-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC multi-tenancy @Tenant annotation not selecting tenant #37485
Comments
/cc @pedroigor (oidc), @sberyozkin (oidc) |
@RKaczmarek It is only effective when the proactive authentication is disabled, see the info fragment at https://quarkus.io/guides/security-openid-connect-multitenancy#annotations-tenant-resolver ? Do you have it disabled ? |
Yes, proactive authentication is disabled. Explicitly not using a TenantResolver or TenantConfigResolver. |
I believe you, but your reproducer, citing |
hah @RKaczmarek , I have an idea, are you using some HTTP Security policies like |
Yes. quarkus.oidc.enabled = true
quarkus.oidc.token.allow-jwt-introspection = false
quarkus.oidc.token.allow-opaque-token-introspection = false
quarkus.http.auth.basic = true
quarkus.http.auth.proactive = false
quarkus.security.users.embedded.enabled = true
quarkus.http.auth.policy.prometheus-policy.roles-allowed = prometheus
quarkus.http.auth.permission.prometheus.paths = /q/metrics
quarkus.http.auth.permission.prometheus.policy = prometheus-policy
quarkus.http.auth.permission.prometheus.auth-mechanism = basic
quarkus.http.auth.policy.foo-policy.roles-allowed = foo
quarkus.http.auth.permission.foo-permission.paths = /foo/*
quarkus.http.auth.permission.foo-permission.policy = foo-policy
quarkus.http.auth.policy.bar-policy.roles-allowed = bar, baz
quarkus.http.auth.permission.bar-permission.paths = /bar/*
quarkus.http.auth.permission.bar-permission.policy = bar-policy That're the build properties. At runtime the oidc tenants are defined via environment variables. |
Yeah, HTTP Security policies are applied before endpoint is matched, so annotation can't have effect. Strictly speaking this can be fixed, but it is far from easy to do. I think we should keep this issue open for proper fix and probably also document current implementation limit for policies. @RKaczmarek as long as you need HTTP permissions, it won't work for you. |
I'll put this on my list, but I can't promise quick fix. |
@michalvavrik The interesting situation here is that if the proactive authentication is disabled, then it should apply to policies too, specially to the authorization policy, it should not start before the authentication is completed. Sorry if it is what you did in #36504 (IMHO it has to be split into 2 PRs - one dedicated to everything related to HTTP policies improvements and another one to an annotation based mechanism selection) |
I'm going to fix it now, as it will have positive effect for #36504 as well, but there is one design problem I'm going to describe here that can't be worked around:
^^^ means one thing: There is no way we can safely determine that no other route handler should not be secured by HTTP Security policy beforehand. User needs explicitly mark HTTP Security policy as the policy only applied on Jakarta REST and no other handler. Proposal:
And every
NOTE: default will be ALL which means all route handlers, which is how it works now. It is important to realize that cc @sberyozkin |
@geoand could you kindly confirm that you can't determine inside Vert.x HTTP that random HTTP request will 100 % be RESTEasy Reactive endpoint? That is you can't reasonable create map where key is [path, method, headers] to boolean [endpoint / not endpoint]? TBH even then we couldn't do it as we need to secure other handlers, but I want be certain that my assumptions about RESTEasy Reactive are not wrong, you can look at my comment right above, thank you. |
Theoretically you could run the same matching algorithm to see if you get a match |
So if I can't just extract common parts, because in case anything changes, it will bypass security (postpone authorization to never). I am really worried about such ideas, but if you thing there is sound way to do that, I'll consider it. |
I would not do it if I were you, it's bound to turn into a mess :) |
agreed, thanks for feedback :-) |
🙏🏼 |
Hi @michalvavrik, I'm just feeling that may be we need to take some time to think about it, may be @stuartwdouglas will also contribute. I feel that with The main point IMHO is that authorization must follow authentication. So IMHO it is a bug that HTTP When the proactive authentication is disabled, Quarkus can delay the security check till it has confirmed JAX-RS endpoint does require security. IMHO it is worth thinking a bit more if HttpSecurity policy checks can be delayed at least at the JAX-RS path in a similar way. May be what you have analyzed confirms having a property like this is the best workaround possible, but IMHO it is worth taking some time for more feedback, for now users can use OIDC tenant resolver interfaces |
Quarkus HTTP application is more than some REST endpoints, right now HTTP Security policies secure all route handlers after filter with priority AUTHORIZATION (-100 route order).
I agree.
We are talking about Jakarta common security annotations, it is logical they are only applied on REST resources. How I understand HTTP security policies is that they are applied on HTTP requests and that is potentially greater scope than JAX-RS. I agree users will mostly think of JAX-RS endpoints.
It's fine with me, @sberyozkin or @stuartwdouglas take as much time as needed. I have nothing left to analyze as I know this area well enough. Thanks for a feedback. |
Next sentence has stuck in my head for 2 days now, so I'll share my view on it.
It's security first approach, not a workaround. You can't just stop securing other handlers in belief users are mostly interested in JAX-RS endpoints. This is not a closed world, we don't know what other (Quarkiverse? Custom?) extensions are doing after they expect authorization had happened. Difference with a Jakarta annotations is that they are used to secure Jakarta resources, so hardly anyone could expect them to secure for example non-application endpoint handlers like health probes. |
And I forgot context - so if you want still to secure all handlers with tenant chosen based on JAX-RS resource, it means you would need to run parts of RESTEasy logic without RESTEasy starting processing (because then flow is different you don't use Vert.x failure handlers, you use their fault chain, don't use |
I'm not sure why you are highlighting it, I was not proposing it. Instead I was thinking along the lines of delaying the enforcement of the policies when the proactive authentication is disabled. Can you please give it another quick check, if it is doable, at least in principle: If the proactive authentication is disabled - accumulate all the security requirements - routes, JAX-RS and then run them once everything related to security checks is known. If you already know it is not going to work then it is fine... I can see how restricting a policy to the JAX-RS chain solves the problem, if this is what will have to be done after all, then, can we at least, rather than introducing HTTP security policy specific property (meaning it does not apply to some policies, and it becomes more confusing with shared policies), try a single property like |
Misunderstood you, sorry.
Yes, it is doable.
No:
I think if I'll actually attempt to extract it from RR, though I don't like it the concept of it. Util then. |
Fair enough re the complexity of trying to rework the way HTTP security is matched now...
OK. So then , as far as |
My main concern is that results need to be identical. When matching is happening in RESTEasy Reactive I can see several phases that needs to be taken into consideration like
I'm able to implement it, but they are very sensitive changes for for I see as an edge case. That is why I'd like to go with |
|
Ha hm! I think I can do one better. We know that JAX-RS HTTP Security policies are only required with It also puts new light on the |
Describe the bug
Using
@Tenant
annotation on controller or controller method does not select the OIDC tenant.Expected behavior
GET "/foo"
should resolve tenant foo and use https://example.com/foo as authorization server
Actual behavior
GET "/foo"
resolves default tenant and uses https://example.com as authorization server
How to Reproduce?
see expected behavior
Output of
uname -a
orver
No response
Output of
java -version
11
Quarkus version or git rev
3.4.3,3.6.0
Build tool (ie. output of
mvnw --version
orgradlew --version
)gradle 8.3
Additional information
No response
The text was updated successfully, but these errors were encountered: