Apicurio / apicurio-registry

An API/Schema registry - stores APIs and Schemas.
https://www.apicur.io/registry/
Apache License 2.0

Azure EntraID login not working #4782

Open ccontino84 opened 3 weeks ago

ccontino84 commented 3 weeks ago

Description

Registry Version: 2.5.11
Persistence type: in-memory

Environment

I'm testing Apicurio in an AKS cluster where I have deployed Strimzi Kafka. Right now I'm just trying to secure Apicurio using EntraID, so that it's not completely open.

Steps to Reproduce

  1. Install Apicurio using the Apicurio operator as described here: https://github.com/Apicurio/apicurio-registry-operator/tree/main/dist-base
  2. Set up an App registration in Azure as described here: https://www.apicur.io/registry/docs/apicurio-registry/2.5.x/getting-started/assembly-configuring-registry-security.html#registry-security-azure_registry (see also https://www.apicur.io/blog/2023/07/13/registry-azure-ad)
  3. Deploy Apicurio with the following YAML config:
    kind: ApicurioRegistry
    metadata:
      name: apicurio-registry
    spec:
      configuration:
        persistence: "mem" # Optional (default value)
        logLevel: "DEBUG"
        registryLogLevel: "DEBUG"
        env:
          - name: "KEYCLOAK_API_CLIENT_ID"
            value: "***"
          - name: "REGISTRY_OIDC_UI_CLIENT_ID"
            value: "***"
          - name: "REGISTRY_AUTH_URL_CONFIGURED"
            value: "https://login.microsoftonline.com/***/v2.0"
          - name: "REGISTRY_AUTH_ENABLED"
            value: "true"
          # UI login flow; the value the UI recognises is "oidc" (not "oicd")
          - name: "REGISTRY_UI_AUTH_TYPE"
            value: "oidc"
          - name: "CORS_ALLOWED_ORIGINS"
            value: "https://my-hostname.com"
          - name: "REGISTRY_OIDC_UI_REDIRECT_URL"
            value: "https://my-hostname.com/ui/"
          - name: "ROLE_BASED_AUTHZ_ENABLED"
            value: "false"
          # - name: "QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH"
          #   value: "roles"
      deployment:
        host: >-
          my-hostname.com

I tried with roles enabled as well and configured them in the App registration as mentioned in the documentation above.

Expected vs Actual Behaviour

The expected behaviour is that I'm able to log in using EntraID in the UI, but it doesn't work and I get a page with the following details:

{
   "message": "Request failed with status code 401",
   "status": 401,
   "error": {
      "message": "User is not authenticated.",
      "error_code": 401,
      "detail": "UnauthorizedException: User is not authenticated.",
      "name": "UnauthorizedException"
   },
   "jaxrsResponse": null
}

Logs

2024-06-14 15:17:55 DEBUG <_> [io.apicurio.registry.ui.URLUtil] (executor-thread-3) Generating absolute URL: Using X-Forwarded-Host header value for the host.
2024-06-14 15:17:55 DEBUG <_> [io.apicurio.registry.ui.URLUtil] (executor-thread-3) Generating absolute URL: http://my-hostname.com/ui/config.js -> https://my-hostname.com/apis/registry
2024-06-14 15:17:55 DEBUG <_> [io.apicurio.common.apps.config.impl.DynamicConfigSource] (executor-thread-3) Could not get dynamic configuration value for registry.ui.features.readOnly in thread executor-thread-3. Storage returned null.
2024-06-14 15:17:55 DEBUG <_> [io.apicurio.common.apps.config.impl.DynamicConfigSource] (executor-thread-3) Could not get dynamic configuration value for registry.ui.features.readOnly in thread executor-thread-3. Storage returned null.
2024-06-14 15:17:55 DEBUG <_> [io.apicurio.common.apps.config.impl.DynamicConfigSource] (executor-thread-3) Could not get dynamic configuration value for registry.auth.owner-only-authorization in thread executor-thread-3. Storage returned null.
2024-06-14 15:17:55 DEBUG <_> [io.apicurio.common.apps.config.impl.DynamicConfigSource] (executor-thread-3) Could not get dynamic configuration value for registry.auth.owner-only-authorization in thread executor-thread-3. Storage returned null.
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.core.SynchronousDispatcher] (executor-thread-3) RESTEASY002315: PathInfo: /apis/registry/v2/search/artifacts
2024-06-14 15:17:55 DEBUG <> [io.apicurio.common.apps.config.impl.DynamicConfigSource] (executor-thread-3) Could not get dynamic configuration value for app.authn.basic-auth-client-credentials.enabled in thread executor-thread-3. Storage returned null.
2024-06-14 15:17:55 DEBUG <> [io.apicurio.common.apps.config.impl.DynamicConfigSource] (executor-thread-3) Could not get dynamic configuration value for app.authn.basic-auth-client-credentials.enabled in thread executor-thread-3. Storage returned null.
2024-06-14 15:17:55 DEBUG <_> [io.apicurio.common.apps.config.impl.DynamicConfigSource] (executor-thread-3) Could not get dynamic configuration value for registry.auth.anonymous-read-access.enabled in thread executor-thread-3. Storage returned null.
2024-06-14 15:17:55 DEBUG <_> [io.apicurio.common.apps.config.impl.DynamicConfigSource] (executor-thread-3) Could not get dynamic configuration value for registry.auth.anonymous-read-access.enabled in thread executor-thread-3. Storage returned null.
2024-06-14 15:17:55 WARN <_> [io.apicurio.registry.auth.AuthorizedInterceptor] (executor-thread-3) Authentication credentials missing and required for protected endpoint.
2024-06-14 15:17:55 INFO <_> [io.apicurio.common.apps.logging.audit.AuditLogService] (executor-thread-3) apicurio.audit action="request" result="failure" src_ip="x.x.x.x" x_forwarded_for="x.x.x.x" path="/apis/registry/v2/search/artifacts" response_code="401" method="GET" user="" 
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl] (executor-thread-3) MessageBodyWriter: org.jboss.resteasy.core.providerfactory.SortedKey
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl] (executor-thread-3) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.core.ServerResponseWriter] (executor-thread-3) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl] (executor-thread-3) MessageBodyWriter: org.jboss.resteasy.core.providerfactory.SortedKey
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext] (executor-thread-3) Interceptor Context: org.jboss.resteasy.core.interception.jaxrs.ServerWriterInterceptorContext,  Method : proceed
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl] (executor-thread-3) MessageBodyWriter: org.jboss.resteasy.core.providerfactory.SortedKey
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext] (executor-thread-3) MessageBodyWriter: org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider
2024-06-14 15:17:55 DEBUG <_> [org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider] (executor-thread-3) Provider : org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider,  Method : writeTo
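The audit line above (`response_code="401"`, `user=""`) shows the API rejecting a request that carried no token at all, i.e. the UI never completed an OIDC login before calling `/apis/registry/v2/search/artifacts`. The following script is an added example, not code from the issue or from Apicurio Registry: it lints the auth-related environment from the posted ApicurioRegistry resource (copied here with placeholder secrets) for the inconsistencies that produce exactly that symptom, and extracts unauthenticated 401s from `apicurio.audit` log lines. The set of accepted `REGISTRY_UI_AUTH_TYPE` values is an assumption taken from the 2.5.x documentation; check it against your version.

```python
"""Sanity-check the auth-related environment of an Apicurio Registry 2.x
deployment and pull unauthenticated failures out of its audit log.

Added example, not part of the issue or of Apicurio Registry; the accepted
values for REGISTRY_UI_AUTH_TYPE are an assumption drawn from the 2.5.x docs.
"""
import re
from urllib.parse import urlparse

# Assumption: values the 2.5.x UI accepts for REGISTRY_UI_AUTH_TYPE.
UI_AUTH_TYPES = {"none", "oidc", "keycloakjs"}

# Environment as posted in the issue (constructed copy; secrets replaced by placeholders).
ISSUE_ENV = {
    "KEYCLOAK_API_CLIENT_ID": "API_CLIENT_ID_PLACEHOLDER",
    "REGISTRY_OIDC_UI_CLIENT_ID": "UI_CLIENT_ID_PLACEHOLDER",
    "REGISTRY_AUTH_URL_CONFIGURED": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0",
    "REGISTRY_AUTH_ENABLED": "true",
    "REGISTRY_UI_AUTH_TYPE": "oicd",  # as typed in the issue
    "CORS_ALLOWED_ORIGINS": "https://my-hostname.com",
    "REGISTRY_OIDC_UI_REDIRECT_URL": "https://my-hostname.com/ui/",
    "ROLE_BASED_AUTHZ_ENABLED": "false",
}
FIXED_ENV = {**ISSUE_ENV, "REGISTRY_UI_AUTH_TYPE": "oidc"}

# Two lines from the issue's log (constructed sample for the parser below).
SAMPLE_LOG = [
    '2024-06-14 15:17:55 WARN <_> [io.apicurio.registry.auth.AuthorizedInterceptor] (executor-thread-3) Authentication credentials missing and required for protected endpoint.',
    '2024-06-14 15:17:55 INFO <_> [io.apicurio.common.apps.logging.audit.AuditLogService] (executor-thread-3) apicurio.audit action="request" result="failure" src_ip="x.x.x.x" x_forwarded_for="x.x.x.x" path="/apis/registry/v2/search/artifacts" response_code="401" method="GET" user=""',
]


def origin_of(url):
    """Return scheme://host[:port] of a URL, the part CORS compares."""
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}"


def lint_env(env):
    """Return a list of findings; an empty list means the UI login settings are consistent."""
    findings = []
    auth_enabled = env.get("REGISTRY_AUTH_ENABLED", "false").lower() == "true"
    ui_type = env.get("REGISTRY_UI_AUTH_TYPE", "none")

    if ui_type not in UI_AUTH_TYPES:
        findings.append(f"REGISTRY_UI_AUTH_TYPE={ui_type!r} is not one of {sorted(UI_AUTH_TYPES)}; "
                        "the UI will not start an OIDC login and calls the API without a token")
    elif auth_enabled and ui_type == "none":
        findings.append("REGISTRY_AUTH_ENABLED=true but REGISTRY_UI_AUTH_TYPE=none: every UI request will get 401")

    authority = env.get("REGISTRY_AUTH_URL_CONFIGURED", "")
    if auth_enabled and not authority:
        findings.append("REGISTRY_AUTH_URL_CONFIGURED is unset although auth is enabled")
    elif authority:
        u = urlparse(authority)
        if u.scheme != "https":
            findings.append("REGISTRY_AUTH_URL_CONFIGURED must be an https URL")
        if u.netloc == "login.microsoftonline.com" and not u.path.rstrip("/").endswith("/v2.0"):
            findings.append("Entra ID authority should be https://login.microsoftonline.com/<tenant>/v2.0")

    if auth_enabled and ui_type == "oidc" and not env.get("REGISTRY_OIDC_UI_CLIENT_ID"):
        findings.append("REGISTRY_OIDC_UI_CLIENT_ID is required when REGISTRY_UI_AUTH_TYPE=oidc")

    # The redirect target must be an origin the API will answer, otherwise the
    # browser blocks the post-login API calls and the UI looks "logged out".
    redirect = env.get("REGISTRY_OIDC_UI_REDIRECT_URL", "")
    cors = {o.strip() for o in env.get("CORS_ALLOWED_ORIGINS", "").split(",") if o.strip()}
    if redirect and cors and origin_of(redirect) not in cors:
        findings.append(f"redirect origin {origin_of(redirect)} is not in CORS_ALLOWED_ORIGINS {sorted(cors)}")
    return findings


AUDIT_RE = re.compile(r"apicurio\.audit (.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit(line):
    """Turn an apicurio.audit log line into a dict of its key="value" fields, or None."""
    m = AUDIT_RE.search(line)
    return dict(KV_RE.findall(m.group(1))) if m else None


def unauthenticated_failures(lines):
    """(method, path) of every audited request rejected with 401 and no user identity."""
    hits = []
    for line in lines:
        rec = parse_audit(line)
        if rec and rec.get("response_code") == "401" and not rec.get("user"):
            hits.append((rec.get("method"), rec.get("path")))
    return hits


if __name__ == "__main__":
    for name, env in (("issue", ISSUE_ENV), ("fixed", FIXED_ENV)):
        print(name, lint_env(env) or "OK")
    print(unauthenticated_failures(SAMPLE_LOG))
```

Run against the posted values the linter reports only the `REGISTRY_UI_AUTH_TYPE` value; with `oidc` it reports nothing, and the log scan returns the single unauthenticated `GET /apis/registry/v2/search/artifacts` that the audit entry records. Feeding the real `kubectl get apicurioregistry -o yaml` environment and the pod log into these two functions is a quick way to separate an identity-provider problem (token issued but rejected) from a UI configuration problem (no token ever sent).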
ccontino84 commented 1 week ago

Any updates on this one? Am I doing something wrong?