KeycloakPolicyEnforcerAuthorizer should permit if authentication is not done by OIDC #15965
Conversation
90ae1ac to 85fb731
I forgot Keycloak tests were also enabled for the extension itself - so fixed them too. So if we have And if we have a combination like So I'd not be worried about a minor inconsistency about the status in one of the
Hi Pedro @pedroigor thanks - let's keep an eye on this specific case, we can easily tune if needed
85fb731 to 67f148f
Have resolved the conflict, will wait till tomorrow in case @stuartwdouglas has some comments
@pedroigor
@pedroigor Makes sense. That flag is used within the policy enforcer to only ignore authorization checks. I can check this better to make sure it won't have any negative impact.
@pedroigor thanks, we can keep it for now for sure - let me merge this one a bit later today as this update is sensitive enough on its own :-), and I'll open another issue to discuss this property - as it would require some doc updates, etc
@pedroigor We probably still need it if I understand you correctly - as we may have a case where
@pedroigor Yeah, for example:
here the token is used - but without a root (
67f148f to 45ddbfa
@pedroigor, I've updated
Merging now...
Fixes #15988.
Fixes #14619.
The user reported that when both `Basic` and `OIDC` (plus `keycloak-authorization`) mechanisms are enabled, when the user authenticates with the basic credentials the request is denied - because `keycloak-authorization` is trying to enforce its rules.

So I've updated the code a bit to return `PERMIT` if no `AccessTokenCredential` is available (which also avoids a blocking `SecurityIdentity` check).

I was confused a bit when I got `policyEnforcerTest.testPathConfigurationPrecedenceWhenPathCacheNotDefined` failing - it was expecting `401` and with my updates it started getting `404`.

I've looked into it and saw that since `api2/resource` had an enforcing mode, with the `main` branch code it is 401 because `KeycloakPolicyEnforcerAuthorizer` itself is checking if the token is available and if not - denies the request. However `api2/resource` did not actually exist as the test endpoint resource - and checking the token itself is what `quarkus-oidc` does - so I've added `ProtectedResource2` which requires an authenticated access to `/api2/resource`, which makes sure the test gets its `401`.

@pedroigor does it look correct?
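The decision the PR description lays out, sketched as an added example rather than Quarkus's own `KeycloakPolicyEnforcerAuthorizer`: an `HttpSecurityPolicy` that returns `PERMIT` when the `SecurityIdentity` carries no `AccessTokenCredential` (Basic-authenticated or anonymous requests are left to the authentication layer and to the other configured policies), and evaluates Keycloak permissions only when a bearer token is present. The `TokenPermissionEvaluator` interface standing in for the Keycloak policy enforcer is hypothetical; the Quarkus types are assumed from its public API.

```java
// Added illustration, not code from the Quarkus project. It shows the abstain-when-no-token
// behaviour described in the PR: the enforcer only evaluates identities that were established
// with an OIDC access token. TokenPermissionEvaluator is a hypothetical stand-in for the
// Keycloak PolicyEnforcer call.
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;

@ApplicationScoped
public class TokenAwareEnforcerPolicy implements HttpSecurityPolicy {

    /** Hypothetical collaborator: asks Keycloak whether the token may access path with method. */
    public interface TokenPermissionEvaluator {
        Uni<Boolean> isAllowed(String path, String method, String rawAccessToken);
    }

    @Inject
    TokenPermissionEvaluator evaluator;

    @Override
    public Uni<CheckResult> checkPermission(RoutingContext request, Uni<SecurityIdentity> identity,
            AuthorizationRequestContext requestContext) {
        return identity.flatMap(id -> {
            // Anonymous identities and identities produced by another mechanism (e.g. Basic)
            // carry no access token. The enforcer cannot evaluate Keycloak permissions for them,
            // so it abstains. PERMIT here does not grant access by itself: the endpoint's own
            // authentication requirement (401 from quarkus-oidc / basic) and any other configured
            // HttpSecurityPolicy still apply, because Quarkus denies if any policy denies.
            AccessTokenCredential token = id.getCredential(AccessTokenCredential.class);
            if (token == null) {
                return Uni.createFrom().item(CheckResult.PERMIT);
            }
            // Bearer-token identity: evaluate the Keycloak resource permissions for this request.
            return evaluator
                    .isAllowed(request.normalizedPath(), request.request().method().name(),
                            token.getToken())
                    .map(allowed -> allowed ? CheckResult.PERMIT : CheckResult.DENY);
        });
    }
}
```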