Cannot disable endpoint security and enable HTTP client credentials filter #550

Closed
LtTempletonPeck opened this issue Jan 29, 2021 · 3 comments · Fixed by #779

Comments

LtTempletonPeck commented Jan 29, 2021

I am building a native image lambda with Micronaut that is called via AWS API Gateway (APIG). Auth is handled by APIG so is not required on the app's controller. The app has a client that uses OAUTH2 client credentials to call a secured external API. I cannot find a way to disable endpoint security but enable the HTTP client filter for client credentials, ClientCredentialsHttpClientFilter.

Expected Behaviour

The following config should disable the security requirement for controllers and enable OAUTH2 client credentials for the HTTP client.

micronaut:
  http:
    services:
      myClient:
        url: 'api.abc.com'
  security:
    enabled: false
    oauth2:
      enabled: true
      clients:
        abc:
          enabled: true
          client-id: myClientId
          client-secret: myClientSecret
          scopes:
            - myScope
          client-credentials:
            enabled: true
            service-id-regex: 'myClient'
          token:
            url: 'https://login.microsoftonline.com/myAccountID/oauth2/v2.0/token'
            auth-method: client_secret_basic
          grant-type: client_credentials

Actual Behaviour

No ClientCredentialsHttpClientFilter bean is created and the abc client does not log in to https://login.microsoftonline.com/myAccountID/oauth2/v2.0/token to get the Bearer token or add it to the client request.

Environment Information

  • Operating System: linux
  • Micronaut Version: 2.3.0
  • JDK Version: 11

At the moment I am leaving security enabled and adding @Secured(SecurityRule.IS_ANONYMOUS) to the controller as a workaround.

  security:
    endpoints:
      login:
        enabled: false

sdelamo commented Feb 3, 2021

Just to be clear, you want all your controller endpoints to be open?

@njimenezotto

Hello,
I'm also interested in this feature where the endpoints of your services are not secured because AWS or GCP already gives you the security layer. However, the HTTP clients in the service that are used to call other endpoints require an access token provided by a third party.

@sdelamo sdelamo self-assigned this Sep 14, 2021
@sdelamo sdelamo added this to To do in Micronaut Developers Work Coordination via automation Sep 14, 2021
@sdelamo sdelamo moved this from To do to In progress in Micronaut Developers Work Coordination Sep 14, 2021

sdelamo commented Sep 14, 2021

An easy way to achieve this is to create a SecurityRule which allows everything.

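import io.micronaut.core.annotation.Nullable;
import io.micronaut.core.async.publisher.Publishers;
import io.micronaut.core.order.Ordered;
import io.micronaut.http.HttpRequest;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.rules.SecurityRule;
import io.micronaut.security.rules.SecurityRuleResult;
import io.micronaut.web.router.RouteMatch;
import jakarta.inject.Singleton;
import org.reactivestreams.Publisher;

@Singleton
public class PermitAllSecurityRule implements SecurityRule {
    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE; // evaluated before every other rule
    }

    // Allows every request, whatever the route or authentication state.
    @Override
    public Publisher<SecurityRuleResult> check(HttpRequest<?> request, @Nullable RouteMatch<?> routeMatch, @Nullable Authentication authentication) {
        return Publishers.just(SecurityRuleResult.ALLOWED);
    }
}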
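
A narrower variant of the rule above, added here as an example (it is not code from this thread or from Micronaut Security): it allows only routes declared on `@Controller` classes and returns `UNKNOWN` for everything else, so the remaining security rules still decide those requests. The class name `PermitControllersSecurityRule` is hypothetical, and the imports assume Micronaut 3 with the same `check` signature as in the comment above.

```java
import io.micronaut.core.annotation.Nullable;
import io.micronaut.core.async.publisher.Publishers;
import io.micronaut.core.order.Ordered;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.annotation.Controller;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.rules.SecurityRule;
import io.micronaut.security.rules.SecurityRuleResult;
import io.micronaut.web.router.MethodBasedRouteMatch;
import io.micronaut.web.router.RouteMatch;
import jakarta.inject.Singleton;
import org.reactivestreams.Publisher;

// Hypothetical class name; this rule is an illustration, not part of Micronaut Security.
@Singleton
public class PermitControllersSecurityRule implements SecurityRule {

    @Override
    public int getOrder() {
        // Same position as the permit-all rule in the thread: consulted first.
        return Ordered.HIGHEST_PRECEDENCE;
    }

    @Override
    public Publisher<SecurityRuleResult> check(HttpRequest<?> request,
                                               @Nullable RouteMatch<?> routeMatch,
                                               @Nullable Authentication authentication) {
        // Only a request that matched a method-based route can be attributed to a class.
        if (routeMatch instanceof MethodBasedRouteMatch) {
            MethodBasedRouteMatch<?, ?> methodRoute = (MethodBasedRouteMatch<?, ?>) routeMatch;
            // Open the application's own controllers, whose callers were
            // already authenticated upstream (API Gateway in the issue).
            if (methodRoute.hasAnnotation(Controller.class)) {
                return Publishers.just(SecurityRuleResult.ALLOWED);
            }
        }
        // Unmatched requests and routes not declared on a @Controller class:
        // make no decision and let the next rule in the chain evaluate them.
        return Publishers.just(SecurityRuleResult.UNKNOWN);
    }
}
```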

sdelamo added a commit that referenced this issue Sep 14, 2021
sdelamo added a commit that referenced this issue Sep 14, 2021
Micronaut Developers Work Coordination automation moved this from In progress to Done Oct 5, 2021
jameskleeh pushed a commit that referenced this issue Oct 5, 2021
* feat: SecurityFilter toggleable configurable pattern

Closes #550

* Uppercase warning