search

Apicurio / apicurio-registry

An API/Schema registry - stores APIs and Schemas.
https://www.apicur.io/registry/
Apache License 2.0
607 stars 269 forks source link

Redundant trailing slash for AUTH_TOKEN_ENDPOINT #5339

Open omersiar opened 1 month ago

omersiar commented 1 month ago

Description

Apicurio OIDC client adds trailing slash to OIDC endpoint which breaks if the SSO provider does not support that

I was testing the special OIDC Basic Authentication mechanism of Apicurio Registry. When REGISTRY_AUTH_TOKEN_ENDPOINT property is set to "http://sso-provider.local/token" Apicurio calls ""http://sso-provider.local/token/" instead, which breaks it for me because my SSO provider simply responds with a 404 to that url.

This function is making the call https://github.com/Apicurio/apicurio-common-rest-client/blob/main/rest-client-common/src/main/java/io/apicurio/rest/client/auth/request/TokenRequestsProvider.java#L15

Registry Version: 2.5.11.Final Persistence type: kafkasql

Environment

OpenShift 4 Apicurio Operator 1.1.2

Steps to Reproduce

apiVersion: registry.apicur.io/v1
kind: ApicurioRegistry
metadata:
  name: registry
  namespace: default
spec:
  configuration:
    env:
      - name: REGISTRY_API_URL
        value: >-
          apiurl
      - name: CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_TOKEN_ENDPOINT
        value: 'https://mock-server-mws-kafka-uat.apps.openshit.local/token'
      - name: QUARKUS_OIDC_AUTH_SERVER_URL
        value: 'realmurl'
      - name: QUARKUS_OIDC_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: QUARKUS_OIDC_TOKEN_PATH
        value: >-
          https://tokenpath/token
      - name: APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED
        value: 'true'
      - name: REGISTRY_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED
        value: 'true'
      - name: REGISTRY_UI_AUTH_TYPE
        value: oidc
      - name: CORS_ALLOWED_ORIGINS
        value: >-
          corsoirgin
      - name: REGISTRY_OIDC_UI_REDIRECT_URL
        value: >-
          redirecturl
      - name: REGISTRY_OIDC_UI_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: ui-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_URL_CONFIGURED
        value: 'authrealmurl'
      - name: ROLE_BASED_AUTHZ_SOURCE
        value: token
      - name: REGISTRY_AUTH_OBAC_ENABLED
        value: 'true'
      - name: AUTH_ENABLED
        value: 'true'
      - name: ROLE_BASED_AUTHZ_ENABLED
        value: 'true'
      - name: KEYCLOAK_API_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            key: api_password
            name: apicurio-sso-client-secret
      - name: QUARKUS_TLS_TRUST_ALL
        value: 'true'
      - name: QUARKUS_TLS_HOSTNAME_VERIFICATION_ALGORITHM
        value: none
      - name: QUARKUS_OIDC_TLS_VERIFICATION
        value: none
      - name: KEYCLOAK_UI_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: ui-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_AUTHENTICATED_READS_ENABLED
        value: 'true'
      - name: KEYCLOAK_API_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_ENABLED
        value: 'true'
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_CLAIM
        value: sub
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_CLAIM_VALUE
        valueFrom:
          secretKeyRef:
            key: api-username
            name: apicurio-sso-client-secret
      - name: REGISTRY_AUTH_ADMIN_OVERRIDE_TYPE
        value: claim
    kafkasql:
      bootstrapServers: 'bootstrap'
      security:
        tls:
          keystoreSecretName: user
          truststoreSecretName: secret
    persistence: kafkasql
  deployment:
    host: host
    managedResources:
      disableIngress: true
      disableNetworkPolicy: true

Expected vs Actual Behaviour

Expected to POST data to a proper endpoint. Instead Apicurio rest client adds a trailing slash to this endpoint resulting a 404 error

Logs

WARN <> [io.apicurio.common.apps.auth.authn.AppAuthenticationMechanism] (executor-thread-33) Exception trying to get an access token with client credentials with client id: apicruioclient: io.apicurio.rest.client.auth.exception.AuthException:

apicurio-bot[bot] commented 1 month ago

Thank you for reporting an issue!

Pinging @carlesarnal to respond or triage.

omersiar commented 1 month ago

https://github.com/Apicurio/apicurio-common-rest-client/blob/main/rest-client-vertx/src/main/java/io/apicurio/rest/client/VertxHttpClient.java#L45

Vert.x webclient's APICURIO_CLIENT_AUTO_BASE_PATH also does not work as expected.

https://github.com/Apicurio/apicurio-common-rest-client/blob/main/rest-client-vertx/src/main/java/io/apicurio/rest/client/VertxHttpClient.java#L49

carlesarnal commented 2 weeks ago

I'm interested in knowing which SSO provider are you using, since I tested this with Keycloak, Azure ENTRAID and Auth0 with no issues so far, so I would like to understand a bit more what's the underlying problem and setup.

omersiar commented 4 days ago

Thanks, SSO provider is one of the popular commercial offering for identity management . I have tested the both Apicurio and SSO provider behaviour throughly, OIDC RFC did not enforce or anything about how complete URL should look like for token endpoint it simply refer RFC 3986.

Simply some SSO provider may return 404 for token endpoint if request include the trailing slash, also tested behind load balancer so it is not a rewrite or proxy error.

This is for Apicurio API (vert.x client), UI is working perfectly fine with this SSO provider (which I think uses standard JS library)