Swagger UI does not send Authorization header when using @AuthorizationPolicy on REST resource class instead of @Authenticated

[omasseau]

Describe the bug

I've annotated my REST resource classes with @AuthorizationPolicy.

Example:

@Path(/my-resource)
@AuthorizationPolicy(name = DefaultHttpSecurityPolicy.NAME)
public class MyResource {
    ...
}

I've also enabled Basic Authentication (but I have the same problem with OIDC token authentication) :
quarkus.http.auth.basic=true

The problem is that once authenticated, the Swagger UI does not send the 'Authorization' header on requests.

It seems indeed the OpenAPI security attribute is only added on methods if I annotate my resource classes with @Authenticated.

But Quarkus does not allow to use both the @Authenticated and the @AuthorizationPolicy annotations :

Class 'MyResource' is annotated with 'io.quarkus.vertx.http.security.AuthorizationPolicy' and 'io.quarkus.security.Authenticated' security annotations,
however security annotations cannot be combined.

So it is just impossible to have a working SwaggerUI when using @AuthorizationPolicy annotation

Expected behavior

Using @AuthorizationPolicy on a resource class, should automatically mark its methods as secured in OpenAPI schema so that authentication through SwaggerUI can work.

Actual behavior

Using @AuthorizationPolicy on a resource class, does not automatically mark its methods as secured in OpenAPI schema

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

3.27.1

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

[quarkus-bot]

/cc @MikeEdgar (swagger-ui), @phillip-kruger (swagger-ui)

[sberyozkin]

SwaggerUI should probably be updated to send the header if also @RolesAllowed or @PermissionsAllowed is present.

But Quarkus does not allow to use both the @authenticated and the @AuthorizationPolicy annotations 👍

Michal, @michalvavrik, do we need to keep this restriction in place ? All authorization permissions imply the authentication in any case...

[michalvavrik]

Michal, @michalvavrik, do we need to keep this restriction in place ?

I put that validation in place because it was easier and in line with how other security annotations work - they cannot be used together.

However, with little work we can make them work together, because in fact, authorization policies always run first, then security checks. So these annotations are independent. That is for a separate feature enhancement request though.

All authorization permissions imply the authentication in any case...

The permit policy and some custom policies may not imply that.

[michalvavrik]

BTW let me have a look what can be done about this issue. I don't know Swagger UI internals, but I presume they must use some security annotation detection in build steps. In which case using the SecurityTransformer I introduced lately should do the trick.

If it is not clear to me or it gets more complicated, I'll leave it to @MikeEdgar .

[michalvavrik]

I've tried it and I think I understand the principle. Once we fixed generated OpenAPI definition, this should work OOTB.