Authentication fixes #8006
Authentication fixes #8006
Conversation
boring-cyborg
bot
added
area/arc
stuartwdouglas
force-pushed
the
synthetic-bean-runtimeinit
branch
from
244ca3d
to
5ccd864
Compare
|
Hi @stuartwdouglas What is going to happen now when |
...rtx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpAuthenticator.java
Show resolved
Hide resolved
|
authenticate explicitly differentiates between invalid and missing. If you return null the next one is tried, if it fails then no further action is taken. In general you should only mix mechanisms that use different credentials, e.g. form and basic. |
|
@stuartwdouglas Sorry, I glanced and assumed the iteration would continue even if one of the Bearer authentication mechanism fails. |
|
@sberyozkin what's the status of this one? I can't infer it from your last comment. |
|
@gsmet Sorry, I initially assumed that multiple mechanisms will be iterated over even if the current one returns a fault, so Stuart clarified it was not the case, which is good. |
|
@stuartwdouglas I let you check @sberyozkin 's comment and give me the status of this one? If some of the changes are too risky, maybe it warrants extracting the safe fixes so that I can only backport them. |
|
@gsmet @stuartwdouglas I've been thinking that in a way we can't prevent the users adding |
|
Or just mark |
|
They are currently mutually exclusive, in that they will fail if all of them are added. I think this is something we can improve later. One option would be to have some way to express a credential transport type, and check compatibility that way, it's kinda hard to express in a generic way though. Stacking auth mechanisms is already an advanced use case, and I think it should be fairly obvious that you can't mix two that work the same way. |
|
Hi Stuart, @stuartwdouglas, #8138 has just been opened, I haven't looked into it yet, but I think it is related |
|
@stuartwdouglas My understanding is that a user expects an exception when more than one mechanism is present. It makes me think if the user-driven composition is the way to go - otherwise some users will be happy (form+basic case), and some - not |
|
@stuartwdouglas Or just let the users set a property |
|
Guys, I will need a conclusion for this one if you expect it to be part of 1.3.1. |
|
IMHO it would be better to extract the authentication related updates and merge the rest, as it is obvious now different users have different expectations about what should happen when more than one mechanism is available. Though having a property for the users to choose if multiple mechanisms are OK or not seems like an easy way to resolve the ambiguity :-). Not sure if Stuart will agree |
|
Well I stumbled upon #8138 while debugging why multiple mechanisms aren’t supported (my use case is multiple). Now it’s very blackbox if you add multiple and it just doesn’t work without any feedback. I’d be very happy if the next release includes this PR! |
|
@KeesKoffeman OK thanks, I thought you did not want that... |
|
@sberyozkin if that property is false the app just won't work at all. I don't see any reason to have a config flag that serves no purpose other than to stop the users application from working. Basically there are two cases:
|
- Use synthetic beans to configure form and basic auth - Allow multiple authentication mechanisms - Better default behaviour based on what is configured Fixes quarkusio#7768 Fixes quarkusio#5284
stuartwdouglas
force-pushed
the
synthetic-bean-runtimeinit
branch
from
5ccd864
to
53b3b48
Compare
|
I have added a credential transport notion to make sure that incompatible mechanisms are not enabled together. |
|
@sberyozkin can you check that PR in priority? |
|
Hi Stuart @stuartwdouglas
I was just hoping to avoid some unpredictability. At the moment multiple mechanisms don't work, and now they will start working, and it may be worth to give an option to the users and prevent opening up the authentication space by accident. |
| public HttpCredentialTransport getCredentialTransport() { | ||
| //not 100% correct, but enough for now | ||
| //if OIDC is present we don't really want another bearer mechanism | ||
| return new HttpCredentialTransport(HttpCredentialTransport.Type.AUTHORIZATION, "bearer"); |
There was a problem hiding this comment.
That is fine, we can support bearer,code-flow in the future when a given mechanism supports different types
There was a problem hiding this comment.
@stuartwdouglas Thanks a lot, and thanks for the patience. The authentication part looks perfect now :-) The rest looks good for sure too
|
@gsmet HI Guillaume sorry for a delay. Hope everyone is happy with the latest update from Stuart, I certainly am :-). |
Also includes synthetic bean fixes from @mkouba
Fixes #7768
Fixes #5284
Fixes #8138