quarkus: Regression Issue: Secured endpoints are exposed when no token is provided using Keycloak-Authorization extension

Describe the bug

Given a secured endpoint
When we call this endpoint using an invalid token
Then it returns forbidden as expected
When we call this endpoint using a valid token
Then it returns OK as expected
When we call this endpoint with no token
Then it returns OK when it should return 404

We are using the following Quarkus extension:

<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-keycloak-authorization</artifactId>
</dependency>

To Reproduce

Steps to reproduce the behavior:

  1. git clone https://github.com/Sgitario/quarkus-examples
  2. cd quarkus-examples/quarkus-keycloak-authz
  3. mvn clean verify

All the tests should pass, but this test is failing UserResourceTest.noUser_userResource:

[ERROR] Failures: 
[ERROR]   UserResourceTest.noUser_userResource:76 1 expectation failed.
Expected status code <401> but was <200>.

Configuration

quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/test-realm
quarkus.oidc.client-id=test-application-client
quarkus.oidc.credentials.secret=test-application-client-secret

quarkus.keycloak.policy-enforcer.enable=true
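The regression described in this issue is easiest to pin down with a test that exercises all three cases (no token, invalid token, valid token) against the same secured path, so that a silent "anonymous request passes the policy enforcer" change fails the build. The test below is an added example written for this issue; it is not the code from the linked Sgitario/quarkus-examples repository and it is not `UserResourceTest`. It assumes the Keycloak URL, client id and client secret from the configuration above; the secured path `/api/users/me`, the `org.acme` package and the test user credentials are placeholders that must be replaced with values from the actual realm.

```java
package org.acme; // assumed package name

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.is;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

/**
 * Regression test for the policy-enforcer bypass: a request with no bearer
 * token must be rejected, not treated as an authenticated user.
 */
@QuarkusTest
public class SecuredEndpointRegressionTest {

    // Values taken from the issue's application.properties.
    private static final String AUTH_SERVER_URL =
            "http://localhost:8180/auth/realms/test-realm";
    private static final String CLIENT_ID = "test-application-client";
    private static final String CLIENT_SECRET = "test-application-client-secret";

    // Placeholders: the issue does not list a test user or the secured path.
    private static final String TEST_USER = "<test-user>";
    private static final String TEST_PASSWORD = "<test-password>";
    private static final String SECURED_PATH = "/api/users/me";

    /** Obtains an access token from Keycloak with the resource-owner password grant. */
    private static String obtainAccessToken() {
        return given()
                .param("grant_type", "password")
                .param("client_id", CLIENT_ID)
                .param("client_secret", CLIENT_SECRET)
                .param("username", TEST_USER)
                .param("password", TEST_PASSWORD)
                .when()
                .post(AUTH_SERVER_URL + "/protocol/openid-connect/token")
                .then()
                .statusCode(200)
                .extract()
                .path("access_token");
    }

    /** The case this issue is about: no Authorization header at all. */
    @Test
    public void noToken_isRejectedWith401() {
        given()
                .when().get(SECURED_PATH)
                .then().statusCode(401);
    }

    /** A syntactically bogus token must never reach the resource. */
    @Test
    public void invalidToken_isRejected() {
        given()
                .auth().oauth2("not-a-valid-jwt")
                .when().get(SECURED_PATH)
                // The issue reports 403 for this case; 401 is the other
                // rejection status Quarkus OIDC may return. Either means
                // the request did not reach the resource method.
                .then().statusCode(anyOf(is(401), is(403)));
    }

    /** Sanity check that the policy enforcer still admits a real token. */
    @Test
    public void validToken_isAccepted() {
        given()
                .auth().oauth2(obtainAccessToken())
                .when().get(SECURED_PATH)
                .then().statusCode(200);
    }
}
```

Run it with `mvn clean verify` alongside a Keycloak instance listening on port 8180 with the `test-realm` realm imported; on the affected 2.0.0.Alpha versions the `noToken_isRejectedWith401` case fails with the same "Expected status code <401> but was <200>" message shown in the report above.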

Environment (please complete the following information):

Quarkus version or git rev

It worked with 1.13.3.Final, but started failing with 2.0.0.Alpha1 and 2.0.0.Alpha2. Using the latest version in Main, it also fails.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 24 (23 by maintainers)

Most upvoted comments

@sberyozkin this sounds like a pretty major bug. If there is a policy in effect it should not be skipped because the user is not authenticated.