
OIDC fails with 401 if no custom claim containing the roles is found #20694

Closed
sberyozkin opened this issue Oct 12, 2021 · 4 comments · Fixed by #20697
Labels
area/oidc kind/bug Something isn't working
Comments

@sberyozkin
Member

sberyozkin commented Oct 12, 2021

Describe the bug

If quarkus.oidc.roles.role-claim-path points to a custom claim, e.g. quarkus.oidc.roles.role-claim-path=roles, and the token has no matching claim, then an exception is thrown when the token is verified; hence the authorization checks have not started yet and 401 is reported.

See https://quarkusio.zulipchat.com/#narrow/stream/187030-users/topic/Client.20gets.20401.20after.20OIDC.20auth.20with.20Azure.20AD

This is confusing but also unnecessary: nothing fails if no default claim (groups) is found or, in the case of Keycloak, if no Keycloak-specific claims are found.

Furthermore, some Azure clients may have no roles set, so for all such clients 401 will be reported even if no RBAC is enforced.

Expected behavior

In this case only a debug message saying that no custom claim exists should be logged. And if the authorization checks are required then a correct 403 will be reported in such cases.

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@sberyozkin sberyozkin added kind/bug Something isn't working area/oidc labels Oct 12, 2021
@quarkus-bot

quarkus-bot bot commented Oct 12, 2021

/cc @pedroigor

@sberyozkin sberyozkin self-assigned this Oct 12, 2021
@oven

oven commented Oct 12, 2021

Steps to reproduce:

  • Create a Quarkus application with OpenID Connect and Resteasy Qute https://code.quarkus.io/?g=no.kantega&a=quarkus-ad&e=resteasy&e=resteasy-qute&e=oidc
  • In Azure AD:
    • Register the application with Azure AD
    • Navigate to App Registrations > Your App > App roles, add a role by selecting Create App Role.
    • Create two users, A and B
    • Navigate to Enterprise Applications > Your App > Assign users and groups
    • Add user A to the role you created above. Do not add B to any roles.
  • In application.properties, set:
    • quarkus.oidc.client-id=<client id>
    • quarkus.oidc.auth-server-url=https://login.microsoftonline.com/<tenant id>/v2.0
    • quarkus.oidc.application-type=web_app
    • quarkus.oidc.roles.role-claim-path=roles <-- this is the critical part, telling Quarkus OIDC where MS Azure puts its roles.
  • In SomePage, add @Authenticated, and @Inject SecurityIdentity identity. Add identity to the returned template data.
  • In page.qute.html, add Roles: {identity.roles}
  • Start mvn quarkus:dev
  • Navigate to http://localhost:8080/some-page
  • You should be redirected to Azure AD for authentication, and returned to the application eventually.

Try to sign in as A.
Expected behavior:

  • /some-page displays a list of roles.

Actual behavior:

  • Same as expected.

Try to sign in as B.
Expected behavior:

  • /some-page displays an empty list of roles

Actual behavior:

  • The server returns 401 Unauthorized
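The status-code difference behind this report (401 from token verification versus 403 from authorization) can be shown with a small model of the role-extraction step. The following Python is an added example written for this page; it is not Quarkus code and does not use the Quarkus API. It assumes the '/'-separated claim-path syntax of quarkus.oidc.roles.role-claim-path (e.g. roles or realm_access/roles), uses constructed, unsigned sample tokens standing in for users A and B, and treats signature verification as already done. The "before fix" extractor raises during verification when the custom claim is missing; the "after fix" extractor logs at debug level and returns an empty role set so that the authorization check decides the outcome.

```python
import base64
import json
import logging

log = logging.getLogger("oidc-roles-demo")


class AuthenticationFailed(Exception):
    """Raised while the token is being verified; the server answers 401."""


def make_unsigned_token(payload):
    """Build a constructed, UNSIGNED compact JWT ('header.payload.') for the demo.

    Real tokens are signed and must be verified; this helper exists only so the
    example runs offline without an Azure AD or Keycloak tenant.
    """
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64url({"alg": "none", "typ": "JWT"}) + "." + b64url(payload) + "."


def decode_payload(token):
    """Return the claims of a compact JWT. Signature checking is assumed to have
    happened already (it is not what this issue is about)."""
    try:
        seg = token.split(".")[1]
        seg += "=" * (-len(seg) % 4)          # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(seg))
    except (IndexError, ValueError) as e:
        raise AuthenticationFailed("malformed token") from e


def resolve_claim_path(claims, path):
    """Walk a '/'-separated claim path (e.g. 'roles' or 'realm_access/roles')
    from the top-level JSON object; return None if any segment is missing."""
    node = claims
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def _to_role_set(value, path):
    if isinstance(value, list):
        return set(value)
    if isinstance(value, str):             # assumption: space-separated string form
        return set(value.split())
    raise AuthenticationFailed(f"claim '{path}' is neither an array nor a string")


def extract_roles_before_fix(claims, role_claim_path):
    """Behaviour reported in the issue: a missing custom claim aborts token
    verification, so the request never reaches the authorization step."""
    value = resolve_claim_path(claims, role_claim_path)
    if value is None:
        raise AuthenticationFailed(f"no claim at '{role_claim_path}'")
    return _to_role_set(value, role_claim_path)


def extract_roles_after_fix(claims, role_claim_path):
    """Expected behaviour: log at debug level and give the identity no roles;
    whether that matters is decided later by authorization."""
    value = resolve_claim_path(claims, role_claim_path)
    if value is None:
        log.debug("no roles claim at path '%s'; identity gets no roles", role_claim_path)
        return set()
    return _to_role_set(value, role_claim_path)


def handle_request(token, role_claim_path, required_roles, extract_roles):
    """Simulate one request: authenticate (401 on failure), then authorize
    (403 on failure). Returns the HTTP status an endpoint would produce."""
    try:
        claims = decode_payload(token)
        roles = extract_roles(claims, role_claim_path)
    except AuthenticationFailed as e:
        log.info("authentication failed: %s", e)
        return 401
    if required_roles and not (roles & set(required_roles)):
        return 403
    return 200


# Constructed sample tokens mirroring the two Azure AD users in the report.
TOKEN_USER_A = make_unsigned_token({"sub": "user-a", "roles": ["Reader"]})
TOKEN_USER_B = make_unsigned_token({"sub": "user-b"})                 # no roles claim
TOKEN_KEYCLOAK = make_unsigned_token({"sub": "kc", "realm_access": {"roles": ["admin"]}})

if __name__ == "__main__":
    for name, extractor in (("before fix", extract_roles_before_fix),
                            ("after fix", extract_roles_after_fix)):
        print(name, "- user B on an @Authenticated-only page:",
              handle_request(TOKEN_USER_B, "roles", [], extractor))
```

With an endpoint that only requires authentication (required_roles empty), user B gets 401 from the pre-fix extractor and 200 from the fixed one; once a role is actually required, the fixed path yields 403 for B and 200 for A, which is the distinction the issue asks for.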

@sberyozkin
Member Author

Note that a workaround exists: a custom SecurityIdentityAugmentor will need to be registered, where the roles will be checked instead.

@oven

oven commented Oct 14, 2021

Thanks for fixing it so quickly :)

4 participants