  1. Quarkus
  2. QUARKUS-720

We are getting a 401 when the Keycloak policy-enforcer path is pointing to /health


      Test scenario

      Summary:

      Using the `quarkus-keycloak-authorization` extension, you could exclude some paths from the Authz procedures through these properties:

      quarkus.keycloak.policy-enforcer.enable=true
      quarkus.keycloak.policy-enforcer.paths.health.path=/health/*
      quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
      

      However, when you are pointing to an OpenShift/k8s liveness probe, you expect that this policy also applies to the auto-redirect path.

      curl -vvv http://127.0.0.1:8080/health
      *   Trying 127.0.0.1...
      * TCP_NODELAY set
      * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
      > GET /health HTTP/1.1
      > Host: 127.0.0.1:8080
      > User-Agent: curl/7.64.1
      > Accept: */*
      >
      < HTTP/1.1 301 Moved Permanently
      < location: http://127.0.0.1:8080/q/health
      < content-length: 0
      <
      * Connection #0 to host 127.0.0.1 left intact
      * Closing connection 0
      

      Note: was working on 1.7

       


      Priority: critical -> is critical because we are breaking backward compatibility

      quarkus.keycloak.policy-enforcer.paths.health.path must include "/q" path.

      Quarkus Version 1.7:

      quarkus.keycloak.policy-enforcer.paths.health.path=/health/*

      Quarkus Version 1.11:

      quarkus.keycloak.policy-enforcer.paths.health.path=/q/health/*

      There should be "auto-redirect" (or allow access) for such cases. 

      GH ref 

       

            psilva@redhat.com Pedro Igor Craveiro
            rhn-support-pagonzal Pablo Gonzalez Granados (Inactive)
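
A configuration check for the behaviour reported in this issue, as an added example that is not part of the original report and is not Quarkus or Keycloak code: it follows the `/health` to `/q/health` redirect shown in the curl output and tests whether the final path is covered by a `DISABLED` policy-enforcer entry. The redirect model, the two sample property sets and the simplified wildcard matcher are assumptions made for illustration.

```python
PREFIX = "quarkus.keycloak.policy-enforcer.paths."
NON_APP_ROOT = "/q"             # prefix seen in the 301 "location" header above
REDIRECTED = ("/health",)       # assumption: endpoints redirected under NON_APP_ROOT

# Constructed sample configs using the two path values quoted in the issue.
PROPS_1_7_STYLE = """
quarkus.keycloak.policy-enforcer.enable=true
quarkus.keycloak.policy-enforcer.paths.health.path=/health/*
quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED
"""
PROPS_1_11_STYLE = PROPS_1_7_STYLE.replace("=/health/*", "=/q/health/*")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def disabled_patterns(props):
    """Return path patterns whose enforcement-mode is DISABLED."""
    entries = {}
    for key, value in props.items():
        if key.startswith(PREFIX):
            name, _, field = key[len(PREFIX):].partition(".")
            entries.setdefault(name, {})[field] = value
    return [e["path"] for e in entries.values()
            if e.get("enforcement-mode") == "DISABLED" and "path" in e]

def matches(pattern, path):
    """Simplified matcher (assumption): a trailing /* covers the base path and below."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern

def final_path(path):
    """Model the 301: a redirected endpoint ends up under NON_APP_ROOT."""
    if any(path == ep or path.startswith(ep + "/") for ep in REDIRECTED):
        return NON_APP_ROOT + path
    return path

def probe_is_exempt(props_text, probe_path):
    """Return (path the probe finally hits, whether enforcement is disabled there)."""
    target = final_path(probe_path)
    patterns = disabled_patterns(parse_properties(props_text))
    return target, any(matches(p, target) for p in patterns)
```

Running `probe_is_exempt` over a deployment's `application.properties` and its configured probe paths before an upgrade shows which probes would land on an enforced path after the redirect.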