Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

OAuth2 url .well-known not parsed correctly

See original GitHub issue

When trying to make Pulsar work with Keycloak (supporting multiple realms) I get this:

# bin/pulsar-admin --admin-url https://localhost:8080 --auth-plugin org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 --auth-params '{"privateKey":"file:///pulsar_test.json","issuerUrl": "https://*****/auth/realms/***/", "audience":"localhost"}' tenants list
#19:29:25.154 [main] ERROR org.apache.pulsar.client.impl.auth.oauth2.FlowBase - Unable to retrieve OAuth 2.0 server metadata Cannot obtain authorization metadata from https://***/.well-known/openid-configuration
        at org.apache.pulsar.client.impl.auth.oauth2.protocol.DefaultMetadataResolver.resolve( ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.impl.auth.oauth2.FlowBase.initialize( ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.impl.auth.oauth2.ClientCredentialsFlow.initialize( ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2.start( ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.client.admin.PulsarAdmin.<init>( ~[org.apache.pulsar-pulsar-client-admin-original-2.6.1.jar:2.6.1]
        at ~[org.apache.pulsar-pulsar-client-admin-original-2.6.1.jar:2.6.1]
        at org.apache.pulsar.admin.cli.PulsarAdminTool.lambda$main$2( ~[org.apache.pulsar-pulsar-client-tools-2.6.1.jar:2.6.1]
        at org.apache.pulsar.admin.cli.PulsarAdminTool.setupCommands( [org.apache.pulsar-pulsar-client-tools-2.6.1.jar:2.6.1]
        at [org.apache.pulsar-pulsar-client-tools-2.6.1.jar:2.6.1]
        at org.apache.pulsar.admin.cli.PulsarAdminTool.main( [org.apache.pulsar-pulsar-client-tools-2.6.1.jar:2.6.1]
Caused by:
        at ~[?:1.8.0_252]
        at ~[?:1.8.0_252]
        at ~[?:1.8.0_252]
        at org.apache.pulsar.client.impl.auth.oauth2.protocol.DefaultMetadataResolver.resolve( ~[org.apache.pulsar-pulsar-client-original-2.6.1.jar:2.6.1]
        ... 9 more
class org.apache.pulsar.client.api.PulsarClientException$AuthenticationException: Unable to retrieve OAuth 2.0 server metadata

So it appears that extra path after the base URL is ignored and stripped. It would be really useful to have it respect full path and work with Keycloak. As visible, /auth/realms/{RELAM_NAME} is ignored and it’s trying to access base URL by appending /.well-known/openid-configuration instead of appending it at the end of provided issuer

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:8 (4 by maintainers)

github_iconTop GitHub Comments

EronWrightcommented, Sep 4, 2020

Regarding the openid configuration document location, @cuzyoucant is correct that the base path of the issuerUrl should be preserved, to better interoperate with Keycloak and others. The following expression would work robustly: URI.create(issuerUrl.toExternalForm() + "/.well-known/openid-configuration").normalize().toURL();

Regarding the CPP client issue, I believe the token endpoint should be obtained from the openid configuration document, specifically the token_endpoint value, as documented here:

The overarching idea is, from the configured issuerUrl we get the openid configuration document, and from that we get the token endpoint.

cuzyoucantcommented, Sep 2, 2020


We ran into the same problem as you described above. The better solution would be to have a config somewhere where we can set what gets appended to the issuerURL.

I implemented a small ghetto fix for myself and build pulsar from source until this gets officially implemented. If this is something you want to do, here is what you need to change:

To “fix” your problem you need to change the line 100 in the from this: return new URL(issuerUrl, "/.well-known/openid-configuration"); to this: return new URL(issuerUrl.toString() + "/.well-known/openid-configuration");

Now the URL gets appended correctly and it works as expected.

To also get the client(producer/consumer) to work you need to change the following since they also do not work with keycloak URLs:

  1. In the file /pulsar-client-cpp/lib/auth/ in line 187 comment out the line. issuerUrl_.append("/oauth/token");

  2. Now you need to specify the full token endpoint from keycloak as the issuer_url in your client. example:

The reason you need to do that is that after the first token expires, it tries to get a new one with the settings from the /.well-known configuration and it appends /oauth/token again to the tokenURL which obviously doesnt work.

I know its kind of a bad fix for now but i am to inexperienced to add a complete feature myself. We just want it to work for now and we will not be using it for production anytime soon. Just want to test features and infrastructure stuff and for that it works fine.

Hope it helps!

Read more comments on GitHub >

github_iconTop Results From Across the Web

[GitHub] [pulsar] cuzyoucant commented on issue #7952: OAuth2 url ...
toString() + "/.well-known/openid-configuration");` Now the URL gets appended correctly and it works as expected. To also get the client(producer/consumer) ...
Read more >
Why authorization or endpoint endpoints not working?
I am trying to get the end points for my application via okta. I am able to hit the below ones and see...
Read more >
Unable to obtain configuration from well-known/openid ...
When I consume API I am getting following exception and Web API returns 500 internal server error. Does your webapi have access to...
Read more >
4.3 Troubleshooting
To confirm that the authentication service is running, you can check the following URL: https://<myserver>/web.oauth2/.well-known/openid-configuration.
Read more >
How do you discover the OAuth2 server configuration?
Then, the OAuth2 working group generalised the OpenID Connect ... defines the following URL format based on IETF Defining Well-Known Uniform ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found