Custom authentication mechanism is not invoked when no identity providers are registered #38508
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Describe the bug
Security architecture assumes that the current HTTP Authentication mechanism only extracts the credentials and passes them to the registered identity providers.
It makes total sense but should not be enforced, when a simple mechanism already has the knowledge how to create an identity
Expected behavior
IdentityProviderManager should log when it is invoked and zero providers are available and report an authentication failed exception to protected against such cases but
HttpAuthenticatorshould give a chance to the registered HTTP mechanismsActual behavior
HttpAuthenticationMechanism is ignored when no IdentyProvider is registered
How to Reproduce?
No response
Output of
uname -aorverNo response
Output of
java -versionNo response
Quarkus version or git rev
No response
Build tool (ie. output of
mvnw --versionorgradlew --version)No response
Additional information
No response
The text was updated successfully, but these errors were encountered: