Exclude paths from security when using quarkus-oidc for application type service

[snow-diamond]

I'm having a problem using quarkus-oidc and making public paths work without needing a bearer token. Similar to issue #14001 which did not fix my problems.

I'm using quarkus-oidc and quarkus version 3.25.0.

Is it even possible to have paths that are excluded from the OIDC security and not require a bearer access token or am I doing something wrong?

quarkus:
    http:
        auth:
            permission:
                authenticated:
                    policy: authenticated
                    methods: GET,HEAD,POST,PUT,OPTIONS,PATCH,DELETE
                    paths: /api/*
                public:
                    policy: permit
                    methods: GET,HEAD,POST,PUT,OPTIONS,PATCH,DELETE
                    paths: /public/*
    oidc:
        application-type: service
        auth-server-url: ${keycloak.auth-server-url}/realms/${keycloak.realm}
        client-id: XXX
        credentials:
            secret: XXX
        tls:
            verification: none

Every time I call a public endpoint I get the following message in the console with a 401 response code

2025-08-07 14:13:08,004 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-2) Resolved OIDC tenant id: Default
2025-08-07 14:13:08,004 DEBUG [io.qua.oid.run.BearerAuthenticationMechanism] (vert.x-eventloop-thread-2) Starting a bearer access token authentication
2025-08-07 14:13:08,004 DEBUG [io.qua.oid.run.OidcUtils] (vert.x-eventloop-thread-2) Looking for a token in the authorization header
2025-08-07 14:13:08,004 DEBUG [io.qua.oid.run.BearerAuthenticationMechanism] (vert.x-eventloop-thread-2) Bearer access token is not available

My endpoint:

@Path("/public")
public class PublicResource

    @GET
    @Path("/endpoint")
    @Produces(MediaType.APPLICATION_JSON)

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc,security)

[snow-diamond]

By removing RolesAllowed annotations from all the endpoints made the http auth permissions work

[Andrea-Lombardo-Eng]

Sorry, is this the only solution?
I have a lot of roles allowed around the code. My intent is to allow health probes under the same root path:

quarkus:
  smallrye-health:
    root-path: ${quarkus.http.root-path}/health

[michalvavrik]

I have a lot of roles allowed around the code. My intent is to allow health probes under the same root path:

That is misunderstanding, @Rolesallowed have no effect on your /health probe unless it is annotated with the @RolesAllowed.

[snow-diamond]

If you add a RolesAllowed annotation to any endpoint, the OIDC security runs before HTTP auth permissions, which makes every endpoint require a token (i.e., authentication). I haven’t found a way to make a non-authenticated endpoint while still using RolesAllowed.

The best options seem to be either writing a custom annotation that checks user roles manually, or switching to the quarkus-keycloak-authorization extension, which allows unauthenticated access to public paths.

Reopening the issue in case anyone has a better solution. @pedroigor @sberyozkin

[sberyozkin]

@snow-diamond @Andrea-Lombardo-Eng Let me convert it to Discussion, thanks

[michalvavrik]

hey @Andrea-Lombardo-Eng , no hurry, but if you provide more details, ideally some reproducer, we will either fix it or point where is your issue (in case it is in your setup), but I do not plan to try to reproduce it until then, because I don't have enough details. thanks

[Andrea-Lombardo-Eng]

You're absolutely right. Apologies for not replying earlier.
At the moment, I’ve solved the issue by not customizing the root path of the health endpoints, keeping the default one so that they are exposed under my-root-path/q/health.

Also, I realized that the problem might have been caused by the fact that my requests still included authentication headers.
Probably, disabling the parameter quarkus.http.auth.proactive=false would have fixed it as well?

Anyway, thank you all for the support and the quick responses. Unfortunately, I wasn’t able to provide something reproducible this time.

[michalvavrik]

np @Andrea-Lombardo-Eng, glad you have some working solution, that is all that matter

disabling proactive authentication would cause that authentication only happens when the incoming request must be authenticated, so if there is for example something requiring roles allowed, it wouldn't help

[Andrea-Lombardo-Eng]

Thanks a lot!
But doesn’t having @RolesAllowed(...) implicitly trigger authentication?
Anyway, in my case, all endpoints require authentication with specific roles, except for the health endpoints and the Swagger UI.

[michalvavrik]

But doesn’t having @RolesAllowed(...) implicitly trigger authentication?

sure, I just tried to establish that proactive auth != authentication required, maybe it was unnecessary

Anyway, in my case, all endpoints require authentication with specific roles, except for the health endpoints and the Swagger UI.

yes, so situation is clear