Exclude paths from security when using quarkus-oidc

[codependent]

Description
I'm using Quarkus 1.10.5 with the quarkus-oidc component to enforce the validation of a JWT token. This application is playing the role of a sidecar container that simply validates this security requirement and forwards the request to the next container.

The point is I need to exclude some paths from the oidc validation. On Stackoverflow I was pointed at this documentation resource: https://quarkus.io/guides/security-authorization#matching-on-paths-methods

My full configuration is as follows:

quarkus:
  http:
    port: 8081
    cors: false
    auth:
      permission:
        permit1:
          policy: permit
          paths: /api/public/*
  oidc:
    auth-server-url: ${keycloak.auth-server-url}/realms/${keycloak.realm}
    client-id: XXX
  ssl:
    native: true
  native:
    enable-https-url-handler: true
  log:
    console:
      enable: true
      level: DEBUG

The problem is quarkus.http.auth.permission.permit1.* configuration seems to be ignored, and I keep getting 401 on public paths.

Could you add support for excluding paths from the oidc validation?

/cc @pedroigor, @sberyozkin

[sberyozkin]

@codependent Can you confirm please it is only a problem for the static resources ? I've looked and we have the tests confirming public JAX-RS endpoints can be accessed with quarkus-oidc used to protect other endpoints

[codependent]

@sberyozkin give me a day and I'll provide a Github repository reproducing the issue

[codependent]

In the meantime, I can give you more context about my use case. My Quarkus application is a proxy (sidecar) that captures all paths and HTTP verbs. As you can see the whole RestProxy is @Authenticated:

@Authenticated
@Path("/{var:.+}")
public class RestProxy {

    @GET
    public Response get(@Context UriInfo uriInfo, @Context HttpHeaders httpHeaders) {
        MultivaluedMap<String, String> headers = getHeaderMap(httpHeaders);
        return restClient.get(uriInfo, headers);
    }

    @POST
    public Response post(@Context UriInfo uriInfo, @Context HttpHeaders httpHeaders, InputStream body) {
        MultivaluedMap<String, String> headers = getHeaderMap(httpHeaders);
        return restClient.post(uriInfo, headers, body);
    }
    ...

I need everything to be secured with quarkus-oidc except some configurable paths, eg /api/public/*. I expected this would be enough:

quarkus:
  http:
    ...
    auth:
      permission:
        permit1:
          policy: permit
          paths: /api/public/*

However I see the contradition between having the whole controller @Authenticated and using quarkus.http.auth at the same time.

Is something like this supported in some way?

[codependent]

I'm closing the issue, it can be achieved removing the annotation and configuring everything with properties:

@Path("/{var:.+}")
public class RestProxy {

quarkus:
  http:
    port: 8081
    cors: false
    auth:
      permission:
        permit1:
          policy: permit
          paths: /api/public/*
          methods: GET,HEAD,POST,PUT,OPTION,PATCH
        authenticated:
          policy: authenticated
          paths: /*
          methods: GET,HEAD,POST,PUT,OPTION,PATCH

Thank you for having a look a it

[sberyozkin]

Hi @codependent Cool, thanks, that template wildcard might've been introducing some conflict as well, thanks