New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression Issue: Secured endpoints are exposed when no token is provided using Keycloak-Authorization extension #17164
Comments
/cc @sberyozkin |
@Sgitario Interesting, |
@Sgitario See this PR. CC @pedroigor |
@sberyozkin this is the resource that the test is consuming: https://github.com/Sgitario/quarkus-examples/blob/main/quarkus-keycloak-authz/src/main/java/io/quarkus/qe/UserResource.java As you can see, no |
@Sgitario OK, you linked to it above :-). I agree this change is important - but I also think it has to be It has to be made clear in the docs that You were seeing |
I can confirm that adding |
@Sgitario Thanks, I'll keep this issue open until I'll update the keycloak-authorization docs with a few clarifications (and will update the migration guide alongside it) |
@Sgitario If you'd like you can also add something like
and verify it is blocked even without |
Never mind - Authentication is a pre-requisite |
I'll check if it is consistent with the way HTTP configuration policies are enforced (ex, if the policy is |
@sberyozkin this sounds like a pretty major bug. If there is a policy in effect it should not be skipped because the user in not authenticated. |
@stuartwdouglas there is no policy in effect in this case - it is a no token access to a public resource with no policy around this public resource - so I've opened a linked PR to ensure a policy, if provided, is effective for anonymous requests. |
@stuartwdouglas I'm also about to add a test to that PR to verify that if a token is provided then if it is a proactive authentication then KC authz will reject the call unless the public access is allowed |
@stuartwdouglas the fact |
@sberyozkin to sum up, using the keycloak-authz extension, we need to explicitly define the policies for the resources which is the major change as from now on, when no explicit policies about the resources, all the resources are considered public, right? However, the behaviour we were observing is:
When it should be:
Can you confirm the above for further clarification? |
Sorry, missed this last comment, let me check |
Absolutely not. Your test uses a public endpoint, not requiring any authentication, and no policies set up. Your description is not a precise observation of the problem - it is presented as if a secured endpoint access is now broken, but it is based on the earlier wrong KC Authz behaviour - where simply having it enabled blocks things - and this is not correct. Does it make clearer ? |
To sum up - if the token is provided then keycloak-authorization, with the proactive authentication will always check it - irrespective of whether the endpoint requires authentication or not. If the token is not provided:
|
Thanks for the clarification! |
Hi @Sgitario No problems at all, let me close this issue now - please reopen as soon as you have some concerns or observer it differently but I'm 99.9% confident you will confirm the above is true with your own tests - it is all tested now in |
@Sgitario Hey Jose, I've decided to reopen it as it appears that some uncertainty still persists around it and I don't want to give an impression I'd just like to move on past the real issue :-). I'd like to add more clarity here and give QE more time to test/verify the above summary and challenge it. So as we've already touched on it a few times above, the only difference you can now observe with As I've already said, IMHO it was actually a bug that by simply enabling a Here is an OIDC Code Flow test - where a public resource is accessed with See the difference ?
Only applies to the anonymous access to the endpoint which has been set up as a public resource. Now, exactly the same it is done for HTTP policies, if one needs to block an access in such case then an enforcing policy should be created for this resource - but I'd recommend to use HTTP policies for it as Please remember I have to admit I'm also finding counter-intuitive that by just enabling But what I'd like to do is to check as part of this issue discussion is how Thanks |
Note that with However - the important point is that, as mentioned earlier above, is that in So, in
|
Will close this issue again since Jose has confirmed we are are in agreement. I'll update the migration guide first and then will close it. We will reopen it if there will be some more questions/uncertainties. |
Added a short note at https://github.com/quarkusio/quarkus/wiki/Migration-Guide-2.0, with the docs also updated in the earlier PR |
Describe the bug
Given a secured endpoint
When we call this endpoint using a invalid token
Then it returns forbidden as expected
When we call this endpoint using a valid token
Then it returns OK as expected
When we call this endpoint with no token
Then it returns OK when it should return 404
We are using the next Quarkus extensions:
To Reproduce
Steps to reproduce the behavior:
https://github.com/Sgitario/quarkus-examples
quarkus-examples/quarkus-keycloak-authz
All the tests should pass, but this test is failing
UserResourceTest.noUser_userResource
:Configuration
Environment (please complete the following information):
Quarkus version or git rev
It worked with
1.13.3.Final
, but started failing with2.0.0.Alpha1
and2.0.0.Alpha2
. Using the latest version in Main, it also fails.The text was updated successfully, but these errors were encountered: