Endpoints with different authentication schemes

[sNiXx]

Is there any way to expose endpoints with different authentication schemes with Quarkus? For instance,

• /endpoint1: HTTP Basic authentication
• /endpoint2: server authentication (TLS)
• /endpoint3: client and server authentication (mTLS)

I would really appreciate any pointers on how this could be possible.

Thanks a lot 😃

[sberyozkin]

@sNiXx As far as endpoint 2 is concerned, there is no client authentication, so I'd touch on endpoint 1 and 3, see https://quarkus.io/guides/security-authentication-mechanisms#use-http-security-policy-to-enable-path-based-authentication.

For the mtls, the the mechanism name is mtls I believe.

If endpoints 2 is public then just make the policy permitted, that should do

[sNiXx]

@sberyozkin Thank you for the pointer, and you are right about endpoint 2 of course.

Another follow-up question: Is there any way to offer multiple authentication schemes for the same endpoint? So that, for instance, endpoint1 would accept HTTP Basic authentication as well as mTLS?

[sberyozkin]

@sNiXx For the MTLS and basic authentication it will just work out of the box because MTLS is done at the transport level, but in general, the inclusive authentication will support any combination where all the registered mechanisms must authenticate the request, see https://quarkus.io/guides/security-authentication-mechanisms#combining-authentication-mechanisms

[sNiXx]

Good to know! I guess I will have to tinker a little bit to find out how I could make use of inclusive authentication.

Thanks a lot, @sberyozkin!

[sberyozkin]

Np, thanks @sNiXx, give it a try please