Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fine-grained rules for authentication and authorization #113

Open
dblevins opened this issue Oct 11, 2018 · 3 comments
Open

Fine-grained rules for authentication and authorization #113

dblevins opened this issue Oct 11, 2018 · 3 comments

Comments

@dblevins
Copy link
Contributor

Current rules of MicroProfile-JWT is that when MP-JWT is enabled, all of the application requires a JWT for requests to be successful. It should be possible to allow specific parts (endpoints or paths) of the application to not require a JWT.

While use of javax.annotation.security.PermitAll seems the most obvious, consider this usecase:

@Path
@RolesAllowed("artist")
public ColorsEndpoint {
   
    SecurityContext context;

    @GET
    @Path("red")
    public String red() {
        return context.getCallerPrincipal().getName() + " likes red";
    }

    @GET
    @Path("green")
    @PermitAll
    public Response green() {
        return context.getCallerPrincipal().getName() + " likes green";
    }

    @GET
    @Path("blue")
    public Response blue() {
        return context.getCallerPrincipal().getName() + " likes blue";
    }
}

In the above fictitious scenario, the user clearly intends that red and blue can be invoked by a user with the artist role and green can be invoked by a user regardless of role. In all cases, the code clearly expects there to be an authenticated user.

When we discuss this feature we need to enable users to define:

  • No Authentication: What requires no authentication at all and therefore can be invoked without a JWT
  • No Authorization: What requires authentication (a JWT), but does not require a specific role

The second case is for overriding class-level uses of @RolesAllowed and is the original intent of @permitAll. Whether or not this requires a user to be logged in -- the first case -- is not addressed or covered.

If @RolesAllowed, @permitAll and @Denyall are determined to be strictly for authorization, then new annotations need to be created to denote if authentication is required.
@radcortez
Copy link
Contributor

I think this is related with #124 which could use spec clarification.

Apparently some implementations only authenticate / validate if you have a RolesAllowed annotation.

@radcortez
Copy link
Contributor

#70

@sberyozkin
Copy link
Contributor

@dblevins Hi David, I've suggested to clarify that for the purpose of this spec @PermitAll allows for the authentication-only flow. I'll create a PR and CC to you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dblevins @sberyozkin @radcortez