search

Apicurio / apicurio-registry

An API/Schema registry - stores APIs and Schemas.
https://www.apicur.io/registry/
Apache License 2.0
601 stars 266 forks source link

Redundant trailing slash for AUTH_TOKEN_ENDPOINT #5339

Open omersiar opened 1 week ago

omersiar commented 1 week ago

Description

Apicurio OIDC client adds trailing slash to OIDC endpoint which breaks if the SSO provider does not support that

I was testing the special OIDC Basic Authentication mechanism of Apicurio Registry. When REGISTRY_AUTH_TOKEN_ENDPOINT property is set to "http://sso-provider.local/token" Apicurio calls ""http://sso-provider.local/token/" instead, which breaks it for me because my SSO provider simply responds with a 404 to that url.

This function is making the call https://github.com/Apicurio/apicurio-common-rest-client/blob/main/rest-client-common/src/main/java/io/apicurio/rest/client/auth/request/TokenRequestsProvider.java#L15

Registry Version: 2.5.11.Final Persistence type: kafkasql

Environment

OpenShift 4 Apicurio Operator 1.1.2

Steps to Reproduce

apiVersion: registry.apicur.io/v1
kind: ApicurioRegistry
metadata:
  name: registry
  namespace: default
spec:
  configuration:
    env:
      - name: REGISTRY_API_URL
        value: >-
          apiurl
      - name: CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_TOKEN_ENDPOINT
        value: 'https://mock-server-mws-kafka-uat.apps.openshit.local/token'
      - name: QUARKUS_OIDC_AUTH_SERVER_URL
        value: 'realmurl'
      - name: QUARKUS_OIDC_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: QUARKUS_OIDC_TOKEN_PATH
        value: >-
          https://tokenpath/token
      - name: APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED
        value: 'true'
      - name: REGISTRY_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED
        value: 'true'
      - name: REGISTRY_UI_AUTH_TYPE
        value: oidc
      - name: CORS_ALLOWED_ORIGINS
        value: >-
          corsoirgin
      - name: REGISTRY_OIDC_UI_REDIRECT_URL
        value: >-
          redirecturl
      - name: REGISTRY_OIDC_UI_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: ui-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_URL_CONFIGURED
        value: 'authrealmurl'
      - name: ROLE_BASED_AUTHZ_SOURCE
        value: token
      - name: REGISTRY_AUTH_OBAC_ENABLED
        value: 'true'
      - name: AUTH_ENABLED
        value: 'true'
      - name: ROLE_BASED_AUTHZ_ENABLED
        value: 'true'
      - name: KEYCLOAK_API_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            key: api_password
            name: apicurio-sso-client-secret
      - name: QUARKUS_TLS_TRUST_ALL
        value: 'true'
      - name: QUARKUS_TLS_HOSTNAME_VERIFICATION_ALGORITHM
        value: none
      - name: QUARKUS_OIDC_TLS_VERIFICATION
        value: none
      - name: KEYCLOAK_UI_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: ui-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED
        value: 'true'
      - name: KEYCLOAK_API_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_CLAIM
        value: sub
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_CLAIM_VALUE
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_TYPE
        value: claim
    kafkasql:
      bootstrapServers: 'bootstrap'
      security:
        tls:
          keystoreSecretName: user
          truststoreSecretName: secret
    persistence: kafkasql
  deployment:
    host: host
    managedResources:
      disableIngress: true
      disableNetworkPolicy: true

Expected vs Actual Behaviour

Expected to POST data to a proper endpoint. Instead Apicurio rest client adds a trailing slash to this endpoint resulting a 404 error

Logs

WARN <> [io.apicurio.common.apps.auth.authn.AppAuthenticationMechanism] (executor-thread-33) Exception trying to get an access token with client credentials with client id: apicruioclient: io.apicurio.rest.client.auth.exception.AuthException:

apicurio-bot[bot] commented 1 week ago

Thank you for reporting an issue!

Pinging @carlesarnal to respond or triage.

omersiar commented 1 week ago

https://github.com/Apicurio/apicurio-common-rest-client/blob/main/rest-client-vertx/src/main/java/io/apicurio/rest/client/VertxHttpClient.java#L45

Vert.x webclient's APICURIO_CLIENT_AUTO_BASE_PATH also does not work as expected.

https://github.com/Apicurio/apicurio-common-rest-client/blob/main/rest-client-vertx/src/main/java/io/apicurio/rest/client/VertxHttpClient.java#L49