WebSockets Next: allow to select authentication mechanism and OIDC tenant used for opening WebSocket handshake with annotation

[michalvavrik]

• closes: Quarkus WebSockets Next does not respect @HttpAuthenticationMechanism #46013

[github-actions]

🙈 The PR is closed and the preview is expired.

[michalvavrik]

FYI @mkouba @sberyozkin - I have idea how to allow selecting mechanism or tenant with annotation even though proactive authentication is enabled, but this PR is big enough and it is not a priority. I'll open issue to improve it if this gets in. (also I didn't try the idea with sub-endpoints so no idea if I am not wrong)

[mkouba]

FYI @mkouba @sberyozkin - I have idea how to allow selecting mechanism or tenant with annotation even though proactive authentication is enabled, but this PR is big enough and it is not a priority. I'll open issue to improve it if this gets in. (also I didn't try the idea with sub-endpoints so no idea if I am not wrong)

Does it mean that this only works if quarkus.http.auth.proactive=false?

[michalvavrik]

FYI @mkouba @sberyozkin - I have idea how to allow selecting mechanism or tenant with annotation even though proactive authentication is enabled, but this PR is big enough and it is not a priority. I'll open issue to improve it if this gets in. (also I didn't try the idea with sub-endpoints so no idea if I am not wrong)

Does it mean that this only works if quarkus.http.auth.proactive=false?

Yep, that is how annotation-based authentication features usually works because they need to match request to the endpoint (AKA annotation) and you can't do it based on path for Jakarta REST resources and proactive authentication cannot be postponed. But I think we probably can do it for WS Next, right? Anyway, there is validation in place that fails build if you don't have quarkus.http.auth.proactive=false set and such annotation is registered if that is your concern.

[michalvavrik]

@mkouba also I am not sure if you are aware, but any endpoint annotated with these annotations https://quarkus.io/guides/security-authentication-mechanisms#use-annotations-to-enable-path-based-authentication-for-jakarta-rest-endpoints is also authenticated. This is not a security issue, I think it will give WS Next advantage once I implement this for enabled proactive authentication.

[michalvavrik]

I just resolved merge conflicts and rebased in case you want to review @sberyozkin :-)

[quarkus-bot]

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 1c74253.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 1c74253.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

---

Flaky tests - Develocity

⚙️ JVM Tests - JDK 17 Windows

📦 extensions/hibernate-orm/deployment

✖ io.quarkus.hibernate.orm.applicationfieldaccess.PublicFieldAccessInheritanceTest.testFieldAccess - History

• Expecting actual not to be null - java.lang.AssertionError

java.lang.AssertionError: 

Expecting actual not to be null
	at io.quarkus.hibernate.orm.applicationfieldaccess.PublicFieldAccessInheritanceTest$FieldAccessEnhancedDelegate$1.assertValue(PublicFieldAccessInheritanceTest.java:141)
	at io.quarkus.hibernate.orm.applicationfieldaccess.PublicFieldAccessInheritanceTest.doTestFieldAccess(PublicFieldAccessInheritanceTest.java:100)
	at io.quarkus.hibernate.orm.applicationfieldaccess.PublicFieldAccessInheritanceTest.testFieldAccess(PublicFieldAccessInheritanceTest.java:61)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)
	at io.quarkus.test.QuarkusUnitTest.runExtensionMethod(QuarkusUnitTest.java:513)

📦 extensions/micrometer-opentelemetry/deployment

✖ io.quarkus.micrometer.opentelemetry.deployment.compatibility.MicrometerTimedInterceptorTest.testTimeMethod_UniFailed - History

• Stream has no elements - java.lang.IllegalArgumentException

java.lang.IllegalArgumentException: Stream has no elements
	at io.quarkus.micrometer.opentelemetry.deployment.common.MetricDataFilter.lastReadingDataPoint(MetricDataFilter.java:236)
	at io.quarkus.micrometer.opentelemetry.deployment.compatibility.MicrometerTimedInterceptorTest.testTimeMethod_UniFailed(MicrometerTimedInterceptorTest.java:202)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)
	at io.quarkus.test.QuarkusUnitTest.runExtensionMethod(QuarkusUnitTest.java:513)
	at io.quarkus.test.QuarkusUnitTest.interceptTestMethod(QuarkusUnitTest.java:427)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)

---

⚙️ JVM Integration Tests - JDK 17 Windows

📦 integration-tests/grpc-hibernate

✖ com.example.grpc.hibernate.VertxBlockingRawTest.shouldAdd - History

• Condition with Lambda expression in com.example.grpc.hibernate.BlockingRawTestBase was not fulfilled within 30 seconds. - org.awaitility.core.ConditionTimeoutException

org.awaitility.core.ConditionTimeoutException: Condition with Lambda expression in com.example.grpc.hibernate.BlockingRawTestBase was not fulfilled within 30 seconds.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:26)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1006)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:975)
	at com.example.grpc.hibernate.BlockingRawTestBase.shouldAdd(BlockingRawTestBase.java:59)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)