Support several authentication mechanisms for a specific path #46167

Open
sberyozkin opened this issue Feb 9, 2025 · 7 comments
Labels: area/security, kind/enhancement (New feature or request)

Comments

sberyozkin (Member) commented Feb 9, 2025

Description

Sometimes, users would like to have path-based authentication for more than one authentication mechanism.

If it were possible to do, then we could let users enable it with either HttpSecurityPolicy

quarkus.http.auth.permission.mtls-basic.paths: /a
quarkus.http.auth.permission.mtls-basic.auth-mechanism: mtls.basic

or annotations:

@HttpAuthenticationMechanisms(mechanisms = {MTLS, BasicAuthentication})
@Path("/a")
@GET
public String getA() {
    return "a";
}

Implementation ideas

No response

quarkus-bot (bot) commented Feb 9, 2025

/cc @pedroigor (bearer-token)

@sberyozkin sberyozkin changed the title Consider supporting more than one authentication mechanism for a specific path only Support several authentication mechanisms for a specific path only Feb 9, 2025
@sberyozkin sberyozkin changed the title Support several authentication mechanisms for a specific path only Support several authentication mechanisms for a specific path Feb 9, 2025
mschorsch (Contributor) commented Feb 10, 2025

There was also #40952

michalvavrik (Member) commented

There was also #40952

I completely forgot about it :-) but at least I am consistent #40952 (comment) - I still think it adds complexity, but this can be done for sure.

sberyozkin (Member, Author) commented

Yeah, sorry, I forgot about #40952. So we now have 2 users asking for it :-)

My comment fragment from #40952 is still relevant IMHO

...allowing multiple HTTP auth mechanism annotations would allow duplicate annotations like @BasicAuthentication @BasicAuthentication...

This duplication can be detected though...

michalvavrik (Member) commented

I had a very quick look at what this would mean and how difficult it would be:

  • for HTTP Security Policies this can be done without big difficulties, just a little complexity added
  • for annotation-based auth mechanism selection, I suggest that we allow combining @BasicAuthentication, @MTLSAuthentication, @Bearer... etc. together on one endpoint, but not that we make annotations repeatable. Currently you can't combine them because I added build-time validation, but they are not one annotation, therefore they don't need to be repeatable:

    @AuthorizationCodeFlow
    @BearerTokenAuthentication
    @Path("hello")
    public String sayHello() {
        return "Hello";
    }

  • @HttpAuthenticationMechanisms(mechanisms = {MTLS, BasicAuthentication}) sounds good as well

The annotation-based solution will be more difficult; I think we may just start with HTTP Security Policy and follow up later, but implement both.

sberyozkin (Member, Author) commented Feb 11, 2025

Hi Michal, @michalvavrik, thanks, it is not a super urgent issue to deal with :-), let's indeed start with supporting it at the policy level first, but please consider the impact of inclusive authentication, as the reason it is currently ignored is that path-based authentication is single-mechanism only. Please add it to your queue, but do take your time with this issue.

michalvavrik (Member) commented

Hi Michal, @michalvavrik, thanks, it is not a super urgent issue to deal with :-), let's indeed start with supporting it at the policy level first, but please consider the impact of inclusive authentication, as the reason it is currently ignored is that path-based authentication is single-mechanism only. Please add it to your queue, but do take your time with this issue.

Good point about inclusive authentication, I didn't think of that, thanks.
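Added example, not Quarkus code and not from anyone in this thread: a small model of the two points raised above, the build-time duplicate check for a multi-mechanism path policy (sberyozkin's "This duplication can be detected") and the inclusive-authentication question (all selected mechanisms must succeed versus any one of them). The dot-separated `mtls.basic` value, the class, the `Policy` record and the longest-prefix matching are assumptions for illustration, as is modelling inclusive mode as "every selected mechanism verified the request".

```java
import java.util.*;

public class MultiMechanismPolicyDemo {
    // Mechanism names taken from the thread; any other name fails validation (assumed set).
    static final Set<String> KNOWN = Set.of("mtls", "basic", "bearer");

    record Policy(String pathPrefix, List<String> mechanisms) {}

    // Parses the proposed dot-separated value (e.g. "mtls.basic") with the build-time
    // checks the thread asks for: unknown names and duplicate mechanisms are rejected.
    static Policy parse(String pathPrefix, String authMechanism) {
        List<String> names = List.of(authMechanism.split("\\."));
        Set<String> seen = new HashSet<>();
        for (String n : names) {
            if (!KNOWN.contains(n)) throw new IllegalArgumentException("unknown mechanism: " + n);
            if (!seen.add(n)) throw new IllegalArgumentException("duplicate mechanism: " + n);
        }
        return new Policy(pathPrefix, names);
    }

    // Longest matching prefix wins; no match means no path-based selection applies.
    static List<String> mechanismsFor(List<Policy> policies, String requestPath) {
        return policies.stream()
                .filter(p -> requestPath.startsWith(p.pathPrefix()))
                .max(Comparator.comparingInt((Policy p) -> p.pathPrefix().length()))
                .map(Policy::mechanisms).orElse(List.of());
    }

    // 'verified' holds the mechanisms whose credentials the request carried and that
    // checked out. Exclusive mode accepts once any selected mechanism verified the
    // request; inclusive mode requires every selected mechanism, the semantics the
    // thread notes is currently skipped because path-based selection is single-mechanism.
    static boolean authenticated(List<String> selected, Set<String> verified, boolean inclusive) {
        if (selected.isEmpty()) return false;
        return inclusive ? verified.containsAll(selected) : selected.stream().anyMatch(verified::contains);
    }

    public static void main(String[] args) {
        List<Policy> policies = List.of(parse("/a", "mtls.basic"), parse("/b", "bearer"));
        List<String> forA = mechanismsFor(policies, "/a/resource");
        System.out.println("exclusive, only Basic verified: " + authenticated(forA, Set.of("basic"), false));
        System.out.println("inclusive, only Basic verified: " + authenticated(forA, Set.of("basic"), true));
        try {
            parse("/c", "basic.basic");
        } catch (IllegalArgumentException e) {
            System.out.println("validation: " + e.getMessage());
        }
    }
}
```

The two `authenticated` calls show why the thread wants the inclusive case decided explicitly: the same request against the same `/a` policy passes in one mode and is denied in the other.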
