Tags: java, rest, quarkus, quarkus-oidc

Quarkus: 401 for permitted route when request contains Bearer token


I got the following scenario:

I'm migrating a legacy application into a new Quarkus based application. For routes addressing the legacy API, Quarkus acts as a proxy.

The requirement is that all routes pointing to the legacy API are permitted and not subject to the Quarkus OIDC check, since the legacy API has its own auth mechanism.

When making requests to that specific route they are correctly forwarded to the legacy API and are not rejected with 401.

BUT: as soon as a request for that specific route contains a Bearer token, e.g. "Bearer eyJhb...." in the "Authorization" header, Quarkus OIDC kicks in and rejects the request with 401.

If I omit the "Bearer " from the beginning of the header (the legacy API can handle that as well), the Quarkus OIDC check does not happen and the request is forwarded.

My current solution is a RouteFilter with high priority that removes the "Bearer " prefix from the Authorization header, which as a result does not trigger the Quarkus OIDC check.

But I would prefer a cleaner solution without header manipulation that gives me the possibility to skip the Quarkus OIDC check for a certain route.

I wonder if this is a bug in Quarkus, that it still checks the Bearer token even for routes that are permitted in application.properties like this:

quarkus.http.auth.permission.permit1.paths=/legacyapi/*
quarkus.http.auth.permission.permit1.policy=permit
quarkus.http.auth.permission.permit1.methods=GET,POST,PUT,DELETE,PATCH,HEAD

I tried many ways to get around the OIDC check with filters and interceptors but didn't find a way to prevent the OIDC check from kicking in before my filters / interceptors were called.

Does somebody have a working hint how I get around the OIDC check for a specific path?

I'm currently on Quarkus version: 2.16.7.Final

I'm expecting that the permit configuration in application.properties does not depend on whether a request contains a Bearer token or not - but maybe I'm wrong?


Solution

  • Problem was solved thanks to the help of @iabughosh and @SergeyBeryozkin. By setting the property quarkus.http.auth.proactive to false, my permitted paths were not rejected anymore - Thanks
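As an added illustration (not the poster's own configuration), here is an application.properties that combines the permit rule from the question with the fix from the solution, plus the caveat a practitioner should keep in mind when turning proactive authentication off. The permission names and the /api/* prefix used for the protected part of the application are assumptions for the example.

```properties
# Added example, not the poster's configuration: application.properties for the
# setup described in the question, with the fix from the accepted solution.

# 1. Path-based permission, as in the question: requests to the legacy API are
#    allowed through regardless of who (if anyone) is authenticated. The name
#    "legacy" is arbitrary.
quarkus.http.auth.permission.legacy.paths=/legacyapi/*
quarkus.http.auth.permission.legacy.policy=permit
quarkus.http.auth.permission.legacy.methods=GET,POST,PUT,DELETE,PATCH,HEAD

# 2. The actual fix. Proactive authentication (the default, true) runs the
#    configured identity providers on every request that carries credentials,
#    BEFORE path permissions are evaluated. A "Bearer ..." header that the OIDC
#    extension cannot validate therefore yields 401 even on a permitted path.
#    With proactive authentication off, the token is only verified when
#    something later in the request actually demands an identity, so the
#    legacy Authorization header is forwarded untouched.
quarkus.http.auth.proactive=false

# 3. Caveat: once proactive auth is disabled, paths that DO need a logged-in
#    user must trigger authentication explicitly. A path-based "authenticated"
#    policy (shown for an assumed /api/* prefix) or @Authenticated /
#    @RolesAllowed on the resource does that; otherwise an injected
#    SecurityIdentity may simply be anonymous.
quarkus.http.auth.permission.secured.paths=/api/*
quarkus.http.auth.permission.secured.policy=authenticated
```

With this in place, a request to /legacyapi/... carrying an unknown or expired Bearer token is proxied rather than rejected, while /api/... still requires a token that the OIDC extension can validate.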