Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

OAuth2 url .well-known not parsed correctly

See original GitHub issue

When trying to make Pulsar work with Keycloak (supporting multiple realms) I get this:

# bin/pulsar-admin --admin-url https://localhost:8080 --auth-plugin org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 --auth-params '{"privateKey":"file:///pulsar_test.json","issuerUrl": "https://*****/auth/realms/***/", "audience":"localhost"}' tenants list
#19:29:25.154 [main] ERROR org.apache.pulsar.client.impl.auth.oauth2.FlowBase - Unable to retrieve OAuth 2.0 server metadata
java.io.IOException: Cannot obtain authorization metadata from https://***/.well-known/openid-configuration
        at org.apache.pulsar.client.impl.auth.oauth2.protocol.DefaultMetadataResolver.resolve(DefaultMetadataResolver.java:78) ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.impl.auth.oauth2.FlowBase.initialize(FlowBase.java:50) ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.impl.auth.oauth2.ClientCredentialsFlow.initialize(ClientCredentialsFlow.java:66) ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2.start(AuthenticationOAuth2.java:96) ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.admin.PulsarAdmin.<init>(PulsarAdmin.java:159) ~[org.apache.pulsar-pulsar-client-admin-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.admin.internal.PulsarAdminBuilderImpl.build(PulsarAdminBuilderImpl.java:45) ~[org.apache.pulsar-pulsar-client-admin-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.admin.cli.PulsarAdminTool.lambda$main$2(PulsarAdminTool.java:273) ~[org.apache.pulsar-pulsar-client-tools-2.6.1.jar:2.6.1]
        at org.apache.pulsar.admin.cli.PulsarAdminTool.setupCommands(PulsarAdminTool.java:146) [org.apache.pulsar-pulsar-client-tools-2.6.1.jar:2.6.1]
        at org.apache.pulsar.admin.cli.PulsarAdminTool.run(PulsarAdminTool.java:226) [org.apache.pulsar-pulsar-client-tools-2.6.1.jar:2.6.1]
        at org.apache.pulsar.admin.cli.PulsarAdminTool.main(PulsarAdminTool.java:282) [org.apache.pulsar-pulsar-client-tools-2.6.1.jar:2.6.1]
Caused by: java.io.FileNotFoundException: https://zdb-users.azurewebsites.net/.well-known/openid-configuration
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1896) ~[?:1.8.0_252]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) ~[?:1.8.0_252]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268) ~[?:1.8.0_252]
        at org.apache.pulsar.client.impl.auth.oauth2.protocol.DefaultMetadataResolver.resolve(DefaultMetadataResolver.java:72) ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        ... 9 more
class org.apache.pulsar.client.api.PulsarClientException$AuthenticationException: Unable to retrieve OAuth 2.0 server metadata

So it appears that extra path after the base URL is ignored and stripped. It would be really useful to have it respect full path and work with Keycloak. As visible, /auth/realms/{RELAM_NAME} is ignored and it’s trying to access base URL by appending /.well-known/openid-configuration instead of appending it at the end of provided issuer

Issue Analytics

State:
Created 3 years ago
Comments:8 (4 by maintainers)

Top GitHub Comments

2reactions

EronWrightcommented, Sep 4, 2020

Regarding the openid configuration document location, @cuzyoucant is correct that the base path of the issuerUrl should be preserved, to better interoperate with Keycloak and others. The following expression would work robustly: URI.create(issuerUrl.toExternalForm() + "/.well-known/openid-configuration").normalize().toURL();

Regarding the CPP client issue, I believe the token endpoint should be obtained from the openid configuration document, specifically the token_endpoint value, as documented here: https://tools.ietf.org/html/rfc8414#section-2

The overarching idea is, from the configured issuerUrl we get the openid configuration document, and from that we get the token endpoint.

1reaction

cuzyoucantcommented, Sep 2, 2020

Hey.

We ran into the same problem as you described above. The better solution would be to have a config somewhere where we can set what gets appended to the issuerURL.

I implemented a small ghetto fix for myself and build pulsar from source until this gets officially implemented. If this is something you want to do, here is what you need to change:

To “fix” your problem you need to change the line 100 in the DefaultMetadataResolver.java from this: return new URL(issuerUrl, "/.well-known/openid-configuration"); to this: return new URL(issuerUrl.toString() + "/.well-known/openid-configuration");

Now the URL gets appended correctly and it works as expected.

To also get the client(producer/consumer) to work you need to change the following since they also do not work with keycloak URLs:

In the file /pulsar-client-cpp/lib/auth/AuthOauth2.cc in line 187 comment out the line. issuerUrl_.append("/oauth/token");
Now you need to specify the full token endpoint from keycloak as the issuer_url in your client. example: https://example.com/auth/realms/myrealm/protocol/openid-connect/token

The reason you need to do that is that after the first token expires, it tries to get a new one with the settings from the /.well-known configuration and it appends /oauth/token again to the tokenURL which obviously doesnt work.

I know its kind of a bad fix for now but i am to inexperienced to add a complete feature myself. We just want it to work for now and we will not be using it for production anytime soon. Just want to test features and infrastructure stuff and for that it works fine.

Hope it helps!

Top Results From Across the Web

[GitHub] [pulsar] cuzyoucant commented on issue #7952: OAuth2 url ...

toString() + "/.well-known/openid-configuration");` Now the URL gets appended correctly and it works as expected. To also get the client(producer/consumer) ...

Why authorization or endpoint endpoints not working?

I am trying to get the end points for my application via okta. I am able to hit the below ones and see...

Unable to obtain configuration from well-known/openid ...

When I consume API I am getting following exception and Web API returns 500 internal server error. Does your webapi have access to...

4.3 Troubleshooting

To confirm that the authentication service is running, you can check the following URL: https://<myserver>/web.oauth2/.well-known/openid-configuration.

How do you discover the OAuth2 server configuration?

Then, the OAuth2 working group generalised the OpenID Connect ... defines the following URL format based on IETF Defining Well-Known Uniform ...