tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

OIDC Authentication error ¿WINDOWS_CLIENT_AUTHENTICATION? #1561

Open carlosfwrk opened 11 months ago

carlosfwrk commented 11 months ago

Problem Description: I'm currently configuring AKHQ's authentication using OIDC with ADFS but I'm facing an error.

Current Configuration:

configuration:
  micronaut:
    security:
      enabled: true
      oauth2:
        enabled: true
        clients:
          adfs:
            client-id: "asdfasdf-sdfse-seaww245-d223-aaeere333"
            redirect-uri: "https://akhq.dev.company.com/oauth/callback/adfs"
            resource: "api://company/audience/services/akhq/1"
            authorization-uri: "https://fed.company.com/adfs/oauth2/authorize"
            token-uri: "https://fed.company.com/adfs/oauth2/token"
            response_type: code
            grant_type: authorization_code
            scopes:
              - openid
              - read    
            openid:
              issuer: "https://fed.company.com/adfs"
              configuration-path: "/.well-known/openid-configuration"
  akhq:
    security:
      roles:
        topic-reader:
          - resources: [ "TOPIC", "TOPIC_DATA" ]
            actions: [ "READ" ]
          - resources: [ "TOPIC" ]
            actions: [ "READ_CONFIG" ]
        topic-writer:
          - resources: [ "TOPIC", "TOPIC_DATA" ]
            actions: [ "CREATE", "UPDATE" ]
          - resources: [ "TOPIC" ]
            actions: [ "ALTER_CONFIG" ]
      groups:
        productassortment-reader:
          - role: topic-reader
            patterns: [ "productassortment.*" ]
      oidc:
        enabled: true
        providers:
          adfs:
            label: "Login with ADFS"
            username-field: userPrincipalName
            groups-field: group
            groups:
              - name: productassortment-confluent-consumer
                groups:
                  - productassortment-reader

Expected Outcome: Upon clicking the "Login with ADFS" button on the page https://akhq.dev.company.com/ui/login, I expect to be redirected to the organization's ADFS authentication system. After successfully authenticating, the system should return an authorization code (CODE), which should then be used to obtain an access token. The access token will be used to extract the user's groups and match them with the groups configured in AKHQ.

Current Issue: After entering the credentials on the ADFS authentication page, the redirection to the callback URL (redirection-uri) occurs correctly, but the following error is displayed in the browser:

{
  "message": "No enum constant io.micronaut.security.oauth2.endpoint.AuthenticationMethod.WINDOWS_CLIENT_AUTHENTICATION",
  "_links": {
    "self": {
      "href": "/oauth/callback/adfs?code=SFJÑADFIASDI",
      "templated": false
    }
  }
}

It's worth noting that if I take the CODE returned in the URL and manually generate a call to the token URL, the token is generated correctly.

LOGS

2023-08-18 15:15:22,686 TRACE pGroup-1-3 mHttpResponseHeadersFilter Adding custom headers to response.
2023-08-18 15:15:22,686 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-08-18 15:15:22,686 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Request GET, /oauth/login/adfs, no token found.
2023-08-18 15:15:22,686 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [112.190.2.1]. Continuing request processing.
2023-08-18 15:15:22,687 DEBUG pGroup-1-3 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), topic/read, topic/insert, topic/delete, topic/config/update, node/read, node/config/update, topic/data/read, topic/data/insert, topic/data/delete, group/read, group/delete, group/offsets/update, group/offsets/delete, registry/read, registry/insert, registry/update, registry/delete, registry/version/delete, acls/read, connect/read, connect/insert, connect/update, connect/delete, connect/state/update]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-08-18 15:15:22,687 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /oauth/login/adfs. The rule provider org.akhq.modules.SecuredAnnotationRuleWithDefault authorized the request.
2023-08-18 15:15:22,687 TRACE pGroup-1-3 o.r.DefaultOauthController Received login request for provider [adfs]
2023-08-18 15:15:22,687 TRACE pGroup-1-3 .s.o.c.DefaultOpenIdClient Starting authorization code grant flow to provider [adfs]. Redirecting to [https://fed.company.com/adfs/oauth2/authorize/]
2023-08-18 15:15:22,689 TRACE pGroup-1-3 thorizationRedirectHandler Built the authorization URL [https://fed.company.com/adfs/oauth2/authorize/?scope=openid+read&response_type=code&redirect_uri=https%3A%2F%2Fakhq.dev.company.com%2Foauth%2Fcallback%2Fadfs&state=akKKJASFA33aka334&nonce=asdfeer34RTADA&client_id=asdfasdf-sdfse-seaww245-d223-aaeere333]
2023-08-18 15:15:22,689 INFO  pGroup-1-3 org.akhq.log.access        [Date: 2023-08-18T15:15:22.687369Z] [Duration: 1 ms] [Url: GET /oauth/login/adfs] [Status: 302] [Ip: /112.190.2.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-08-18 15:15:22,987 TRACE pGroup-1-3 mHttpResponseHeadersFilter Adding custom headers to response.
2023-08-18 15:15:22,987 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-08-18 15:15:22,987 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Request GET, /oauth/callback/adfs, no token found.
2023-08-18 15:15:22,987 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [112.190.2.1]. Continuing request processing.
2023-08-18 15:15:22,988 DEBUG pGroup-1-3 m.s.r.AbstractSecurityRule The given roles [[isAnonymous(), topic/read, topic/insert, topic/delete, topic/config/update, node/read, node/config/update, topic/data/read, topic/data/insert, topic/data/delete, group/read, group/delete, group/offsets/update, group/offsets/delete, registry/read, registry/insert, registry/update, registry/delete, registry/version/delete, acls/read, connect/read, connect/insert, connect/update, connect/delete, connect/state/update]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-08-18 15:15:22,988 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /oauth/callback/adfs. The rule provider org.akhq.modules.SecuredAnnotationRuleWithDefault authorized the request.
2023-08-18 15:15:22,988 TRACE pGroup-1-3 o.r.DefaultOauthController Received callback from oauth provider [adfs]
2023-08-18 15:15:22,988 TRACE pGroup-1-3 .s.o.c.DefaultOpenIdClient Received a successful authorization response from provider [adfs]
2023-08-18 15:15:22,989 WARN  r-thread-8 org.akhq.log.access        [Date: 2023-08-18T15:15:22.988224Z] [Duration: 1 ms] [Url: GET /oauth/callback/adfs] [Status: 409] [Ip: /112.190.2.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-08-18 15:15:23,082 TRACE pGroup-1-3 mHttpResponseHeadersFilter Adding custom headers to response.
2023-08-18 15:15:23,082 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-08-18 15:15:23,082 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Request GET, /favicon.ico, no token found.
2023-08-18 15:15:23,082 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [112.190.2.1]. Continuing request processing.
2023-08-18 15:15:23,083 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/favicon.ico] and method [GET]. Searching in patterns with no defined method.
2023-08-18 15:15:23,083 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule No url map pattern match found for path [/favicon.ico]. Returning unknown.
2023-08-18 15:15:23,083 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /favicon.ico. No rule provider authorized or rejected the request.
2023-08-18 15:15:23,094 TRACE pGroup-1-3 mHttpResponseHeadersFilter Adding custom headers to response.
2023-08-18 15:15:23,094 DEBUG pGroup-1-3 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-08-18 15:15:23,094 DEBUG pGroup-1-3 s.t.r.DefaultTokenResolver Request GET, /ui/login, no token found.
2023-08-18 15:15:23,094 DEBUG pGroup-1-3 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [112.190.2.1]. Continuing request processing.
2023-08-18 15:15:23,095 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/login] and method [GET]. Searching in patterns with no defined method.
2023-08-18 15:15:23,095 DEBUG pGroup-1-3 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/login]. Comparing roles.
2023-08-18 15:15:23,095 DEBUG pGroup-1-3 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-08-18 15:15:23,095 DEBUG pGroup-1-3 i.m.s.f.SecurityFilter     Authorized request GET /ui/login. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
2023-08-18 15:15:23,095 INFO  pGroup-1-3 org.akhq.log.access        [Date: 2023-08-18T15:15:23.095328Z] [Duration: 0 ms] [Url: GET /ui/login] [Status: 200] [Ip: /112.190.2.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]

Can anyone help me with this error? Am I doing something wrong or could there be an issue with the OIDC configuration for AKHQ's needs?

Thanks.
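Added example, not part of the original issue and not AKHQ or Micronaut code: a check to run over the provider's OIDC discovery document, listing advertised client-authentication methods that a strict, enum-based client would reject with a "No enum constant" error like the one above. It assumes the value reaches the client through `token_endpoint_auth_methods_supported`; the sample document, `REGISTERED_METHODS` and the function names are constructed for illustration.

```python
from __future__ import annotations

import json

# Client authentication methods defined by OIDC Core and RFC 8705.
# Assumption: a strict client maps every advertised value onto an enum
# that contains only these names.
REGISTERED_METHODS = {
    "client_secret_basic", "client_secret_post", "client_secret_jwt",
    "private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth", "none",
}

# Discovery fields that carry lists of client authentication methods.
AUTH_METHOD_FIELDS = (
    "token_endpoint_auth_methods_supported",
    "introspection_endpoint_auth_methods_supported",
    "revocation_endpoint_auth_methods_supported",
)

# Constructed sample of a discovery document; hostnames follow the issue's config.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://fed.company.com/adfs",
    "authorization_endpoint": "https://fed.company.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://fed.company.com/adfs/oauth2/token/",
    "token_endpoint_auth_methods_supported": [
        "client_secret_post", "client_secret_basic",
        "private_key_jwt", "windows_client_authentication",
    ],
})


def enum_constant(value: str) -> str:
    """Name a valueOf-style enum lookup would search for."""
    return value.strip().upper().replace("-", "_")


def unrecognized_methods(doc: dict) -> list[tuple[str, str, str]]:
    """Return (field, advertised value, enum constant) for each non-registered method."""
    findings = []
    for field in AUTH_METHOD_FIELDS:
        for value in doc.get(field) or []:
            if not isinstance(value, str) or value not in REGISTERED_METHODS:
                findings.append((field, str(value), enum_constant(str(value))))
    return findings


def negotiable_methods(doc: dict) -> list[str]:
    """Tolerant parse: keep registered methods in advertised order, skip the rest.

    OIDC Discovery says an omitted list means client_secret_basic.
    """
    advertised = doc.get("token_endpoint_auth_methods_supported")
    if advertised is None:
        return ["client_secret_basic"]
    if not isinstance(advertised, list):
        raise ValueError("token_endpoint_auth_methods_supported must be a JSON array")
    return [m for m in advertised if isinstance(m, str) and m in REGISTERED_METHODS]


def report(doc_text: str) -> str:
    """Human-readable summary for one discovery document."""
    doc = json.loads(doc_text)
    lines = [f"issuer: {doc.get('issuer')}"]
    for field, value, constant in unrecognized_methods(doc):
        lines.append(f"{field}: '{value}' has no registered equivalent "
                     f"(strict enum lookup: {constant})")
    lines.append("usable for the token request: " + ", ".join(negotiable_methods(doc)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DISCOVERY))
```

To check a real provider, save the JSON served at the issuer's `/.well-known/openid-configuration` path and pass its text to `report`.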

carlosfwrk commented 11 months ago

I've noticed that in the Micronaut repository, there's a recommendation to update to version 3.9.3 of Micronaut in order to address a similar issue. Considering that AKHQ version 0.24.0 is using Micronaut version 3.7.10, I'm wondering how I can apply this modification locally. Specifically, how can I upgrade to Micronaut version 3.9.3 while using AKHQ version 0.24.0?

Would it suffice to make this modification in the build.gradle file? And once I've made the change, how should I go about compiling the code? Any guidance on these steps would be greatly appreciated.

Thanks.

tchiotludo commented 10 months ago

You should try with the dev version, which is Micronaut 3.9.4; reopen if it doesn't work.

carlosfwrk commented 10 months ago

Hi @tchiotludo, I've updated to the DEV version, but I'm still getting the same error:

{
  "message": "No enum constant io.micronaut.security.oauth2.endpoint.AuthenticationMethod.WINDOWS_CLIENT_AUTHENTICATION",
  "_links": {
    "self": {
      "href": "/oauth/callback/adfs?code=APADKFAHAEIIJJACg&state=PLOEKKTENMALLM",
      "templated": false
    }
  }
}

Here is the complete log (from when the login page loads, I click the "Login with ADFS" button, enter the credentials on my company's ADFS page, and it returns the error I mentioned):

2023-09-26 07:02:48,082 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,083 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,087 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /, no token found.
2023-09-26 07:02:48,088 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.5.1]. Continuing request processing.
2023-09-26 07:02:48,089 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:48,089 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /. The rule provider org.akhq.security.rule.SecuredAnnotationRuleWithDefault authorized the request.
2023-09-26 07:02:48,093 INFO  r-thread-3 org.akhq.log.access        [Date: 2023-09-26T07:02:48.089765Z] [Duration: 3 ms] [Url: GET /] [Status: 307] [Ip: /100.90.5.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:48,221 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,223 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,223 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /ui, no token found.
2023-09-26 07:02:48,223 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.5.1]. Continuing request processing.
2023-09-26 07:02:48,224 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui] and method [GET]. Searching in patterns with no defined method.
2023-09-26 07:02:48,224 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui]. Comparing roles.
2023-09-26 07:02:48,224 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:48,224 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /ui. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
2023-09-26 07:02:48,225 INFO  pGroup-1-4 org.akhq.log.access        [Date: 2023-09-26T07:02:48.224805Z] [Duration: 0 ms] [Url: GET /ui] [Status: 200] [Ip: /100.90.5.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:48,308 TRACE pGroup-1-1 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,308 DEBUG pGroup-1-1 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,308 DEBUG pGroup-1-1 s.t.r.DefaultTokenResolver Request GET, /health, no token found.
2023-09-26 07:02:48,309 DEBUG pGroup-1-1 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.14.1]. Continuing request processing.
2023-09-26 07:02:48,309 DEBUG pGroup-1-1 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/health] and method [GET]. Searching in patterns with no defined method.
2023-09-26 07:02:48,309 DEBUG pGroup-1-1 .m.s.r.InterceptUrlMapRule No url map pattern match found for path [/health]. Returning unknown.
2023-09-26 07:02:48,310 DEBUG pGroup-1-1 .s.r.SensitiveEndpointRule health endpoint is not sensitive. Allowing the request.
2023-09-26 07:02:48,310 DEBUG pGroup-1-1 i.m.s.f.SecurityFilter     Authorized request GET /health. The rule provider io.micronaut.security.rules.SensitiveEndpointRule authorized the request.
2023-09-26 07:02:48,420 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,420 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,420 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /ui/static/js/main.3815b2bf.js, no token found.
2023-09-26 07:02:48,421 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.5.1]. Continuing request processing.
2023-09-26 07:02:48,422 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/static/js/main.3815b2bf.js] and method [GET]. Searching in patterns with no defined method.
2023-09-26 07:02:48,422 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/static/js/main.3815b2bf.js]. Comparing roles.
2023-09-26 07:02:48,422 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:48,422 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /ui/static/js/main.3815b2bf.js. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
2023-09-26 07:02:48,423 INFO  pGroup-1-4 org.akhq.log.access        [Date: 2023-09-26T07:02:48.422967Z] [Duration: 0 ms] [Url: GET /ui/static/js/main.3815b2bf.js] [Status: 200] [Ip: /100.90.5.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:48,430 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,431 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,431 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /health, no token found.
2023-09-26 07:02:48,431 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.14.1]. Continuing request processing.
2023-09-26 07:02:48,431 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/health] and method [GET]. Searching in patterns with no defined method.
2023-09-26 07:02:48,432 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern match found for path [/health]. Returning unknown.
2023-09-26 07:02:48,432 DEBUG pGroup-1-4 .s.r.SensitiveEndpointRule health endpoint is not sensitive. Allowing the request.
2023-09-26 07:02:48,432 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /health. The rule provider io.micronaut.security.rules.SensitiveEndpointRule authorized the request.
2023-09-26 07:02:48,544 TRACE pGroup-1-1 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,545 DEBUG pGroup-1-1 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,545 DEBUG pGroup-1-1 s.t.r.DefaultTokenResolver Request GET, /ui/static/css/main.8e11c20e.css, no token found.
2023-09-26 07:02:48,546 DEBUG pGroup-1-1 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.12.1]. Continuing request processing.
2023-09-26 07:02:48,546 DEBUG pGroup-1-1 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/static/css/main.8e11c20e.css] and method [GET]. Searching in patterns with no defined method.
2023-09-26 07:02:48,546 DEBUG pGroup-1-1 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/static/css/main.8e11c20e.css]. Comparing roles.
2023-09-26 07:02:48,546 DEBUG pGroup-1-1 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:48,547 DEBUG pGroup-1-1 i.m.s.f.SecurityFilter     Authorized request GET /ui/static/css/main.8e11c20e.css. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
2023-09-26 07:02:48,547 INFO  pGroup-1-1 org.akhq.log.access        [Date: 2023-09-26T07:02:48.547255Z] [Duration: 0 ms] [Url: GET /ui/static/css/main.8e11c20e.css] [Status: 200] [Ip: /100.90.12.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:48,630 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,630 TRACE pGroup-1-1 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,630 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,630 DEBUG pGroup-1-1 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,631 DEBUG pGroup-1-1 s.t.r.DefaultTokenResolver Request GET, /api/me, no token found.
2023-09-26 07:02:48,631 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /api/auths, no token found.
2023-09-26 07:02:48,631 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.5.1]. Continuing request processing.
2023-09-26 07:02:48,631 DEBUG pGroup-1-1 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.12.1]. Continuing request processing.
2023-09-26 07:02:48,631 DEBUG pGroup-1-1 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:48,631 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:48,631 DEBUG pGroup-1-1 i.m.s.f.SecurityFilter     Authorized request GET /api/me. The rule provider org.akhq.security.rule.SecuredAnnotationRuleWithDefault authorized the request.
2023-09-26 07:02:48,631 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /api/auths. The rule provider org.akhq.security.rule.SecuredAnnotationRuleWithDefault authorized the request.
2023-09-26 07:02:48,927 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:48,928 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:48,928 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /ui/manifest.json, no token found.
2023-09-26 07:02:48,928 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.12.1]. Continuing request processing.
2023-09-26 07:02:48,928 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/manifest.json] and method [GET]. Searching in patterns with no defined method.
2023-09-26 07:02:48,929 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/manifest.json]. Comparing roles.
2023-09-26 07:02:48,929 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:48,929 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /ui/manifest.json. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
2023-09-26 07:02:48,929 INFO  pGroup-1-4 org.akhq.log.access        [Date: 2023-09-26T07:02:48.929565Z] [Duration: 0 ms] [Url: GET /ui/manifest.json] [Status: 200] [Ip: /100.90.12.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:49,168 INFO  r-thread-3 org.akhq.log.access        [Date: 2023-09-26T07:02:48.631878Z] [Duration: 536 ms] [Url: GET /api/auths] [Status: 200] [Ip: /100.90.5.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:49,168 INFO  r-thread-4 org.akhq.log.access        [Date: 2023-09-26T07:02:48.631855Z] [Duration: 536 ms] [Url: GET /api/me] [Status: 200] [Ip: /100.90.12.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:49,280 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:49,280 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:49,281 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /ui/ui/static/media/icon.383e5fd93919da4ccf1b1d78c73ab176.svg, no token found.
2023-09-26 07:02:49,281 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.5.1]. Continuing request processing.
2023-09-26 07:02:49,281 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule No url map pattern exact match found for path [/ui/ui/static/media/icon.383e5fd93919da4ccf1b1d78c73ab176.svg] and method [GET]. Searching in patterns with no defined method.
2023-09-26 07:02:49,282 DEBUG pGroup-1-4 .m.s.r.InterceptUrlMapRule Url map pattern found for path [/ui/ui/static/media/icon.383e5fd93919da4ccf1b1d78c73ab176.svg]. Comparing roles.
2023-09-26 07:02:49,282 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:49,282 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /ui/ui/static/media/icon.383e5fd93919da4ccf1b1d78c73ab176.svg. The rule provider io.micronaut.security.rules.ConfigurationInterceptUrlMapRule authorized the request.
2023-09-26 07:02:49,282 INFO  pGroup-1-4 org.akhq.log.access        [Date: 2023-09-26T07:02:49.282436Z] [Duration: 0 ms] [Url: GET /ui/ui/static/media/icon.383e5fd93919da4ccf1b1d78c73ab176.svg] [Status: 200] [Ip: /100.90.5.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:51,675 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:51,675 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:51,676 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /oauth/login/adfs, no token found.
2023-09-26 07:02:51,676 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.5.1]. Continuing request processing.
2023-09-26 07:02:51,676 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:51,677 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /oauth/login/adfs. The rule provider org.akhq.security.rule.SecuredAnnotationRuleWithDefault authorized the request.
2023-09-26 07:02:51,677 TRACE pGroup-1-4 o.r.DefaultOauthController Received login request for provider [adfs]
2023-09-26 07:02:51,692 TRACE pGroup-1-4 .s.o.c.DefaultOpenIdClient Starting authorization code grant flow to provider [adfs]. Redirecting to [https://fed.company.com/adfs/oauth2/authorize/]
2023-09-26 07:02:51,734 TRACE pGroup-1-4 thorizationRedirectHandler Built the authorization URL [https://fed.company.com/adfs/oauth2/authorize/?scope=openid+read&response_type=code&redirect_uri=https%3A%2F%2Fakhq.dev.company.com%2Foauth%2Fcallback%2Fadfs&state=PLOEKKTENMALLM&nonce=98akdh1PL39858789&client_id=asdfasdf-sdfse-seaww245-d223-aaeere333]
2023-09-26 07:02:51,735 INFO  pGroup-1-4 org.akhq.log.access        [Date: 2023-09-26T07:02:51.677207Z] [Duration: 58 ms] [Url: GET /oauth/login/adfs] [Status: 302] [Ip: /100.90.5.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:51,928 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:51,929 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:51,929 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /oauth/callback/adfs, no token found.
2023-09-26 07:02:51,929 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.5.1]. Continuing request processing.
2023-09-26 07:02:51,929 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:51,929 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /oauth/callback/adfs. The rule provider org.akhq.security.rule.SecuredAnnotationRuleWithDefault authorized the request.
2023-09-26 07:02:51,930 TRACE pGroup-1-4 o.r.DefaultOauthController Received callback from oauth provider [adfs]
2023-09-26 07:02:51,933 TRACE pGroup-1-4 .s.o.c.DefaultOpenIdClient Received a successful authorization response from provider [adfs]
2023-09-26 07:02:51,945 WARN  r-thread-3 org.akhq.log.access        [Date: 2023-09-26T07:02:51.930077Z] [Duration: 15 ms] [Url: GET /oauth/callback/adfs] [Status: 409] [Ip: /100.90.5.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]
2023-09-26 07:02:52,273 TRACE pGroup-1-4 mHttpResponseHeadersFilter Adding custom headers to response.
2023-09-26 07:02:52,274 DEBUG pGroup-1-4 .t.r.HttpHeaderTokenReader Looking for bearer token in Authorization header
2023-09-26 07:02:52,274 DEBUG pGroup-1-4 s.t.r.DefaultTokenResolver Request GET, /oauth/callback/adfs, no token found.
2023-09-26 07:02:52,274 DEBUG pGroup-1-4 i.m.s.rules.IpPatternsRule One or more of the IP patterns matched the host address [100.90.5.1]. Continuing request processing.
2023-09-26 07:02:52,275 DEBUG pGroup-1-4 m.s.r.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2023-09-26 07:02:52,275 DEBUG pGroup-1-4 i.m.s.f.SecurityFilter     Authorized request GET /oauth/callback/adfs. The rule provider org.akhq.security.rule.SecuredAnnotationRuleWithDefault authorized the request.
2023-09-26 07:02:52,275 TRACE pGroup-1-4 o.r.DefaultOauthController Received callback from oauth provider [adfs]
2023-09-26 07:02:52,276 TRACE pGroup-1-4 .s.o.c.DefaultOpenIdClient Received a successful authorization response from provider [adfs]
2023-09-26 07:02:52,278 WARN  r-thread-3 org.akhq.log.access        [Date: 2023-09-26T07:02:52.275576Z] [Duration: 2 ms] [Url: GET /oauth/callback/adfs] [Status: 409] [Ip: /100.90.5.1] [User-Agent: Anonymous] [Referer: {}] [User: {}]

Thanks.

carlosfwrk commented 10 months ago

Sorry, I can't reopen the issue, perhaps due to a lack of permissions.

carlosfwrk commented 10 months ago

> You should try with the dev version, which is Micronaut 3.9.4; reopen if it doesn't work.

In the build.gradle file, Micronaut version 3.7.10 appears: [image]