KeycloakPolicyEnforcerAuthorizer should permit if authentication is n…

…ot done by OIDC
quarkusio · Mar 23, 2021 · 90ae1ac · 90ae1ac
1 parent 206ca5f
commit 90ae1ac
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 20 deletions.
diff --git a/...ntime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java b/...ntime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java
@@ -18,11 +18,13 @@
 import org.keycloak.representations.adapters.config.AdapterConfig;
 import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
 
+import io.quarkus.oidc.AccessTokenCredential;
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.common.runtime.OidcCommonConfig.Tls.Verification;
 import io.quarkus.oidc.runtime.OidcConfig;
 import io.quarkus.runtime.TlsConfig;
 import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.credential.TokenCredential;
 import io.quarkus.security.identity.SecurityIdentity;
 import io.quarkus.security.runtime.QuarkusSecurityIdentity;
 import io.quarkus.vertx.http.runtime.HttpConfiguration;
@@ -51,7 +53,17 @@ public CheckResult apply(RoutingContext routingContext, SecurityIdentity identit
                     "Keycloak Policy Enforcer has not been initialized - please make sure 'quarkus.oidc.enabled' is not set to 'false'");
             throw new AuthenticationFailedException();
         }
-        VertxHttpFacade httpFacade = new VertxHttpFacade(routingContext, readTimeout);
+
+        TokenCredential credential = identity.getCredential(AccessTokenCredential.class);
+
+        if (credential == null) {
+            // If SecurityIdentity has been created by the authentication mechanism other than quarkus-oidc then do not block
+            // the request.
+            return CheckResult.PERMIT;
+        }
+
+        String token = credential.getToken();
+        VertxHttpFacade httpFacade = new VertxHttpFacade(routingContext, token, readTimeout);
         AuthorizationContext result = delegate.authorize(httpFacade);
 
         if (result.isGranted()) {

diff --git a/...-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/VertxHttpFacade.java b/...-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/VertxHttpFacade.java
@@ -19,11 +19,7 @@
 import org.keycloak.representations.AccessToken;
 
 import io.netty.handler.codec.http.HttpHeaderNames;
-import io.quarkus.oidc.AccessTokenCredential;
-import io.quarkus.security.credential.TokenCredential;
-import io.quarkus.security.identity.SecurityIdentity;
 import io.quarkus.vertx.http.runtime.VertxInputStream;
-import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
 import io.vertx.core.buffer.Buffer;
 import io.vertx.core.http.HttpServerRequest;
 import io.vertx.core.http.HttpServerResponse;
@@ -35,13 +31,15 @@ public class VertxHttpFacade implements OIDCHttpFacade {
     private final Response response;
     private final RoutingContext routingContext;
     private final Request request;
+    private final String token;
     private final long readTimeout;
 
-    public VertxHttpFacade(RoutingContext routingContext, long readTimeout) {
+    public VertxHttpFacade(RoutingContext routingContext, String token, long readTimeout) {
         this.routingContext = routingContext;
+        this.token = token;
         this.readTimeout = readTimeout;
-        request = createRequest(routingContext);
-        response = createResponse(routingContext);
+        this.request = createRequest(routingContext);
+        this.response = createResponse(routingContext);
     }
 
     @Override
@@ -222,18 +220,6 @@ public void end() {
 
     @Override
     public KeycloakSecurityContext getSecurityContext() {
-        SecurityIdentity identity = QuarkusHttpUser.getSecurityIdentityBlocking(routingContext, null);
-        if (identity == null) {
-            return null;
-        }
-        TokenCredential credential = identity.getCredential(AccessTokenCredential.class);
-
-        if (credential == null) {
-            return null;
-        }
-
-        String token = credential.getToken();
-
         try {
             return new KeycloakSecurityContext(token, new JWSInput(token).readJsonContent(AccessToken.class), null, null);
         } catch (JWSInputException e) {

diff --git a/...tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/ProtectedResource2.java b/...tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/ProtectedResource2.java
@@ -0,0 +1,17 @@
+package io.quarkus.it.keycloak;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+
+import io.quarkus.security.Authenticated;
+
+@Path("/api2/resource")
+@Authenticated
+public class ProtectedResource2 {
+
+    @GET
+    public String testResource() {
+        // This method must not be invoked
+        throw new RuntimeException();
+    }
+}