quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Something wrong with elytron-oauth2 bearer token authentication after Quarkus 3.13.3 update #42984

Closed DempseyRoller closed 1 week ago

DempseyRoller commented 1 week ago

Describe the bug

RestAssured tests fail with a 401 authentication error when the endpoint has OAuth2 activated. The test was set up like the example in the Quarkus guide.

I used a WireMock request listener to get some insight into what's happening. In Quarkus versions pre 3.13.3 there's an HTTP request to the exposed stub. After 3.13.3 there's not. Nothing else is different.

Tested with 3.13.3 and 3.14.1

Expected behavior

When the OAuth2 is activated the endpoint should do a request to the specified introspection url when it's called.

Actual behavior

When the OAuth2 is activated the endpoint seems to not do any request to introspection.

How to Reproduce?

  1. Use Quarkus 3.13.3 or later, resteasy-multipart and elytron-security-oauth2.
  2. Create a small integration test
  3. Test

Output of uname -a or ver

Linux 5.15.153.1-microsoft-standard-WSL2 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64 GNU/Linux

Output of java -version

openjdk version "21.0.1" 2023-10-17 LTS
OpenJDK Runtime Environment Temurin-21.0.1+12 (build 21.0.1+12-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.1+12 (build 21.0.1+12-LTS, mixed mode, sharing)

Quarkus version or git rev

3.13.3+

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.7 (8b094c9513efc1b9ce2d952b3b9c8eaedaf8cbf0)

Additional information

No response

quarkus-bot[bot] commented 1 week ago

/cc @pedroigor (bearer-token), @sberyozkin (bearer-token)

gsmet commented 1 week ago

Can you make sure you use Bearer thetoken and not Bearer: thetoken in your test? I.e. you shouldn't have a colon.

The guide needs a fix.

If it doesn't fix your problem, please provide a reproducer.
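
Added example, not part of the thread and not Quarkus or Elytron code: a strict parser for the Authorization header that follows the RFC 6750 grammar (the scheme name Bearer, one or more spaces, then the token), showing why a header written with a colon after the scheme yields no bearer credential at all. The class and method names are hypothetical, the sample headers are constructed, and the outcome strings only mirror the 401 and the missing introspection request described in the report.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BearerHeaderCheck {

    // RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
    // The scheme name is compared case-insensitively (RFC 7235).
    private static final Pattern BEARER = Pattern.compile(
            "^Bearer +([A-Za-z0-9\\-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    /** Returns the token only when the header is a well-formed Bearer credential. */
    static Optional<String> extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null) {
            return Optional.empty();
        }
        Matcher m = BEARER.matcher(authorizationHeader);
        return m.matches() ? Optional.of(m.group(1)) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample headers; "thetoken" is the placeholder used in the thread.
        String[] samples = {
            "Bearer thetoken",     // correct form
            "Bearer: thetoken",    // colon makes the scheme "Bearer:", not "Bearer"
            "bearer thetoken",     // scheme is case-insensitive, still valid
            "Bearer",              // scheme without a token
            "Basic dXNlcjpwYXNz"   // a different scheme
        };
        for (String header : samples) {
            // Assumption: a strict server only introspects a parsed bearer token
            // and answers 401 otherwise, as observed in the report.
            String outcome = extractBearerToken(header)
                    .map(t -> "token accepted, would be sent to introspection")
                    .orElse("no bearer credential, 401 without an introspection call");
            System.out.printf("%-22s -> %s%n", header, outcome);
        }
    }
}
```

Running the same check against the header a test builds is a quick way to tell a malformed client header apart from a server-side regression before comparing Quarkus versions.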

gsmet commented 1 week ago

It was fixed here: https://github.com/quarkusio/quarkus/pull/42707/files but we unfortunately didn't backport the fix. I will do it for tomorrow's release.

DempseyRoller commented 1 week ago

Well I'll be damned! Thank you. Tried to shuffle through the changelog but nothing pointed me to this.