Disabling gRPC Authentication using a configuration property

[jonsnowseven]

Hello.

I have the a GrpcService (without a separate server) with authenticated methods using the @Authenticated annotation.

I was wondering if there is a way to bypass this authentication using a configuration property. Does Quarkus support that out-of-the-box?

Thank you in advance.

[quarkus-bot[bot]]

/cc @alesj (grpc), @cescoffier (grpc), @radcortez (config)

[sberyozkin]

@jonsnowseven Since it works over HTTP, you can probably use HTTP security policy instead of @Authenticated and use %prod. to have the policy enabled in prod only.

[michalvavrik]

Which paths should I specify in quarkus.http.auth.permission."permissions".paths for a gRPC service?

That depends on your gRPC service right? It's still HTTP request so you can add route handler and log normalized path from RoutingContext, or maybe you can read gRPC specs that should determine it.

If I provide an empty bearer token, I still get an UNAUTHENTICATED response when I disable the authentication (using policy=permit). Is this expected?

I don't know what unauthenticated mean, to my knowledge it is not something that exists. However if you mean that authorization fails, see Sergey's suggestion, you can just use permit policy. If there is no security annotation, you will be allowed to access.

@jonsnowseven This is due to the proactive authentication... As far as I recall, for JAX-RS, it is possible to delay HTTP policy evaluation until the JAX-RS method is found, but I'm not sure it is possible to do for gRPC, Michal, @michalvavrik, please comment when you get a chance

I don't think that is necessary. You need proactive authentication to happen before gRPC starts, but if you don't provide credentials, your identity will be anonymous. Then you said it yourself, just use permit policy or don't create any policy for environment which you don't want to have secured (which by the way is IMHO bad idea).

[michalvavrik]

I was wondering if there is a way to bypass this authentication using a configuration property. Does Quarkus support that out-of-the-box?

I have already answered that before: #44414 (comment)

[michalvavrik]

@sberyozkin I wonder if the whole problem here is not that If I provide an empty bearer token, doesn't it mean that authentication is going to fail because credentials are wrong? If so, when you don't need to authenticate, you can set quarkus.http.auth.proactive=false. However, I think the simplest thing would be to not send invalid credentials if you don't want to authenticate.

[sberyozkin]

However, I think the simplest thing would be to not send invalid credentials if you don't want to authenticate.

Definitely, I guess sometimes users expect it to work differently on different paths...

[jonsnowseven]

@sberyozkin I wonder if the whole problem here is not that If I provide an empty bearer token, doesn't it mean that authentication is going to fail because credentials are wrong? If so, when you don't need to authenticate, you can set quarkus.http.auth.proactive=false. However, I think the simplest thing would be to not send invalid credentials if you don't want to authenticate.

Thank you for the answer!