quarkus: Quarkus Oauth2 quarkus.oauth2.enabled doesn't seem to work

Describe the bug Setting this quarkus.oauth2.enabled=false doesn't "disable" the oauth2 features. I need to comment out my annotations about "@RolesAllowed" to disable oauth verification.

Expected behavior Setting this quarkus.oauth2.enabled=false only, would make all security "checks" disabled so I don't need to comment out any other code lines.

Actual behavior Setting this quarkus.oauth2.enabled=false doesn't "disable" the oauth2 features. I need to comment out my annotations about "@RolesAllowed" to disable oauth verification.

To Reproduce Steps to reproduce the behavior:

  1. Set this property: quarkus.oauth2.enabled=false
  2. Add a @RolesAllowed("anything") on a route.
  3. Request this route.
  4. You will get a 403.

Environment (please complete the following information):

  • Output of uname -a or ver:
  • Output of java -version: 11
  • GraalVM version (if different from Java): –
  • Quarkus version or git rev: 1.5.2.FINAL
  • Build tool (ie. output of mvnw --version or gradlew --version): 3.6.3

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 26 (21 by maintainers)

Most upvoted comments

Of course! 😃

I’d say so, I believe we’ve had a good number of similar queries, not sure where, maybe at https://quarkus.io/guides/security to start with, have a section How to Disable Authorization. I think it should show the injection of the custom property like authorization-enabled to highlight the point Stuart made. @ejba Hi, are you OK with doing another PR 😃?

So you can do it at runtime as well, but it requires some custom code:

import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.interceptor.Interceptor;

import io.quarkus.security.spi.runtime.AuthorizationController;

// Alternative bean that overrides Quarkus' default AuthorizationController;
// the LIBRARY_AFTER priority makes it win over the built-in implementation.
@Alternative
@Priority(Interceptor.Priority.LIBRARY_AFTER)
@ApplicationScoped
public class DisabledAuthController extends AuthorizationController {

    // Returning false turns off @RolesAllowed and other RBAC checks globally.
    @Override
    public boolean isAuthorizationEnabled() {
        return false;
    }
}

Including this bean in your application will disable security. If you want to make it configurable just make it inject a configuration property using MP config.

I am a bit hesitant about including this as a general config option, it just feels a bit dangerous.
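The configurable variant described above (inject an MP Config property instead of hard-coding false), written as an added example rather than code from the thread or from Quarkus itself. The property name app.authorization.enabled and the package are assumptions; the default of true keeps @RolesAllowed enforced unless the property is set explicitly.

```java
package org.acme.security; // hypothetical package

import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.interceptor.Interceptor;

import org.eclipse.microprofile.config.inject.ConfigProperty;

import io.quarkus.security.spi.runtime.AuthorizationController;

// Same alternative-bean mechanism as Stuart's DisabledAuthController, but the
// on/off decision comes from configuration at runtime instead of being fixed.
@Alternative
@Priority(Interceptor.Priority.LIBRARY_AFTER)
@ApplicationScoped
public class ConfigurableAuthController extends AuthorizationController {

    // Assumed property name. defaultValue = "true" means that an unset or
    // mistyped property leaves RBAC active; only an explicit "false" disables it.
    // Example application.properties (constructed):
    //   %dev.app.authorization.enabled=false
    // scopes the switch to the dev profile so a prod build never ships with
    // authorization off unless someone sets it deliberately.
    @ConfigProperty(name = "app.authorization.enabled", defaultValue = "true")
    boolean authorizationEnabled;

    @Override
    public boolean isAuthorizationEnabled() {
        return authorizationEnabled;
    }
}
```

With this bean present, a @RolesAllowed route returns 403 as before while the property is unset or true, and is served without a role check only when it is false for the active profile.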

@ejba

However, it’s confusing at first sight to learn what’s the expected behavior when disabling the oauth2 extension and have multiple methods as role protected.

Right, this or any other extension dealing with the authentication is only populating a SecurityIdentity. RBAC level is in the next phase. If one disables oauth2/etc then all that is being achieved is that no auth mechanism is available which can do something meaningful with Bearer sometoken.

I wonder though if the time has come to introduce a property like a default role (someone has suggested it already). Or have a property like disable-role-based-access-control… Or how about proactive-authorization=false which will disable RBAC if SecurityIdentity is not available…
CC @stuartwdouglas Hi Stuart, what do you think?

Hi, can I try to fix this?

Let’s see first if this is just a misuse issue