datastax / pulsar-helm-chart

Apache Pulsar Helm chart
Apache License 2.0

Cannot obtain authorization metadata when using org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 #280

Closed devinbost closed 1 year ago

devinbost commented 1 year ago

Tests are passing for PR 278 except when I try to use pulsar-perf with the auth plugin org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 after enabling OpenID.

Reproduction steps are here:

https://github.com/datastax/pulsar-helm-chart/blob/799bccb505ea72de4e0994349036a157dddfa7f7/examples/kafka/demos/demo.sh

The line in question is this one:

bin/pulsar-perf produce -r 1000 --size 1024 --auth-plugin "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2" --auth-params '{"privateKey":"/pulsar/conf/creds.json","issuerUrl":"https://dev-42506116.okta.com/oauth2/aus3thh6rqs3FU45X697","scope":"pulsar_client_m2m","audience":"api://pulsarClient"}' --service-url pulsar://pulsar-proxy.pulsar.svc.cluster.local:6650/ persistent://public/default/test

The exception I'm getting is:

2023-02-14T01:39:33,221+0000 [pulsar-perf-producer-exec-1-1] ERROR org.apache.pulsar.client.impl.auth.oauth2.FlowBase - Unable to retrieve OAuth 2.0 server metadata
java.io.IOException: Cannot obtain authorization metadata from https://dev-42506116.okta.com/oauth2/aus3thh6rqs3FU45X697/.well-known/openid-configuration
    at org.apache.pulsar.client.impl.auth.oauth2.protocol.DefaultMetadataResolver.resolve(DefaultMetadataResolver.java:85) ~[com.datastax.oss-pulsar-client-original-2.10.3.1.jar:2.10.3.1]
    at org.apache.pulsar.client.impl.auth.oauth2.FlowBase.initialize(FlowBase.java:50) ~[com.datastax.oss-pulsar-client-original-2.10.3.1.jar:2.10.3.1]
    at org.apache.pulsar.client.impl.auth.oauth2.ClientCredentialsFlow.initialize(ClientCredentialsFlow.java:72) ~[com.datastax.oss-pulsar-client-original-2.10.3.1.jar:2.10.3.1]
    at org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2.start(AuthenticationOAuth2.java:96) ~[com.datastax.oss-pulsar-client-original-2.10.3.1.jar:2.10.3.1]
    at org.apache.pulsar.client.impl.PulsarClientImpl.<init>(PulsarClientImpl.java:192) ~[com.datastax.oss-pulsar-client-original-2.10.3.1.jar:2.10.3.1]
    at org.apache.pulsar.client.impl.PulsarClientImpl.<init>(PulsarClientImpl.java:150) ~[com.datastax.oss-pulsar-client-original-2.10.3.1.jar:2.10.3.1]
    at org.apache.pulsar.client.impl.ClientBuilderImpl.build(ClientBuilderImpl.java:67) ~[com.datastax.oss-pulsar-client-original-2.10.3.1.jar:2.10.3.1]
    at org.apache.pulsar.testclient.PerformanceProducer.runProducer(PerformanceProducer.java:498) ~[com.datastax.oss-pulsar-testclient-2.10.3.1.jar:2.10.3.1]
    at org.apache.pulsar.testclient.PerformanceProducer.lambda$main$1(PerformanceProducer.java:384) ~[com.datastax.oss-pulsar-testclient-2.10.3.1.jar:2.10.3.1]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[?:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty-netty-common-4.1.86.Final.jar:4.1.86.Final]
    at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: java.io.FileNotFoundException: https://dev-42506116.okta.com/oauth2/aus3thh6rqs3FU45X697/.well-known/openid-configuration
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1920) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520) ~[?:?]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250) ~[?:?]
    at org.apache.pulsar.client.impl.auth.oauth2.protocol.DefaultMetadataResolver.resolve(DefaultMetadataResolver.java:79) ~[com.datastax.oss-pulsar-client-original-2.10.3.1.jar:2.10.3.1]
    ... 14 more

devinbost commented 1 year ago

It looks like the metadata URI in Okta ends in .well-known/oauth-authorization-server, but the client is expecting .well-known/openid-configuration.

It appears that the DefaultMetadataResolver has hardcoded the path as /.well-known/openid-configuration:

https://github.com/apache/pulsar/blob/d11147616aa6cc7888420f6325bb71cd7f7ab065/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/oauth2/protocol/DefaultMetadataResolver.java#L107

devinbost commented 1 year ago

I created an issue in Pulsar upstream: https://github.com/apache/pulsar/issues/19518

michaeljmarshall commented 1 year ago

I think something might be wrong with the Okta URL. The /.well-known/openid-configuration endpoint is part of the spec. Ultimately, this is a potential issue with Apache Pulsar, and not with this chart, so I am going to close this issue since there is no action needed in this project.
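
The two well-known paths discussed in this thread, as an added example (not code from the issue, the chart, or Pulsar): a Python probe that tries each discovery URL for an issuer and accepts a document only if its `issuer` matches the configured one. The issuer, stub responses and function names are constructed for illustration, and `fetch` is an assumed caller-supplied callable returning `(status, body)`.

```python
import json
from urllib.parse import urlsplit, urlunsplit

OIDC = "/.well-known/openid-configuration"        # OpenID Connect Discovery
RFC8414 = "/.well-known/oauth-authorization-server"  # OAuth 2.0 AS metadata

def candidate_urls(issuer):
    """Metadata URLs worth probing for an issuer, in the order they are tried."""
    p = urlsplit(issuer)
    if p.scheme != "https" or not p.netloc:
        raise ValueError("issuer must be an absolute https URL")
    base = issuer.rstrip("/")
    urls = [base + OIDC, base + RFC8414]  # suffix appended to the issuer
    path = p.path.rstrip("/")
    if path:  # RFC 8414 section 3.1 form: well-known segment inserted before the path
        urls.append(urlunsplit((p.scheme, p.netloc, RFC8414 + path, "", "")))
    return urls

def resolve_metadata(issuer, fetch):
    """Return (url, metadata) for the first valid document, else raise LookupError."""
    tried = []
    for url in candidate_urls(issuer):
        status, body = fetch(url)
        if status != 200:
            tried.append(f"{url} -> HTTP {status}")
            continue
        try:
            meta = json.loads(body)
        except ValueError:
            meta = None
        # Both discovery specs require the document's issuer to equal the configured one.
        if not isinstance(meta, dict) or meta.get("issuer") != issuer:
            tried.append(f"{url} -> invalid JSON or issuer mismatch")
        elif "token_endpoint" not in meta:
            tried.append(f"{url} -> no token_endpoint")
        else:
            return url, meta
    raise LookupError("no usable metadata: " + "; ".join(tried))

# Constructed sample: a stub server that publishes only the RFC 8414 document.
ISSUER = "https://idp.example.test/oauth2/as1"
DOCS = {ISSUER + RFC8414: json.dumps({"issuer": ISSUER, "token_endpoint": ISSUER + "/v1/token"})}

def stub_fetch(url):
    return (200, DOCS[url]) if url in DOCS else (404, "")

if __name__ == "__main__":
    print(resolve_metadata(ISSUER, stub_fetch)[0])
```

For a live check, pass a `fetch` that wraps your HTTP client and returns the status code instead of raising on a 404; the `LookupError` message then lists every URL tried and why it was rejected.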