working label Jun 1, 2021
@sberyozkin sberyozkin changed the title HTTP request fails wit 401 if more than one IdentityProvider produced no SecurityIdentity but is allowed if a single one is used HTTP request fails with 401 if more than one IdentityProvider produced no SecurityIdentity but is allowed if a single one is used Jun 1, 2021
@sberyozkin sberyozkin self-assigned this Feb 16, 2022
@sberyozkin
Member Author

@michalvavrik Have a look at this one if it can be of interest please

@michalvavrik
Member

Will do, thank you.
