Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Redundant trailing slash for AUTH_TOKEN_ENDPOINT #5339

Open
omersiar opened this issue Oct 14, 2024 · 4 comments
Open

Redundant trailing slash for AUTH_TOKEN_ENDPOINT #5339

omersiar opened this issue Oct 14, 2024 · 4 comments

Comments

@omersiar
Copy link

Description

Apicurio OIDC client adds trailing slash to OIDC endpoint which breaks if the SSO provider does not support that

I was testing the special OIDC Basic Authentication mechanism of Apicurio Registry.
When REGISTRY_AUTH_TOKEN_ENDPOINT property is set to "http://sso-provider.local/token" Apicurio calls ""http://sso-provider.local/token/" instead, which breaks it for me because my SSO provider simply responds with a 404 to that url.

This function is making the call
https://github.com/Apicurio/apicurio-common-rest-client/blob/main/rest-client-common/src/main/java/io/apicurio/rest/client/auth/request/TokenRequestsProvider.java#L15

Registry Version: 2.5.11.Final
Persistence type: kafkasql

Environment

OpenShift 4
Apicurio Operator 1.1.2

Steps to Reproduce

apiVersion: registry.apicur.io/v1
kind: ApicurioRegistry
metadata:
  name: registry
  namespace: default
spec:
  configuration:
    env:
      - name: REGISTRY_API_URL
        value: >-
          apiurl
      - name: CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_TOKEN_ENDPOINT
        value: 'https://mock-server-mws-kafka-uat.apps.openshit.local/token'
      - name: QUARKUS_OIDC_AUTH_SERVER_URL
        value: 'realmurl'
      - name: QUARKUS_OIDC_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: QUARKUS_OIDC_TOKEN_PATH
        value: >-
          https://tokenpath/token
      - name: APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED
        value: 'true'
      - name: REGISTRY_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED
        value: 'true'
      - name: REGISTRY_UI_AUTH_TYPE
        value: oidc
      - name: CORS_ALLOWED_ORIGINS
        value: >-
          corsoirgin
      - name: REGISTRY_OIDC_UI_REDIRECT_URL
        value: >-
          redirecturl
      - name: REGISTRY_OIDC_UI_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: ui-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_URL_CONFIGURED
        value: 'authrealmurl'
      - name: ROLE_BASED_AUTHZ_SOURCE
        value: token
      - name: REGISTRY_AUTH_OBAC_ENABLED
        value: 'true'
      - name: AUTH_ENABLED
        value: 'true'
      - name: ROLE_BASED_AUTHZ_ENABLED
        value: 'true'
      - name: KEYCLOAK_API_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            key: api_password
            name: apicurio-sso-client-secret
      - name: QUARKUS_TLS_TRUST_ALL
        value: 'true'
      - name: QUARKUS_TLS_HOSTNAME_VERIFICATION_ALGORITHM
        value: none
      - name: QUARKUS_OIDC_TLS_VERIFICATION
        value: none
      - name: KEYCLOAK_UI_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: ui-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED
        value: 'true'
      - name: KEYCLOAK_API_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_CLAIM
        value: sub
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_CLAIM_VALUE
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_TYPE
        value: claim
    kafkasql:
      bootstrapServers: 'bootstrap'
      security:
        tls:
          keystoreSecretName: user
          truststoreSecretName: secret
    persistence: kafkasql
  deployment:
    host: host
    managedResources:
      disableIngress: true
      disableNetworkPolicy: true

Expected vs Actual Behaviour

Expected to POST data to a proper endpoint.
Instead Apicurio rest client adds a trailing slash to this endpoint resulting a 404 error

Logs

WARN <> [io.apicurio.common.apps.auth.authn.AppAuthenticationMechanism] (executor-thread-33) Exception trying to get an access token with client credentials with client id: apicruioclient: io.apicurio.rest.client.auth.exception.AuthException:

@apicurio-bot
Copy link

apicurio-bot bot commented Oct 14, 2024

Thank you for reporting an issue!

Pinging @carlesarnal to respond or triage.

@carlesarnal
Copy link
Member

I'm interested in knowing which SSO provider are you using, since I tested this with Keycloak, Azure ENTRAID and Auth0 with no issues so far, so I would like to understand a bit more what's the underlying problem and setup.

@carlesarnal carlesarnal modified the milestones: 3.0.4, 2.6.x Nov 14, 2024
@omersiar
Copy link
Author

omersiar commented Nov 25, 2024

Thanks, SSO provider is one of the popular commercial offering for identity management . I have tested the both Apicurio and SSO provider behaviour throughly, OIDC RFC did not enforce or anything about how complete URL should look like for token endpoint it simply refer RFC 3986.

Simply some SSO provider may return 404 for token endpoint if request include the trailing slash, also tested behind load balancer so it is not a rewrite or proxy error.

This is for Apicurio API (vert.x client), UI is working perfectly fine with this SSO provider (which I think uses standard JS library)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Backlog
Development

No branches or pull requests

3 participants