quarkus: Selecting OIDC tenant via annotation is not working with RESTEasy Reactive

Describe the bug

According to OIDC docs, one can select OIDC tenant via annotation as follows:

@Inherited
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
public @interface HrTenant {
}

@Interceptor
@HrTenant
public class HrTenantInterceptor {
    @Inject
    RoutingContext routingContext;

    @AroundInvoke
    Object setTenant(InvocationContext context) throws Exception {
        routingContext.put(OidcUtils.TENANT_ID_ATTRIBUTE, "hr");
        return context.proceed();
    }
}

@Path("/hr")
public class HrResource {

    @HrTenant
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String helloWorld() {
        return "Hello World";
    }
}

Expected behavior

Authentication of /hr endpoint should be based on quarkus.oidc.hr.* configs.

Actual behavior

Authentication of /hr endpoint uses the default tenant configs quarkus.oidc.* as authentication is triggered before HrTenantInterceptor, hence the authentication fails.

Quarkus version or git rev

3.2.0.Final

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Comments: 37 (36 by maintainers)

Most upvoted comments

I think I found bit more generic solution in mind, because ability to connect method to request when proactive=false (and RR started processing request) will help us in the future as well. I’ll take my time and look when possible. Thanks for feedback.

+1
michalvavrik on Jul 14, 2023

Hey @michalvavrik Sorry, missed it, for the annotation based tenant id resolution it would not be a problem at all, it being called multiple times. Note if it were TenantResolver (which can check request for some headers/queries) or TenantConfigResolver (likewise - when creating OIDC config dynamically) it would be a problem - we actually have tests verifying a given TenantResolver and TenantConfigResolver is called only once, but for annotation based approach it is just a value - this security check should be able to have RoutingContext injected to be able to set the tenant id on it

+1
sberyozkin on Jul 14, 2023

What I’m not sure about is how you’d do it at the Resteasy Reactive level given that it is an OIDC specific feature, setting its tenant identifiers. The reason it works (at least for classic) with CDI interceptors is they are CDI Interceptor is feature neutral…

I don’t have answer for that - I’m wondering about that as well. Only thing that is clear to me is that at this very point https://github.com/quarkusio/quarkus/blob/65ca2dbf179846a09957e297cfc6f8d7b6c3262c/extensions/resteasy-reactive/quarkus-resteasy-reactive/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler.java#L72 (or little later) we have knowledge of method annotation but security checks didn’t run yet, so we can do there something.

Or, may be we just say, implement RR ServerHandler or something like that… OK, I’ll keep quiet now 😃

I will think, bring suggestions if you have them 😃

+1
michalvavrik on Jul 13, 2023

Thanks Michal

+1
sberyozkin on Jul 13, 2023

@Eng-Fouad can you confirm you are using RESTEasy Reactive?

That’s correct. I am using RESTEasy Reactive:

implementation(“io.quarkus:quarkus-resteasy-reactive-jackson”)

+1
Eng-Fouad on Jul 13, 2023

@Eng-Fouad I’ve opened a PR which will fix this issue - but please reopen it if it will be merged before you get a chance to double check, and provide a reproducer, thanks

+1
sberyozkin on Jul 12, 2023
Read more comments on GitHub
← quarkus: SecurityExceptions thrown in Panache Before/After Listeners result in Internal Server errors
quarkus: Server fails receiving large data over http/2 →