OIDC fails with 401 if no custom claim containing the roles is found #20694
Comments
/cc @pedroigor
Steps to reproduce:
Try to sign in as A.
Actual behavior:
Try to sign in as B.
Actual behavior:
Note the workaround exists, a custom
Thanks for fixing it so quickly :)
Describe the bug
If `quarkus.oidc.roles.role-claim-path` points to a custom claim, e.g. `quarkus.oidc.roles.role-claim-path=roles`, and the token has no matching claim, then an exception is thrown when the token is verified, and because the authorization checks have not started yet, 401 is reported. See https://quarkusio.zulipchat.com/#narrow/stream/187030-users/topic/Client.20gets.20401.20after.20OIDC.20auth.20with.20Azure.20AD
This is confusing but also unnecessary: nothing fails if no default `groups` claim is found, or, in the case of Keycloak, if no Keycloak-specific claims are found. Furthermore, some Azure clients may have no roles set, so for all such clients 401 will be reported even if no RBAC is enforced.
Expected behavior
In this case only a debug message saying that no custom claim exists should be logged. And if the authorization checks are required, then a correct 403 will be reported in such cases.
Actual behavior
No response
How to Reproduce?
No response
Output of `uname -a` or `ver`
No response
Output of `java -version`
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
No response
Build tool (ie. output of `mvnw --version` or `gradlew --version`)
No response
Additional information
No response
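The 401-versus-403 distinction the issue asks for, shown as an added standalone Python example (this is not Quarkus code and not the reporter's code). It models the claim-path lookup with a `/`-separated path of JSON object names, which mirrors the documented `quarkus.oidc.roles.role-claim-path` form but is an assumption of this sketch, and the helper names `resolve_roles`, `resolve_roles_strict` and `handle_request` and the three sample claim sets are invented for the illustration. `resolve_roles_strict` reproduces the failing behaviour (a missing custom claim escapes as an exception during verification and surfaces as 401), while `resolve_roles` treats a missing claim as "no roles" so that only the authorization step decides between 200 and 403:

```python
from typing import Any, Dict, List, Optional

# Constructed sample claim sets, as a resource server sees them after the
# token's signature and expiry have already been verified.
TOKEN_WITH_CUSTOM_ROLES = {"sub": "A", "roles": ["admin", "user"]}
TOKEN_WITHOUT_ROLES = {"sub": "B"}  # e.g. an Azure AD client with no app roles assigned
TOKEN_KEYCLOAK = {"sub": "C", "realm_access": {"roles": ["user"]}}


class ClaimNotFound(Exception):
    """Raised by the strict lookup when a path segment is missing."""


def _walk(claims: Dict[str, Any], path: str) -> Any:
    """Follow a '/'-separated path of JSON object names from the top-level claim set
    (assumed convention for this example)."""
    node: Any = claims
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            raise ClaimNotFound(path)
        node = node[segment]
    return node


def _as_role_list(value: Any) -> List[str]:
    """Accept a JSON array of roles or a space/comma separated string (assumption)."""
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, str):
        return [r for r in value.replace(",", " ").split() if r]
    raise ValueError("roles claim must be an array or a string")


def resolve_roles_strict(claims: Dict[str, Any], path: str) -> List[str]:
    """The failing behaviour: a missing custom claim propagates as an exception."""
    return _as_role_list(_walk(claims, path))


def resolve_roles(claims: Dict[str, Any], path: str) -> List[str]:
    """The expected behaviour: a missing claim means 'no roles', logged at debug level."""
    try:
        return _as_role_list(_walk(claims, path))
    except ClaimNotFound:
        print(f"DEBUG: no claim at path '{path}' in token for {claims.get('sub')}")
        return []


def handle_request(claims: Optional[Dict[str, Any]], role_claim_path: str,
                   required_roles: List[str], strict: bool = False) -> int:
    """Return the HTTP status the resource would answer with (hypothetical helper).

    claims=None stands for a token that failed verification (401). Once the
    token is verified, the only remaining question is authorization: 403 when
    none of the required roles is present, otherwise 200. With strict=True the
    missing-claim exception is raised inside the verification step and is
    reported as 401, which is the bug described in the issue.
    """
    if claims is None:
        return 401
    try:
        roles = (resolve_roles_strict if strict else resolve_roles)(claims, role_claim_path)
    except ClaimNotFound:
        return 401  # verification step failed, so authorization never ran
    if required_roles and not set(required_roles) & set(roles):
        return 403
    return 200


if __name__ == "__main__":
    print(handle_request(TOKEN_WITHOUT_ROLES, "roles", [], strict=True))  # 401: the bug
    print(handle_request(TOKEN_WITHOUT_ROLES, "roles", []))               # 200: no RBAC enforced
    print(handle_request(TOKEN_WITHOUT_ROLES, "roles", ["admin"]))        # 403: correct denial
    print(handle_request(TOKEN_WITH_CUSTOM_ROLES, "roles", ["admin"]))    # 200
    print(resolve_roles(TOKEN_KEYCLOAK, "realm_access/roles"))           # ['user']
```

The point of the split is that a verified token with no roles claim is an authorization fact, not an authentication failure: the strict variant turns user B into a 401 even on an endpoint with no `@RolesAllowed`, while the lenient variant lets unprotected endpoints succeed and reserves 403 for endpoints that actually require a role.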