There is an option in application.properties to disable role-based authorization. However, when RBAC is disabled, authentication is effectively also disabled, because even when the OIDC feature of Quarkus is enabled, users are not required to provide credentials. So in this mode, if a user provides invalid credentials, then a request will fail. However, if a user provides no credentials, then the request will succeed on behalf of an anonymous user. And since roles are disabled, no additional checking is done.
We need to allow a configuration where authentication is required (only for the majority of REST operations, but not for things like health checks and /system/info) but roles are not. This is already being fixed on master with our new in-app role mapping support, but we need to consider whether to fix this on the 2.0.x branch.
This has been fixed as part of an overhaul to our authorization implementation. Now it is possible to enable authentication without requiring any sort of authorization.
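The configuration the issue asks for (authentication required, no role checks, health and info endpoints left open) can be sketched with Quarkus's generic HTTP permission properties. This is an added example, not the project's own fix or configuration; the OIDC values are placeholders and the paths are assumptions based on the endpoints named in the issue.

```properties
# Added example: generic Quarkus HTTP permission rules, not this project's settings.
# All paths and OIDC values below are assumptions or placeholders.

# OIDC enabled. On its own this only validates credentials that are presented:
# a bad token is rejected, but a request with no token proceeds as anonymous
# unless a policy (or role check) demands an authenticated identity.
quarkus.oidc.enabled=true
quarkus.oidc.auth-server-url=https://idp.example.test/realms/placeholder
quarkus.oidc.client-id=placeholder-client

# Endpoints that stay reachable without credentials (assumed paths).
quarkus.http.auth.permission.public.paths=/health/*,/system/info
quarkus.http.auth.permission.public.policy=permit

# Everything else requires an authenticated identity, with no role requirement.
# When several rules match a request, the longest matching path wins, so the
# "public" rule above takes precedence for its paths.
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
```

To check a deployment for the behaviour described in the issue, send a request to a protected REST operation with no `Authorization` header and confirm it returns 401 rather than succeeding as an anonymous user.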