easy quarkus oidc bypass by removing header

[charma]

I have a quarkus app with quarkus.oidc installed/enabled. Also setup an keycloak and everything is working perfectly fine so far.
I am adding the "Authorization"-header (Bearer XXXXX...) to my requests and they get validated against my oidc-server(keycloak).

in my application.properties I have added:
quarkus.oidc.auth-server-url=http://mykeycloakaddress
quarkus.oidc.authentication.verify-access-token=true

Unfortunatly the whole oidc-access-token verification can easily get bypassed by simply removing the "Authorization"-header from the requests.
I would like to simply have ALL incoming requests to my app validated.

What is the proper way to solve this?

[quarkus-bot[bot]]

/cc @pedroigor, @sberyozkin

[charma]

Found the solution by myself. I had to add following to my application properties:

quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated

[sberyozkin]

@charma quarkus.oidc.authentication.verify-access-token=true is not really needed for the bearer authentication, it may be optionally set when the code flow is used where ID token is verified only by default since the access token is not usually used in the endpoint in that case.

Right, if the endpoint is public then the token will be still verified due to the proactive authentication which can be disabled but to protect the endpoint one needs to have it requiring the authentication at least, with the path based config as you did or with @Authenticated