
Technology stack:

  • Payara Micro 5.2021.1
  • Jakarta 8
  • MicroProfile 4.1

I'm trying to create a simple microservice with authentication in place. I created a simple Angular application that only uses the Google API service with the implicit flow to generate a JWT token.

MicroProfile has a library that can be used for authentication and authorization. I tried to use it (microprofile-jwt-auth-api) and I would like to achieve authentication without any kind of authorization.

For that I'm using the annotation @LoginConfig(authMethod = "MP-JWT") in the class that extends the Application class, combined with mp.jwt configurations in microprofile.properties.

Not sure if I'm doing anything wrong, but my expectation was that any call to any resource without the Authorization header should return an unauthorized error.

The authentication seems to not work without the @AllowedRoles. If I add the @AllowedRoles in my controllers, the authentication starts to work. After googling, I got the idea that the @LoginConfig(authMethod = "MP-JWT") only works combined with the @AllowedRoles, which seems to be strange to me...

Also, it seems that it is possible to disable the allowed roles mechanism (https://docs.payara.fish/community/docs/5.2020.3/documentation/microprofile/jwt.html#_switching_off_rolesallowed_support_in_jax_rs) but it didn't work.

Do you have any idea? The workaround would be to create a filter and explicitly call the google API to validate and introspect the token, but I want to avoid this scenario (if possible).

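The post mentions a filter as the fallback. The following is an added example (not code from the post or from Payara) of the cheaper variant of that workaround: a JAX-RS filter that does not call Google at all but simply refuses any request for which the MP-JWT mechanism did not establish a `JsonWebToken` principal. It assumes Payara's MP-JWT mechanism still validates a Bearer token (signature, issuer) against the `mp.jwt.*` settings whenever the Authorization header is present, even on resources without `@RolesAllowed` (the post's "@AllowedRoles"); the filter class name, priority and realm string are the author's own choices.

```java
import java.io.IOException;
import java.security.Principal;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.eclipse.microprofile.jwt.JsonWebToken;

/**
 * Rejects every request that did not arrive with a validated MP-JWT principal.
 * Assumption (hypothetical, not verified against the post's setup): the Payara
 * MP-JWT mechanism runs before JAX-RS filters and, when the Authorization
 * header carries a valid token, exposes the caller as a JsonWebToken on the
 * SecurityContext. Without @PreMatching the SecurityContext is already set here.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class RequireJwtFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        Principal principal = ctx.getSecurityContext().getUserPrincipal();

        if (!(principal instanceof JsonWebToken)) {
            // Either no token was sent or the mechanism rejected it: answer 401
            // with a Bearer challenge so clients know which scheme is expected.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer realm=\"api\"")
                    .build());
            return;
        }

        JsonWebToken jwt = (JsonWebToken) principal;
        // Belt-and-braces check: exp is seconds since the epoch; a token past
        // its expiry must not be accepted even if the mechanism let it through.
        long nowSeconds = System.currentTimeMillis() / 1000;
        if (jwt.getExpirationTime() < nowSeconds) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer error=\"invalid_token\"")
                    .build());
        }
    }
}
```

Because the filter is a global `@Provider`, it also blocks any endpoint meant to be public (health checks, OpenAPI); if such endpoints exist, bind the filter with a `@NameBinding` annotation and apply it only to the resources that need it. The cryptographic verification itself still happens in the MP-JWT mechanism, so the filter never needs to contact Google; it only converts "no authenticated principal" into a 401.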

0 Answers