From 88b92b04d8fa9f285f58055d24a46ef64b0ba51b Mon Sep 17 00:00:00 2001
From: dahoud
Date: Sun, 21 Dec 2025 04:19:18 +0000
Subject: [PATCH] Fix: Correct OIDC authentication permissions to allow public access to landing page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes:
- Removed unrecognized property quarkus.oidc.authentication.redirect-path-after-login
- Changed authenticated.paths from /* to /pages/secure/* to allow public landing page
- Added applies-to=JAXRS,SERVLET to both public and authenticated permissions
- Documented importance of permission order (most specific first)

This fixes the 403 Forbidden error on https://unionflow.lions.dev root path.

Now:
- / and /index.xhtml are publicly accessible (landing page)
- /pages/secure/* requires authentication
- After login, restore-path-after-redirect will redirect to originally requested page

đŸ€– Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5
---
 src/main/resources/application-prod.properties | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/application-prod.properties b/src/main/resources/application-prod.properties
index 53adb10..175762b 100644
--- a/src/main/resources/application-prod.properties
+++ b/src/main/resources/application-prod.properties
@@ -110,7 +110,6 @@ quarkus.oidc.authentication.redirect-path=/auth/callback
 quarkus.oidc.authentication.force-redirect-https-scheme=true
 quarkus.oidc.authentication.restore-path-after-redirect=true
 # Default landing page after successful login
-quarkus.oidc.authentication.redirect-path-after-login=/pages/secure/dashboard.xhtml
 quarkus.oidc.authentication.scopes=openid,profile,email,roles
 quarkus.oidc.token.issuer=https://security.lions.dev/realms/unionflow
 quarkus.oidc.tls.verification=required
@@ -122,13 +121,16 @@ quarkus.oidc.verify-access-token=true
 # Activation de la sĂ©curitĂ©
 quarkus.security.auth.enabled=true
 
+# IMPORTANT: L'ordre des permissions compte - les plus spĂ©cifiques doivent ĂȘtre EN PREMIER
 # Chemins publics (non protĂ©gĂ©s par OIDC) - Production
 quarkus.http.auth.permission.public.paths=/,/index.xhtml,/pages/public/*,/auth/*,/q/*,/q/oidc/*,/favicon.ico,/resources/*,/META-INF/resources/*,/images/*,/jakarta.faces.resource/*,/javax.faces.resource/*
 quarkus.http.auth.permission.public.policy=permit
+quarkus.http.auth.permission.public.applies-to=JAXRS,SERVLET
 
 # Tous les autres chemins nĂ©cessitent une authentification
-quarkus.http.auth.permission.authenticated.paths=/*
+quarkus.http.auth.permission.authenticated.paths=/pages/secure/*
 quarkus.http.auth.permission.authenticated.policy=authenticated
+quarkus.http.auth.permission.authenticated.applies-to=JAXRS,SERVLET
 
 # Configuration Session - Production
 unionflow.session.timeout=${SESSION_TIMEOUT:1800}
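Review bot: Narrowing `quarkus.http.auth.permission.authenticated.paths` from `/*` to `/pages/secure/*` turns the policy from deny-by-default into allow-by-default — any path that is neither under `/pages/secure/*` nor in the `public` list (REST endpoints, any other `.xhtml` outside those two prefixes, future pages) is now served without authentication, which is a far broader exposure than the 403 this commit fixes. Quarkus resolves overlapping permissions by the most specific path match, not by declaration order, so keeping `quarkus.http.auth.permission.authenticated.paths=/*` next to the exact `/` and `/index.xhtml` entries in `public.paths` already lets the landing page through; the new `# IMPORTANT` comment about ordering is therefore misleading and should read something like `# Overlapping permissions: the most specific path wins, regardless of the order of these keys`. The root 403 probably has another cause (for instance the request path not matching `/` exactly after a JSF forward), which is worth confirming before weakening the catch-all rule. The two `applies-to=JAXRS,SERVLET` lines also look suspicious: as far as I know this property takes a single value, `ALL` or `JAXRS`, and `JAXRS` would defer the check to JAX-RS matching and skip servlet/JSF `.xhtml` paths entirely, so `applies-to=ALL` (or simply dropping both lines, since `ALL` is the default) is the safer choice.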