Wrong behavior in Using JWT RBAC guide

[filippobuletto]

Following the Using JWT RBAC guide section "finally-secured-access-to-securedroles-allowed" the expected curl result is hello + jdoe@quarkus.io, isSecure: false, authScheme: MP-JWT, hasJWT: true but the outcome differs.

Also this warning is reported: WARN: Unrecognized configuration key "quarkus.smallrye-jwt.auth-mechanism" provided

Expected behavior

Expected authScheme: MP-JWT and no WARN report.

Actual behavior

authScheme: BASIC in resource report and warning about unrecognized configuration key.

To Reproduce
Steps to reproduce the behavior:

1. git clone https://github.com/quarkusio/quarkus-quickstarts.git
2. run integratest unit test
3. test pass but unexpected behavior

Configuration
The one provided in quickstart

Environment (please complete the following information):

• Output of uname -a or ver: Linux 2018-00002 4.4.0-18362-Microsoft #1-Microsoft Mon Mar 18 12:02:00 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
• Output of java -version: openjdk version "1.8.0_222" OpenJDK Runtime Environment (Zulu 8.40.0.25-CA-linux64) (build 1.8.0_222-b10) OpenJDK 64-Bit Server VM (Zulu 8.40.0.25-CA-linux64) (build 25.222-b10, mixed mode)
• Quarkus version or git rev: 0.24.0

[gsmet]

@sberyozkin could you have a look at that one?

[sberyozkin]

@loicmathieu ping me please if needed, thanks

[sberyozkin]

@filippobuletto FYI, I'm going to update the guide to refer to Basic, MP-JWT was not really an authentication scheme, it is used to configure the login modules in some cases, but it is a really a Basic authentication scheme which is used to pass the bearer JWT token

[filippobuletto]

@sberyozkin looks good to me, the configuration key quarkus.smallrye-jwt.auth-mechanism has been superseded by another one or has been removed?

[sberyozkin]

@filippobuletto yes. I should've made sure it was mentioned in the 0.25.0 release notes :-)

[sberyozkin]

@filippobuletto I've no idea what I was talking about. Hmm, it must be a Bearer scheme

[filippobuletto]

@sberyozkin that’s true, I’ve been biased by your statement.
So, it’s a bug of the extension or of the smallrye implementation?
May this be a security issue? Reporting the wrong scheme may lead to wrong authentication behavior

[sberyozkin]

@filippobuletto I'm looking into it. I think it is just somewhere on the call path the fact that it was Bearer is ignored and the wrong auth scheme reported (I'm still kicking myself for the fact I've so convincingly typed earlier about the Basic scheme used to pass the Bearer tokens - this is the worst line I've ever typed :-), I'll blame the demo for confusing me with reporting Basic :-) )

[sberyozkin]

Really a lol at myself moment :-), given how many times I wrote the code parsing the bearer schemes :-)