Describe the bug

I believe I have found a bug in how OpenTelemetry context handling is done in the io.quarkus:quarkus-security library: when it is on the classpath we have observed log messages from QuarkusContextStorage indicating the context in the storage is incorrect and randomly baggage items disappear. When it's removed from the classpath these problems disappear.

2025-08-11 11:53:59,704 INFO [io.qua.ope.run.QuarkusContextStorage] (executor-thread-47) Context in storage not the expected context, Scope.close was not called correctly. Details: OTel context before: ...

Expected behavior

No QuarkusContextStorage logs about scope closure and no missing baggage items.

Actual behavior

We see logs like this:

2025-08-11 11:53:59,704 INFO [io.qua.ope.run.QuarkusContextStorage] (executor-thread-47) Context in storage not the expected context, Scope.close was not called correctly. Details: OTel context before: ...

and baggage items that should be present are randomly missing.

How to Reproduce?

A reproducer project is attached.

To reproduce:

1. Run mvn quarkus:dev
2. Run ./load_test.sh which uses the hey tool to issue many HTTP requests in parallel.
3. Check the logs.

As mentioned above, if one removes the io.quarkus:quarkus-security dependency from the classpath this issue goes away and we see no log messages from QuarkusContextStorage or the error messages regarding the Baggage items disappearing.

The baggage items are managed very simply, as shown in this snippet from the Reproducer class which serves the HTTP endpoint.

   @WithSpan
   @GET
   @Produces(MediaType.TEXT_PLAIN)
   public String get() {
      try(Scope scope = Baggage.current().toBuilder().put("key", "value").build().makeCurrent()) {
         String value = Baggage.current().getEntryValue("key");
         if (!"value".equals(value)) {
            logger.error("Baggage is missing first value!");
         }
      }

      return "Hello, world!";
   }

We'd first discovered this when upgrading to Quarkus 3.15.1 and as shown in the reproducer it's still present in 3.25.2.

Our use of this dependency was leftover from some really old code, so we avoided this problem by cleaning up our dependency tree. I imagine others would run into this problem though, so I wanted to log the issue to help out the community.

quarkus-opentelemetry-reproducer.zip

Output of uname -a or ver

Darwin ... 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:52:00 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6031 arm64

Output of java -version

openjdk version "21.0.6" 2025-01-21 LTS OpenJDK Runtime Environment Corretto-21.0.6.7.1 (build 21.0.6+7-LTS) OpenJDK 64-Bit Server VM Corretto-21.0.6.7.1 (build 21.0.6+7-LTS, mixed mode, sharing)

Quarkus version or git rev

3.25.2

Build tool (ie. output of mvnw --version or gradlew --version)

Maven home: /opt/homebrew/Cellar/maven/3.9.9/libexec Java version: 21.0.6, vendor: Amazon.com Inc., runtime: /.../java/corretto-21.0.6.7.1 Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "15.5", arch: "aarch64", family: "mac"

Additional information

No response