CompositeAuthenticationProvider does not apply always authentication resulting to HTTP 401 responses

[siavelis]

Hello!

There is an issue in the authentication logic, as it is not always applied.

How to reproduce:

• generate a client with operations that need any kind of authentication
• configure the generated Quarkus client with a url prefix, example below:

quarkus.rest-client.external_api_json.url=https://external.api.com/base-url
# enable request/response body logging for debugging
quarkus.rest-client.logging.scope=request-response
quarkus.rest-client.logging.body-limit=1024
quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG

• call an operation that needs authentication

Result:

• authentication is not applied
• HTTP 401 is received

Possible workaround/fixes:

• CompositeAuthenticationProvider:canFilter uses the url path from the Openapi specification to decide whether to apply authentication or not. Hence the suggestion would be to include a case when the rest client has a prefix in the base url path
• Remove the prefix in the base url (not possible in my case)
• Note that using quarkus.openapi-generator.codegen.default-security-scheme will not rectify the issue

Versions used:

• quarkus-openapi-generator: 2.6.0
• Quarkus: 3.16.1
• Java: 17
• Maven: 3.9.3

[ricardozanini]

@siavelis, we recently changed the way we generate the authentication code. Was it working before version 2.5.0?

[siavelis]

@ricardozanini thank you for the follow up! I have tried with versions: 2.4.7 and 2.4.2 but there is the same issue

[ricardozanini]

I'll take a look once I have the time. If you can, please, send a PR to fix it.

[dzwicker]

I am encountering a 401 Error when using Basic Auth and trying to set the password via the property:

quarkus.openapi-generator.[filename].auth.[security_scheme_name].password

Observations:
1. When this property is set in application.properties, its value is used, even if an environment variable is defined with the same name.
2. The Config Log describes this property as Build-time fixed.
3. If the property is not configured in application.properties:
3.1. The password is always empty, even if an environment variable with the same name is present.
3.2. The environment variable is shown in the Config Log as existing and being read, but it is not applied.

Steps to Reproduce

1.	Configure Basic Auth for an OpenAPI client in Quarkus.
2.	Set the password property via an environment variable (e.g., export QUARKUS_OPENAPI_GENERATOR_[FILENAME]_AUTH_[SECURITY_SCHEME_NAME]_PASSWORD=yourpassword).
3.	Do not include the password property in application.properties.
4.	Attempt to make a request with the generated client.

Expected Behavior

•	The password from the environment variable should be applied when the property is not defined in application.properties.

Actual Behavior

•	The password is empty, leading to a 401 Error.

Additional Information

•	Quarkus Version: 3.17.3
•	Relevant Configurations:

Example configuration

quarkus.openapi-generator.myclient.auth.basic.password= # (left empty in application.properties)

•	Logs indicate that the environment variable is detected but not applied.

Let me know if you’d like any modifications or additions to this issue text!

[ricardozanini]

@dzwicker please open another issue.