open-metadata / OpenMetadata

OpenMetadata is a unified metadata platform for data discovery, data observability, and data governance powered by a central metadata repository, in-depth column level lineage, and seamless team collaboration.
https://open-metadata.org
Apache License 2.0

Openmetadata cannot get key from Keycloak #7567

Closed cuongthh closed 2 years ago

cuongthh commented 2 years ago

Describe the bug

When I enable security by Keycloak SSO following the docs: https://docs.open-metadata.org/deployment/security/keycloak
After login with a Keycloak user account, OpenMetadata throws an exception: "An exception with message [No key found in with kid xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] was thrown while processing request."

My configuration:

```yaml
AUTHORIZER_CLASS_NAME: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.catalog.security.DefaultAuthorizer}
AUTHORIZER_REQUEST_FILTER: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.catalog.security.JwtFilter}
AUTHORIZER_ADMIN_PRINCIPALS: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
AUTHORIZER_INGESTION_PRINCIPALS: ${AUTHORIZER_INGESTION_PRINCIPALS:-[ingestion-bot, service-account-open-metadata]}
AUTHORIZER_PRINCIPAL_DOMAIN: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"}
AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false}
AUTHORIZER_ENABLE_SECURE_SOCKET: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false}
AUTHENTICATION_PROVIDER: ${AUTHENTICATION_PROVIDER:-custom-oidc}
CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-"KeyCloak"}
AUTHENTICATION_PUBLIC_KEYS: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8080/realms/mfrealm/protocol/openid-connect/certs]}
AUTHENTICATION_AUTHORITY: ${AUTHENTICATION_AUTHORITY:-http://localhost:8080/realms/mfrealm}
AUTHENTICATION_CLIENT_ID: ${AUTHENTICATION_CLIENT_ID:-"open-metadata"}
```

My Keycloak setting: [screenshot]

Expected behavior: Login successfully

Version:

vivekratnavel commented 2 years ago

Hi @cuongthh, can you check if you are able to access this url from within the openmetadata server container? http://localhost:8080/realms/mfrealm/protocol/openid-connect/certs

cuongthh commented 2 years ago

Hi @vivekratnavel , yes, I can access the url http://localhost:8080/realms/mfrealm/protocol/openid-connect/certs

The result is:

```json
{
  "keys": [
    {
      "kid": "TtXyx5bjMMPH45qyPnBT3phWVRSqZaJI2_mXRhOw7cg",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "wVb0kyMSjzXjnrcOBlh6LjQg5cW_M3S0cgA5tVIPjxjIM3cN2dUFle_uW6r-bPb2R5KEGKIgbxi9_1ZF3yhIENeN4maN2CoEtuqtryPryC7LBIDXPJtGeI-ucHuTJh_fDkDyUVUw2iGHm1eWQfPK1pGOi3fc7YllWVSFK-Uj8LLiTQ9mjxEBrc3nfwICgw1X4nl0FfrveYiFYKUaf70cLMh3vqbcrcKo6pSvQNNhEAi1Ofsme4kFgE8pvUc_zWECrTSn2NsmsL_hkTbryBLwisbt51-1YodC9Qaq-RyKlelujaf5KGe6_2PREUUehlQri3auv3P6IqVEsIVxKeYChw",
      "e": "AQAB",
      "x5c": ["..."],
      "x5t": "rEUmfIpjhmMucq3U1Ud0Ljd8-2I",
      "x5t#S256": "EWXd8Py5kZ7WBcLuTcFdBH5h-jkHonuBf1LvaDoiIcM"
    },
    {
      "kid": "9sZSQA0LV4Z9Aei7xPzau_v7rDGlXV1iPp6lTMuyvMw",
      "kty": "RSA",
      "alg": "RSA-OAEP",
      "use": "enc",
      "n": "vmKB9iBrVxZflDLtbmNNci1Om3BjSSPeanI2yNn1Ys0MFFOx6A4sqg2heMVMSfpaEekUR1zvvaLegTLQEJz7sWqCfSJyf-4o4dZ5BmoyOwrwejEh8wzuyo6jJT_zLbL5Rn3o3HIpGXRHVEVEOtjZ0DYsHQ2S2g1_pGV8G_ZS0GFeuIHksoeqZnTNhsMrOTFrwB35dxNYs_vN3YLJJp8lKpu1n8ZmXT-cH8MpiQc-r4dmqCI7C_jPy3Hky3r68-UFc0TmyBNrpsBYYhU-35LmJYvxgqrg3ylfs_qoPIRzFMyVa6bDenNZcHCIy4UckXi4893PbUbLKiG6VNuM76kMKw",
      "e": "AQAB",
      "x5c": ["..."],
      "x5t": "oe1OovSlXf655ruTE7IvO3V0ZTc",
      "x5t#S256": "Ujlpl-Xm9gWDQJp6rGbpTkd_ERVebrdD3ahEB23D6JU"
    }
  ]
}
```

vivekratnavel commented 2 years ago

Hi @cuongthh, can you please verify if jwks_uri in the well known configuration points to the correct certs URL?

http://localhost:8080/realms/mfrealm/.well-known/openid-configuration

cuongthh commented 2 years ago

Hi @vivekratnavel, the result for http://localhost:8080/realms/mfrealm/.well-known/openid-configuration is:

```json
{"issuer":"http://localhost:8080/realms/mfrealm",
"authorization_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/auth",
"token_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/token",
"introspection_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/token/introspect",
"userinfo_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/userinfo",
"end_session_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/logout",
"frontchannel_logout_session_supported":true,
"frontchannel_logout_supported":true,
"jwks_uri":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/certs",
"check_session_iframe":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials","urn:ietf:params:oauth:grant-type:device_code","urn:openid:params:grant-type:ciba"],
"acr_values_supported":["0","1"],
"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
"subject_types_supported":["public","pairwise"],
"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],
"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],
"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],
"userinfo_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],
"userinfo_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],
"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],
"request_object_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],
"request_object_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],
"response_modes_supported":["query","fragment","form_post","query.jwt","fragment.jwt","form_post.jwt","jwt"],
"registration_endpoint":"http://localhost:8080/realms/mfrealm/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],
"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"introspection_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],
"introspection_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"authorization_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"authorization_encryption_alg_values_supported":["RSA-OAEP","RSA-OAEP-256","RSA1_5"],
"authorization_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],
"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],
"claim_types_supported":["normal"],
"claims_parameter_supported":true,
"scopes_supported":["openid","phone","roles","profile","email","microprofile-jwt","web-origins","address","acr","offline_access"],
"request_parameter_supported":true,
"request_uri_parameter_supported":true,
"require_request_uri_registration":true,
"code_challenge_methods_supported":["plain","S256"],
"tls_client_certificate_bound_access_tokens":true,
"revocation_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/revoke",
"revocation_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],
"revocation_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"backchannel_logout_supported":true,
"backchannel_logout_session_supported":true,
"device_authorization_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/auth/device",
"backchannel_token_delivery_modes_supported":["poll","ping"],
"backchannel_authentication_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/ext/ciba/auth",
"backchannel_authentication_request_signing_alg_values_supported":["PS384","ES384","RS384","ES256","RS256","ES512","PS256","PS512","RS512"],
"require_pushed_authorization_requests":false,
"pushed_authorization_request_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/ext/par/request",
"mtls_endpoint_aliases":{"token_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/token","revocation_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/revoke","introspection_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/token/introspect","device_authorization_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/auth/device","registration_endpoint":"http://localhost:8080/realms/mfrealm/clients-registrations/openid-connect","userinfo_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/userinfo","pushed_authorization_request_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/ext/par/request","backchannel_authentication_endpoint":"http://localhost:8080/realms/mfrealm/protocol/openid-connect/ext/ciba/auth"}}
```

harshach commented 2 years ago

@cuongthh, can you join our Slack here: https://slack.open-metadata.org? It's easier to help there.

vivekratnavel commented 2 years ago

Hi @cuongthh, I am not able to reproduce this issue. As @harshach mentioned, please join the community slack and ping me. I should be able to quickly help you unblock there.

cuongthh commented 2 years ago

This issue has been solved by changing:

```yaml
AUTHENTICATION_PUBLIC_KEYS: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8080/realms/mfrealm/protocol/openid-connect/certs]}
```

to:

```yaml
AUTHENTICATION_PUBLIC_KEYS: ${AUTHENTICATION_PUBLIC_KEYS:-[http://host.docker.internal:8080/realms/mfrealm/protocol/openid-connect/certs]}
```
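The checks the thread walks through (is the configured JWKS URL reachable from inside the container, does the discovery document's `jwks_uri` point at the same certs endpoint, does the JWKS actually contain a signing key with the token's `kid`) collected into one offline diagnostic. This is an added example, not OpenMetadata's own code; the JWKS, discovery document and token are constructed samples that reuse only the `kid` values and realm path from the thread.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample data (not a live realm): a JWKS with one signing and one
# encryption key, the discovery document, and a token whose header names the
# signing kid. The token's payload and signature segments are placeholders.
SIG_KID = "TtXyx5bjMMPH45qyPnBT3phWVRSqZaJI2_mXRhOw7cg"
JWKS = {"keys": [{"kid": SIG_KID, "kty": "RSA", "alg": "RS256", "use": "sig"},
                 {"kid": "9sZSQA0LV4Z9Aei7xPzau_v7rDGlXV1iPp6lTMuyvMw",
                  "kty": "RSA", "alg": "RSA-OAEP", "use": "enc"}]}
CERTS = "/realms/mfrealm/protocol/openid-connect/certs"
# Keycloak advertises its frontend URL here; the host may legitimately differ
# from what the container must use, so only the path is compared below.
DISCOVERY = {"issuer": "http://localhost:8080/realms/mfrealm",
             "jwks_uri": "http://localhost:8080" + CERTS}

def b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def jwt_header(token: str) -> dict:
    """Decode only the JOSE header; no signature verification happens here."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def diagnose(configured_url, discovery, jwks, token, in_container=True):
    """Return the reasons the server could report 'No key found ... with kid'."""
    findings = []
    host = urlparse(configured_url).hostname
    if in_container and host in ("localhost", "127.0.0.1"):
        findings.append("AUTHENTICATION_PUBLIC_KEYS points at localhost, which inside "
                        "the OpenMetadata container is not the Keycloak host")
    if urlparse(discovery.get("jwks_uri", "")).path != urlparse(configured_url).path:
        findings.append(f"jwks_uri {discovery.get('jwks_uri')} is not the configured "
                        f"certs endpoint {configured_url}")
    # Keys marked use=enc (RSA-OAEP) never sign tokens; only sig keys count.
    sig_kids = {k["kid"] for k in jwks["keys"] if k.get("use", "sig") == "sig"}
    kid = jwt_header(token).get("kid")
    if kid not in sig_kids:
        findings.append(f"No signing key with kid {kid}; JWKS offers {sorted(sig_kids)}")
    return findings

TOKEN = b64url({"alg": "RS256", "typ": "JWT", "kid": SIG_KID}) + ".payload.signature"

if __name__ == "__main__":
    for url in ("http://localhost:8080" + CERTS, "http://host.docker.internal:8080" + CERTS):
        print(url, diagnose(url, DISCOVERY, JWKS, TOKEN) or ["OK"])
```

With the thread's original `localhost` URL the first finding fires; with the `host.docker.internal` URL from the fix the diagnostic is clean, because only the hostname differed.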