Closed devinbost closed 1 year ago
It looks like the metadata URI in Okta ends in .well-known/oauth-authorization-server, but the client is expecting .well-known/openid-configuration.
It appears that the DefaultMetadataResolver has hardcoded the path as /.well-known/openid-configuration: https://github.com/apache/pulsar/blob/d11147616aa6cc7888420f6325bb71cd7f7ab065/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth/oauth2/protocol/DefaultMetadataResolver.java#L107
I created an issue in Pulsar upstream: https://github.com/apache/pulsar/issues/19518
I think something might be wrong with the Okta URL. The /.well-known/openid-configuration endpoint is part of the spec. Ultimately, this is a potential issue with Apache Pulsar, and not with this chart, so I am going to close this issue since there is no action needed in this project.
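The discovery-path mismatch discussed in the comments above, shown as an added example that is not part of this thread or of Pulsar's code: it builds the well-known URLs an OAuth2 client could try for an issuer (OpenID Connect Discovery, the appended oauth-authorization-server form reported above, and the RFC 8414 inserted form) and accepts a document only if its `issuer` matches the configured one. The function names, the `idp.example.test` issuer and the sample responses are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

OIDC = "/.well-known/openid-configuration"
OAUTH = "/.well-known/oauth-authorization-server"


def candidate_metadata_urls(issuer):
    """Discovery URLs to try for an issuer, in order, without duplicates."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL with no query or fragment")
    path = parts.path.rstrip("/")
    paths = [
        path + OIDC,   # OpenID Connect Discovery: suffix appended to the issuer
        path + OAUTH,  # suffix appended, the form the thread reports for Okta
        OAUTH + path,  # RFC 8414: well-known segment inserted before the path
    ]
    urls = [urlunsplit((parts.scheme, parts.netloc, p, "", "")) for p in paths]
    return list(dict.fromkeys(urls))


def resolve_metadata(issuer, fetch):
    """fetch(url) -> (status, body). Return (url, metadata) for the first valid document."""
    errors = []
    for url in candidate_metadata_urls(issuer):
        status, body = fetch(url)
        if status != 200:
            errors.append(f"{url}: HTTP {status}")
            continue
        try:
            meta = json.loads(body)
        except ValueError:
            errors.append(f"{url}: body is not JSON")
            continue
        # A document naming a different issuer must not be trusted for this issuer.
        if not isinstance(meta, dict) or meta.get("issuer") != issuer:
            errors.append(f"{url}: issuer mismatch")
            continue
        return url, meta
    raise LookupError("; ".join(errors))


# Constructed sample: an issuer that publishes only the OAuth 2.0 metadata document.
SAMPLE_ISSUER = "https://idp.example.test/oauth2/custom"
SAMPLE_PAGES = {SAMPLE_ISSUER + OAUTH: json.dumps(
    {"issuer": SAMPLE_ISSUER, "token_endpoint": SAMPLE_ISSUER + "/v1/token"})}

def sample_fetch(url):
    return (200, SAMPLE_PAGES[url]) if url in SAMPLE_PAGES else (404, "")
```

The `fetch` callable is injected so the resolver can be exercised offline; a real client would pass an HTTPS GET with certificate verification enabled.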
Tests are passing for PR 278 except when I try to use pulsar-perf with the auth plugin org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 after enabling OpenID. Reproduction steps are here:
https://github.com/datastax/pulsar-helm-chart/blob/799bccb505ea72de4e0994349036a157dddfa7f7/examples/kafka/demos/demo.sh
The line in question is this one:
bin/pulsar-perf produce -r 1000 --size 1024 --auth-plugin "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2" --auth-params '{"privateKey":"/pulsar/conf/creds.json","issuerUrl":"https://dev-42506116.okta.com/oauth2/aus3thh6rqs3FU45X697","scope":"pulsar_client_m2m","audience":"api://pulsarClient"}' --service-url pulsar://pulsar-proxy.pulsar.svc.cluster.local:6650/ persistent://public/default/test
The exception I'm getting is: