Make it possible to switch off Authentication on the dev environment easily #10330

Closed
MarcusBiel opened this issue Jun 29, 2020 · 8 comments
Labels
area/security kind/enhancement New feature or request
@MarcusBiel

In Micronaut, using the @Requires annotation, you can define that a mocked security filter is only active when a disable flag is set to true - this way Authentication can be active on PROD by default, but you can deactivate it on DEV to simplify testing:

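```java
// Registered only when application.disable-authentication=true; the flag defaults to false.
@Singleton
@Requires(property = "application.disable-authentication", value = "true", defaultValue = "false")
public AuthenticationFetcher mockAuthFetcher() {
    // Every request is treated as MOCK_USER with both roles.
    return new MockAuthFetcher(new MyAuthentication("MOCK_TOKEN", "MOCK_USER", Set.of(
        "User",
        "Admin"
    )));
}
```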

--
Would love to see something similar in Quarkus.

@MarcusBiel MarcusBiel added the kind/enhancement New feature or request label Jun 29, 2020
@sberyozkin
Member

Is this MockAuthFetcher shipped with the main code given the default property value is false?

@MarcusBiel
Author

MarcusBiel commented Jun 29, 2020 via email

@sberyozkin
Member

sberyozkin commented Jun 29, 2020

@MarcusBiel thanks.
Ok, as discussed in the forum, we have 2 somewhat more involved but quite functional mechanisms where no live OIDC provider connection is required, 1) use the local verification key 2) use the local test OIDC JAX-RS endpoint.
Every part of the authentication flow is customizable, but it looks like we don't have an option where we have, for example, quarkus-oidc enabled but have its identity provider mocked.
The idea above is interesting, however I'm not sure shipping the mock code with the main source will work for Quarkus.
Let's see what Stuart @stuartwdouglas says :-)
Thanks

@stuartwdouglas
Member

For HTTP you should be able to include a HttpAuthenticationMechanism (with a CDI scope) in src/test/java and this will be used by the tests to authenticate. If you just make this return a mock user then you can get the same result.
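
The approach described in the comment above, as an added example that is not code from the Quarkus project or from this thread: a test-only mechanism placed under `src/test/java` so it is never packaged with the application. It assumes a recent Quarkus 3.x API (`jakarta` namespace; the 2020-era interface differs), the class name `MockAuthenticationMechanism` is hypothetical, and the user and roles are borrowed from the Micronaut snippet in the issue.

```java
import java.util.Set;
import jakarta.enterprise.context.ApplicationScoped;

import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.runtime.QuarkusPrincipal;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

// Lives in src/test/java only: the test classpath sees it, the production artifact does not.
@ApplicationScoped
public class MockAuthenticationMechanism implements HttpAuthenticationMechanism {

    // Fixed identity with the user name and roles used in the issue's Micronaut snippet.
    private static final SecurityIdentity MOCK_IDENTITY = QuarkusSecurityIdentity.builder()
            .setPrincipal(new QuarkusPrincipal("MOCK_USER"))
            .addRole("User")
            .addRole("Admin")
            .build();

    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
        // No credential is read from the request: every call runs as the mock user.
        return Uni.createFrom().item(MOCK_IDENTITY);
    }

    @Override
    public Uni<ChallengeData> getChallenge(RoutingContext context) {
        // Fallback only; authenticate() above never yields an empty identity.
        return Uni.createFrom().item(new ChallengeData(401, null, null));
    }

    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        // No IdentityProvider is consulted, so no request types are declared.
        return Set.of();
    }

    @Override
    public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext context) {
        // This mechanism reads no header or cookie, so it reports no transport.
        return Uni.createFrom().nullItem();
    }
}
```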

@stuartwdouglas
Member

We could also add some kind of simple way to do this automatically, like an @testuser annotation that controls the user the test runs under.

@sberyozkin
Member

@stuartwdouglas and maybe @testroles...

@stuartwdouglas
Member

That would just be part of the user annotation

@sberyozkin
Member

#10487 fixes this issue (thanks to Stuart).
@MarcusBiel FYI, I'm going to close the issue, but please reopen if you feel the fix does not address your enhancement request.
Thanks

@gsmet gsmet added this to the 1.7.0 - master milestone Jul 17, 2020