OIDC enablement at runtime vs. build time


Eric Wittmann

Oct 7, 2020, 9:19:43 AM
to Quarkus Development mailing list
We've been working on adding Auth to Apicurio Registry recently using Quarkus OIDC to integrate with Keycloak/RHSSO. Everything is working rather nicely and the set of config properties available is great. One thing we're trying to figure out is how best to offer an "auth disabled" option without building additional docker images. The docs indicate that "quarkus.oidc.enabled" is a build time property, and if that is set to true, then it seems that the OIDC server URL must be configured and actually available when the app starts up, otherwise it fails.

Everything else is configurable at runtime, including which endpoints to secure (or not).  We were hoping to be able to e.g. disable authentication at runtime by simply setting all endpoints to be non-secured.  But we still need an OIDC server even though it won't be used.

Is there a recommended way to enable the OIDC feature but have a runtime config that effectively turns it off?

Sergey Beryozkin

Oct 7, 2020, 9:30:37 AM
to ewit...@redhat.com, Quarkus Development mailing list
Hi Eric

Thanks for the feedback, this one, `quarkus.oidc.tenant-enabled=false` should help, give it a try please.
It is also possible to use this property to disable/enable individual tenants if needed, e.g.:

# default tenant
quarkus.oidc.tenant-enabled=true/false
# tenant-a
quarkus.oidc.tenant-a.tenant-enabled=true/false

etc

Cheers, Sergey


Eric Wittmann

Oct 7, 2020, 10:26:07 AM
to Quarkus Development mailing list
Ah I see - thanks.  We'll give that a try!

Emmanuel Bernard

Oct 8, 2020, 6:31:36 AM
to Siarhei Biarozkin, Eric Wittmann, Quarkus Development mailing list
How can we improve the doc so that Eric from the alternative universe does not talk to us?
Maybe a sideline block for that specific use case?

Sergey Beryozkin

Oct 8, 2020, 6:41:46 AM
to Emmanuel Bernard, Eric Wittmann, Quarkus Development mailing list
Sure, we are updating the docs now with the various hints, so maybe the OIDC Multitenancy doc can be updated, I can try to during the next docs PR...

Thanks, Sergey

Emmanuel Bernard

Oct 8, 2020, 8:57:55 AM
to Sergey Beryozkin, Eric Wittmann, Quarkus Development mailing list
Multitenancy?
It looked like Eric was after being able to disable auth at startup time.

Sergey Beryozkin

Oct 8, 2020, 9:12:22 AM
to Emmanuel Bernard, Eric Wittmann, Quarkus Development mailing list
The usual OIDC configuration without `tenant-a`/etc is a default tenant config and the property to disable it is `quarkus.oidc.tenant-enabled=false` :-), so I thought of adding it to the OIDC multitenancy doc which is also linked to from the other 2 OIDC independent guides.
But adding a small section/note to all the OIDC guides would be fine too - there is no `central` OIDC page yet available, the central one is `security.adoc` which is the Quarkus Security entry page.

Thanks, Sergey

Eric Wittmann

Oct 8, 2020, 10:04:40 AM
to Quarkus Development mailing list
By the way - we've tried this and it's looking good.  Thanks for the tip!
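
Because `tenant-enabled` is a runtime property, one environment variable can leave a deployed image with OIDC switched off. The script below is an added example, not part of the thread or of Quarkus: it reports which tenants the `tenant-enabled` properties discussed above leave disabled. The sample file, URL and function names are constructed, and it assumes environment variables override `application.properties`, an enabled default tenant when the key is unset, and no profiles or system properties.

```python
import re

# Constructed sample input, not taken from the thread or from Apicurio Registry.
SAMPLE_PROPERTIES = """\
# default tenant
quarkus.oidc.auth-server-url=https://sso.example.test/auth/realms/registry
quarkus.oidc.tenant-enabled=true
# named tenant
quarkus.oidc.tenant-a.tenant-enabled=false
"""
TENANT_KEY = re.compile(r"^quarkus\.oidc\.(?:([^.]+)\.)?tenant-enabled$")
TRUE_VALUES = {"true", "1", "yes", "y", "on"}  # anything else is reported as disabled
DEFAULT_KEY = "quarkus.oidc.tenant-enabled"


def env_name(key):
    """MicroProfile Config rule: non-alphanumerics become '_', then upper-case."""
    return re.sub(r"[^A-Za-z0-9]", "_", key).upper()


def parse_properties(text):
    """Minimal key=value parser (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def tenant_status(props, env):
    """Return {tenant: enabled} after applying environment overrides."""
    # Assumption: the default tenant is enabled unless configured otherwise.
    merged = {DEFAULT_KEY: "true", **props}
    status = {}
    for key, value in merged.items():
        m = TENANT_KEY.match(key)
        if m:
            effective = env.get(env_name(key), value)
            status[m.group(1) or "default"] = effective.strip().lower() in TRUE_VALUES
    return status


def disabled_tenants(props, env):
    return sorted(t for t, on in tenant_status(props, env).items() if not on)
```

Call `disabled_tenants(parse_properties(open(path).read()), os.environ)` in a deployment check and fail the rollout when the result is non-empty for an environment that must be authenticated.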