Keycloak Authorization services with anonymous access
Describe the bug
I am trying to secure a Quarkus backend using Keycloak, following https://quarkus.io/guides/security-keycloak-authorization . I'd like to allow anonymous access for some instances, based on Keycloak configuration. However, when I set Policy Enforcement Mode to 'Disabled' in the client, my requests without an Authorization header get rejected with 401 Unauthorized.
Note that I want to configure this centrally in KC, not path-specific in application properties. I've tried to change quarkus.keycloak.policy-enforcer.enforcement-mode to PERMISSIVE and it doesn't help; when I set it to DISABLED it gives me the correct (anonymous) response.
There's a test for public access, but that relies on DISABLED mode for a given path.
Expected behavior
Mode 'Disabled' or 'Permissive' with no policy defined should not prevent access by an anonymous user.
Actual behavior
Anonymous user gets 401 Unauthorized.
To Reproduce
Follow https://quarkus.io/guides/security-keycloak-authorization and in Client / Authorization set 'Policy Enforcement Mode' to 'Disabled'.
Environment: Quarkus 1.0.1.Final, Keycloak 8.0.1
@rinaldodev I guess it should be
@rvansa So then it would come down to a single JAX-RS method offering semi-secured access. I'm not sure it is the right solution; the anonymous access is on a specific path, so you can have two JAX-RS methods, one serving the anonymous user and one the authorized one, both delegating to a common implementation.
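The two-endpoint split suggested in the reply above, written out as an added example; it is not code from the issue, the Quarkus guide, or the Quarkus project. The resource class, paths, and method names are hypothetical, and the anonymous path is assumed to be excluded from enforcement with a per-path rule in application.properties (the `quarkus.keycloak.policy-enforcer.paths.<n>.path` / `.enforcement-mode=DISABLED` keys the linked guide documents), which is the path-specific approach the reporter says works. The Quarkus 1.0-era `javax` namespace is used to match the reported environment.

```java
package org.acme.security;

import java.util.Map;

import javax.annotation.security.PermitAll;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.SecurityIdentity;

// Hypothetical resource: one route for anonymous callers, one for authenticated
// callers, both delegating to the same implementation. The anonymous route is
// taken out of policy enforcement in application.properties (assumed config):
//
//   quarkus.keycloak.policy-enforcer.paths.1.path=/api/public/*
//   quarkus.keycloak.policy-enforcer.paths.1.enforcement-mode=DISABLED
//
// Everything else under /api stays in the enforcer's default ENFORCING mode,
// so a missing or invalid bearer token there is still answered with 401.
@Path("/api")
@Produces(MediaType.APPLICATION_JSON)
public class GreetingResource {

    @Inject
    SecurityIdentity identity;

    // Reachable without an Authorization header because of the path rule above;
    // @PermitAll makes the intent explicit at the JAX-RS layer as well.
    @GET
    @Path("/public/greeting")
    @PermitAll
    public Map<String, Object> anonymousGreeting() {
        return buildGreeting("anonymous", false);
    }

    // Requires a valid bearer token. The policy enforcer evaluates the Keycloak
    // permissions for /api/greeting before this method is ever invoked.
    @GET
    @Path("/greeting")
    @Authenticated
    public Map<String, Object> authenticatedGreeting() {
        String name = identity.getPrincipal().getName();
        return buildGreeting(name, true);
    }

    // Shared implementation: the only difference between the two routes is
    // which identity they hand in, so business logic is not duplicated.
    private Map<String, Object> buildGreeting(String name, boolean authenticated) {
        return Map.of(
                "message", "Hello, " + name,
                "authenticated", authenticated);
    }
}
```

The point of keeping the public surface on its own path prefix is that the enforcement exclusion can be expressed as a narrow, reviewable rule rather than by dropping the enforcer to PERMISSIVE or DISABLED for the whole application; a request to `/api/greeting` without a token is still rejected, while `/api/public/greeting` answers anonymously.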