apache / druid

Apache Druid: a high performance real-time analytics database.
https://druid.apache.org/
Apache License 2.0

Druid pac4j extension skipOnFailure doesn't work #16580

Open jakubmatyszewski opened 4 months ago

jakubmatyszewski commented 4 months ago

Affected Version

29.0.1

Description

I've set up a pac4j authenticator based on the druid-pac4j extension to authenticate with Okta. I have an issue where users that are present in my Okta instance, but are not assigned to the druid app (in Okta app settings), are redirected to the following screen: (screenshot attached)

As you will see in the configuration I'll paste below, I have druid.auth.authenticator.pac4j.skipOnFailure=true set, and I would expect this to effectively take such a user to the next authenticator in the chain, but this doesn't happen and the screen that the user is redirected to is a dead end.

Configuration in use

druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator", "pac4j", "anonymous"]

druid.auth.authorizers=["opaAuthorizer"]
druid.auth.authorizer.opaAuthorizer.type=opa
druid.auth.authorizer.opaAuthorizer.opaUri={{ .auth.okta.opaUri}}

# Basic authn
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=opaAuthorizer
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword={ "type": "environment", "variable": "ADMIN_PASSWORD" }
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword={ "type": "environment", "variable": "SYSTEM_PASSWORD" }
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=true

# Escalator authn
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword={ "type": "environment", "variable": "SYSTEM_PASSWORD" }
druid.escalator.authorizerName=opaAuthorizer

# Pac4j
druid.auth.authenticator.pac4j.authorizerName=opaAuthorizer
druid.auth.authenticator.pac4j.type=pac4j
druid.auth.authenticator.pac4j.skipOnFailure=true
druid.auth.pac4j.cookiePassphrase=testpassphrase
druid.auth.pac4j.oidc.clientID={{ .auth.okta.clientID }}
druid.auth.pac4j.oidc.clientSecret={ "type": "environment", "variable": "OIDC_SECRET" }
druid.auth.pac4j.oidc.discoveryURI={{ .auth.okta.discoveryURI }}
druid.auth.pac4j.oidc.scope={{ .auth.okta.oidcScope }}

# Anonymous authn
druid.auth.authenticator.anonymous.type=anonymous
druid.auth.authenticator.anonymous.identity=defaultUser
druid.auth.authenticator.anonymous.authorizerName=opaAuthorizer

druid.auth.allowUnauthenticatedHttpOptions=true
druid.server.http.allowedHttpMethods=["OPTIONS"]
druid.server.http.enableForwardedRequestCustomizer=true

Steps to reproduce the problem

  1. To reproduce you need the druid-pac4j extension.
    druid.extensions.loadList=["druid-pac4j", (...)]
  2. Create an app in Okta that will receive & authenticate traffic from druid
  3. Configure druid common config:
    • besides basic pac4j&okta configuration, use anonymous authenticator
      druid.auth.authenticatorChain=["pac4j", "anonymous"]
    • make sure that skipOnFailure option for pac4j is on:
      druid.auth.authenticator.pac4j.skipOnFailure=true
  4. Create 2 users in Okta
    • one that will be assigned to the druid app
    • the other one that won't be assigned there; but is a member of your company
  5. Try to enter the druid dashboard with both users (the other user will be redirected to a 401 screen instead of being authenticated by the anonymous authenticator)

Errors in logs

With default logging I saw only this line in the router logs:

2024-06-10T12:01:46,325 ERROR [qtp1032375822-100] org.pac4j.oidc.credentials.extractor.OidcExtractor - Bad authentication response, error=access_denied

jakubmatyszewski commented 4 months ago

After a while I noticed that skipOnFailure is not implemented in the pac4j extension. I guess that makes it a feature request and not a bug report.
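As an added illustration (not Druid's code, and a deliberate simplification of its chain), a toy model of the authenticator chain from the configuration above: each authenticator either returns an identity, passes when the request carries nothing for it to check, or fails; with skipOnFailure honoured a rejected Okta user falls through to the anonymous authenticator, and with the flag ignored the chain stops with a 401 at pac4j, which is the dead end reported. The request keys, user names and credentials are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

class AuthFailure(Exception):
    """The authenticator saw credentials and rejected them (e.g. access_denied)."""

@dataclass
class Authenticator:
    name: str
    # Returns an identity, or None if the request carries nothing for this
    # authenticator to check; raises AuthFailure on a rejected credential.
    check: Callable[[dict], Optional[str]]
    skip_on_failure: bool = False
    honors_skip: bool = True   # False models the reported pac4j behaviour

def run_chain(chain, request):
    """Returns ('ok', identity, authenticator) or ('401', None, authenticator)."""
    for auth in chain:
        try:
            identity = auth.check(request)
        except AuthFailure:
            if auth.skip_on_failure and auth.honors_skip:
                continue                      # fall through to the next authenticator
            return ("401", None, auth.name)   # hard stop: the dead-end screen
        if identity is not None:
            return ("ok", identity, auth.name)
    return ("401", None, None)

# Constructed stand-ins for the three authenticators in the issue's chain.
ASSIGNED_TO_DRUID_APP = {"alice"}             # constructed Okta app assignment

def basic_check(req):
    if "basic" not in req:                    # no Basic credentials: pass
        return None
    if req["basic"] == ("admin", "secret"):   # constructed credentials
        return "admin"
    raise AuthFailure()

def pac4j_check(req):
    if "okta_user" not in req:                # no OIDC session at all: pass
        return None
    if req["okta_user"] in ASSIGNED_TO_DRUID_APP:
        return req["okta_user"]
    raise AuthFailure()                       # Okta answered access_denied

def build_chain(pac4j_honors_skip):
    return [
        Authenticator("MyBasicMetadataAuthenticator", basic_check, skip_on_failure=True),
        Authenticator("pac4j", pac4j_check, skip_on_failure=True, honors_skip=pac4j_honors_skip),
        # Caveat: once fall-through works, every rejected Okta user lands here as
        # identity "defaultUser", so the authorizer must grant that identity little.
        Authenticator("anonymous", lambda req: "defaultUser"),
    ]
```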