4.x: Security propagation is now disabled with not configured

microprofile/jwt-auth/src/main/java/io/helidon/microprofile/jwt/auth/JwtAuthProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -154,7 +154,7 @@ public class JwtAuthProvider implements AuthenticationProvider, OutboundSecurity
     private JwtAuthProvider(Builder builder) {
         this.optional = builder.optional;
         this.authenticate = builder.authenticate;
-        this.propagate = builder.propagate;
+        this.propagate = builder.propagate && builder.outboundConfig.targets().size() > 0;
         this.allowImpersonation = builder.allowImpersonation;
         this.subjectType = builder.subjectType;
         this.atnTokenHandler = builder.atnTokenHandler;
@@ -368,7 +368,8 @@ static JsonWebTokenImpl buildPrincipal(SignedJwt signedJwt) {
     public boolean isOutboundSupported(ProviderRequest providerRequest,
                                        SecurityEnvironment outboundEnv,
                                        EndpointConfig outboundConfig) {
-        return propagate;
+        // only propagate if we have an actual target configured
+        return propagate && this.outboundConfig.findTarget(outboundEnv).isPresent();
     }
 
     @Override
@@ -622,7 +623,7 @@ public static class Builder implements io.helidon.common.Builder<Builder, JwtAut
                 .tokenHeader("Authorization")
                 .tokenPrefix("bearer ")
                 .build();
-        private OutboundConfig outboundConfig;
+        private OutboundConfig outboundConfig = OutboundConfig.builder().build();
         private LazyValue<JwkKeys> verifyKeys;
         private LazyValue<JwkKeys> decryptionKeys;
         private LazyValue<Jwk> defaultJwk;

microprofile/jwt-auth/src/test/java/io/helidon/microprofile/jwt/auth/JwtAuthProviderTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -228,6 +228,53 @@ public void testEcBothWays() {
                 }, () -> fail("User must be present in response"));
     }
 
+    @Test
+    public void testOutboundNotSupportedWithoutConfiguration() {
+        String username = "user1";
+        String userId = "user1-id";
+        String email = "user1@example.org";
+        String familyName = "Novak";
+        String givenName = "Standa";
+        String fullName = "Standa Novak";
+        Locale locale = Locale.CANADA_FRENCH;
+
+        Principal principal = Principal.builder()
+                .name(username)
+                .id(userId)
+                .addAttribute("email", email)
+                .addAttribute("email_verified", true)
+                .addAttribute("family_name", familyName)
+                .addAttribute("given_name", givenName)
+                .addAttribute("full_name", fullName)
+                .addAttribute("locale", locale)
+                .addAttribute("roles", Set.of("role1", "role2"))
+                .build();
+
+        Subject subject = Subject.builder()
+                .principal(principal)
+                .addGrant(Role.create("group1"))
+                .addGrant(Role.create("group2"))
+                .addGrant(Role.create("group3"))
+                .build();
+
+        JwtAuthProvider provider = JwtAuthProvider.create(Config.create().get("jwt-no-outbound"));
+
+        SecurityContext context = Mockito.mock(SecurityContext.class);
+        when(context.user()).thenReturn(Optional.of(subject));
+
+        ProviderRequest request = mock(ProviderRequest.class);
+        when(request.securityContext()).thenReturn(context);
+        SecurityEnvironment outboundEnv = SecurityEnvironment.builder()
+                .path("/ec")
+                .transport("http")
+                .targetUri(URI.create("http://localhost:8080/ec"))
+                .build();
+
+        EndpointConfig outboundEp = EndpointConfig.create();
+
+        assertThat(provider.isOutboundSupported(request, outboundEnv, outboundEp), is(false));
+    }
+
     @Test
     public void testOctBothWays() {
         String userId = "user1-id";

microprofile/jwt-auth/src/test/resources/application.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2018, 2020 Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024 Oracle and/or its affiliates.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -70,4 +70,13 @@ security:
             - name: "asIs"
               paths:
                 - "/asis"
-    - abac:
+    - abac:
+
+
+jwt-no-outbound:
+  propagate: "true"
+  # Token extraction
+  atn-token:
+    # Expected audience (if not defined, any audience is accepted - security issue...)
+    jwt-audience: "audience.application.id"
+    default-key-id: "verify-rsa"