Disabling OAuth2 at runtime

[gwitsch]

Hello,

I have implemented a rest service that is secured by Client Credentials grant flow by using the quarkus-elytron-security-oauth2 package to replace an old service that used Basic Auth. However, some integrators still want to use Basic Auth only and don't want to provide the required OAuth config like introspection url, client id and client secret.
Enabling Basic Auth besides OAuth2 is straight forward and has already been tested successfully. But I could not find a solution to disable OAuth2 at runtime. The configuration quarkus.oauth2.enabled can be used to disable it, but that's a build time switch and not what I am looking for.

Is anyone aware of a solution to achieve this?
Any hints or recommandations are highly welcome.

I've already browsed the implementation and the biggest show stopper for my requirement is the startup validation and initialization of the OAuth module.

Best regards,
Gotthard

[sberyozkin]

@gwitsch Hi, for some extensions like OIDC we have a tenant-enabled property to do it at runtime, so I think something similar, may be quarkus.oauth2.active=false can be done to switch it off. @loicmathieu what do you think, would you have any cycles to add the property ? @gwitsch, if you can look into a PR it would be great too

thanks

[loicmathieu]

I'll need to check wether it's possible or not to move all logic from build time to run time. I didn't remember why it's a build time property.

The first step would be to open an issue so we don't loose track to this.