Apicurio OIDC client adds trailing slash to OIDC endpoint which breaks if the SSO provider does not support that
I'm interested in knowing which SSO provider you are using, since I tested this with Keycloak, Azure Entra ID and Auth0 with no issues so far, so I would like to understand a bit more about the underlying problem and setup.
Thanks. The SSO provider is one of the popular commercial offerings for identity management. I have tested both the Apicurio and the SSO provider behaviour thoroughly. The OIDC RFC does not enforce anything about how the complete URL should look for the token endpoint; it simply refers to RFC 3986.
Simply, some SSO providers may return a 404 for the token endpoint if the request includes the trailing slash. This was also tested behind the load balancer, so it is not a rewrite or proxy error.
This is for the Apicurio API (Vert.x client); the UI is working perfectly fine with this SSO provider (which I think uses a standard JS library).
Description
Apicurio OIDC client adds trailing slash to OIDC endpoint which breaks if the SSO provider does not support that
I was testing the special OIDC Basic Authentication mechanism of Apicurio Registry.
When the REGISTRY_AUTH_TOKEN_ENDPOINT property is set to "http://sso-provider.local/token", Apicurio calls "http://sso-provider.local/token/" instead, which breaks it for me because my SSO provider simply responds with a 404 to that URL.
This function is making the call
https://github.com/Apicurio/apicurio-common-rest-client/blob/main/rest-client-common/src/main/java/io/apicurio/rest/client/auth/request/TokenRequestsProvider.java#L15
Registry Version: 2.5.11.Final
Persistence type: kafkasql
Environment
OpenShift 4
Apicurio Operator 1.1.2
Steps to Reproduce
Expected vs Actual Behaviour
Expected to POST data to a proper endpoint.
Instead, the Apicurio REST client adds a trailing slash to this endpoint, resulting in a 404 error.
Logs
WARN <> [io.apicurio.common.apps.auth.authn.AppAuthenticationMechanism] (executor-thread-33) Exception trying to get an access token with client credentials with client id: apicruioclient: io.apicurio.rest.client.auth.exception.AuthException:
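A strict token endpoint stub for reproducing this locally, as an added example that is not part of the issue or of Apicurio's code: it answers only an exact `POST /token` and returns 404 for `/token/`, the behaviour the report describes for the SSO provider. The stub, its response bodies and the loopback address are constructed assumptions.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/token"  # path of the token endpoint configured in the report


def respond(method, target):
    """Strict routing: only an exact POST to TOKEN_PATH gets the (constructed) token."""
    path = target.split("?", 1)[0]
    if method == "POST" and path == TOKEN_PATH:
        return 200, {"access_token": "constructed-sample", "token_type": "Bearer"}
    return 404, {"error": "not_found", "request_target": target}


class StrictIdP(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain form body
        status, body = respond("POST", self.path)  # self.path is the raw request target
        data = json.dumps(body).encode()
        self.send_response(status)  # default logging prints the request line to stderr
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def probe(paths=("/token", "/token/")):
    """Start the stub on an ephemeral loopback port and POST to each path."""
    server = HTTPServer(("127.0.0.1", 0), StrictIdP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for p in paths:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request("POST", p, body="grant_type=client_credentials",
                         headers={"Content-Type": "application/x-www-form-urlencoded"})
            resp = conn.getresponse()
            resp.read()
            results[p] = resp.status
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print(probe())
```

To check a real client, serve `StrictIdP` on a fixed loopback port with `HTTPServer(...).serve_forever()` and point the token endpoint setting at it; the request lines logged to stderr show the exact path the client sent.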