Closed Traivor closed 2 years ago
/cc @pedroigor, @sberyozkin
I've tried combining with the elytron-security-properties-file extension and embedded users, but it seems to completely take over auth. I.e. any un-authed request gets a Basic challenge rather than redirecting to Keycloak.
I should clarify that my app provides both REST endpoints and normal UI, so I need OIDC to do redirects on normal browser access while allowing Basic.
@Traivor Hi, quarkus-oidc is not going to deal with Basic Authentication, quarkus-oidc is about dealing with tokens, so making it a conduit for forwarding basic credentials to Keycloak seems wrong to me. But indeed you can combine OIDC with other mechanisms.
When no credentials are provided and basic and OIDC mechanisms are enabled, Basic one takes priority. It may seem wrong for your case but we have users for whom it seems wrong the other way around.
You can customize it a few ways:
- BasicAuthenticationMechanism and OidcAuthenticationMechanism injected and delegate to the latter when the challenge is required and no Authorization header with Basic or Bearer schemes is available
- OidcAuthenticationMechanism but which will have a priority higher than the one used by BasicAuthenticationMechanism
HTH, thanks
I'm going to close this issue
@Traivor Also, I'd recommend https://quarkus.io/guides/security-openid-connect-dev-services, instead of testing manually
It will take care of getting the tokens for you and you can have Swagger UI seamlessly integrated into it
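The first option above, written out as an added example of a custom mechanism (this is not code from the thread or from Quarkus itself). It assumes the Quarkus 3 HttpAuthenticationMechanism SPI (jakarta.* annotations, getCredentialTransport taking a RoutingContext), that quarkus.http.auth.basic=true is set so the BasicAuthenticationMechanism bean exists, and a made-up class name.

```java
import java.util.HashSet;
import java.util.Set;
import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.inject.Inject;
import io.quarkus.oidc.runtime.OidcAuthenticationMechanism;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

// Added example: Basic for API clients that actually send it, OIDC for everything else,
// so an unauthenticated browser gets the Keycloak redirect instead of a Basic 401.
@Alternative
@Priority(1)
@ApplicationScoped
public class BasicOrOidcAuthenticationMechanism implements HttpAuthenticationMechanism {
    @Inject BasicAuthenticationMechanism basic; // requires quarkus.http.auth.basic=true
    @Inject OidcAuthenticationMechanism oidc;

    // Treat the request as Basic only when a Basic credential is present (case-insensitive scheme).
    private static boolean hasBasicHeader(RoutingContext ctx) {
        String auth = ctx.request().getHeader("Authorization");
        return auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6);
    }
    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext ctx, IdentityProviderManager ipm) {
        return hasBasicHeader(ctx) ? basic.authenticate(ctx, ipm) : oidc.authenticate(ctx, ipm);
    }
    @Override
    public Uni<ChallengeData> getChallenge(RoutingContext ctx) {
        // Challenge with Basic only if Basic was attempted; otherwise OIDC issues the redirect.
        return hasBasicHeader(ctx) ? basic.getChallenge(ctx) : oidc.getChallenge(ctx);
    }
    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        Set<Class<? extends AuthenticationRequest>> types = new HashSet<>(basic.getCredentialTypes());
        types.addAll(oidc.getCredentialTypes());
        return types;
    }
    @Override
    public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext ctx) {
        return hasBasicHeader(ctx) ? basic.getCredentialTransport(ctx) : oidc.getCredentialTransport(ctx);
    }
}
```

Because the bean is an @Alternative for HttpAuthenticationMechanism, it is the only mechanism the HttpAuthenticator consults, so both built-in mechanisms are reached solely through this delegation.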
The first two options look plausible. Thanks!
The third...before I read through the whole page, do you know if it is possible to adapt this to production? I provide the swagger ui as an end user service.
@Traivor Unfortunately DevServices are only available at dev-mode time.
But the first 2 options can be used in production for sure
Ah. Seeing reference to using an already running OIDC provider got my hopes up. Bummer.
I'll bend one of the other options to my will. Thanks for the help!
@Traivor Np at all; We can try to optimize/improve further how multiple auth mechanisms are combined - but IMHO it is the right approach for such cases
Cheers
Ping us please with new issues if you see some options for improving the way the mechanisms are combined
Description
It doesn't appear the OIDC extension supports Basic auth. This is supported by the Keycloak adapter and the generic OIDC adapter which is now in Wildfly.
My use case is that for testing it is way easier to type in a user/pass into swagger/Postman/whatever than constantly grabbing new tokens separately.
Implementation ideas
No response