[Bug] OIDC - Optional alg field being required in Pulsar causes OIDC authentication to fail #22419

Closed
2 of 3 tasks
slawrencemd opened this issue Apr 3, 2024 · 5 comments · Fixed by #22421
Labels
type/bug The PR fixed a bug or issue reported a bug

Comments

@slawrencemd

Search before asking

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

Version

Pulsar v3.1.1

Minimal reproduce step

Goal is to enable OIDC in a standalone Pulsar instance via Azure App Registrations.

  1. Create an App registration in Azure in preparation for OIDC
  2. Bind the necessary args to the standalone.conf file to enable OIDC following official instructions, including admin role binding
  3. Start instance
  4. Configure the pulsar admin/shell to use OAuth2 with a credential and make an admin call (ex: tenants list)

What did you expect to see?

listed tenants

What did you see instead?

A 401/unauthorized on the client/shell side.
image

An error on the Pulsar broker/instance side: Failed to authenticate HTTP request: Failed to authenticate HTTP request: JWK's alg [null] does not match JWT's alg [RS256]

image

Anything else?

The 'alg' header is optional, as per the JWK spec:
image

Azure does not return this field as part of the well known config, but the Pulsar OIDC implementation requires this. This validation is failing and results in the error I saw in the Pulsar instance logs:

image

It's also possible I've screwed up the OIDC configuration, but my suspicion above seems to make sense... I can share more of my config if needed.

I'll be glad to do anything I can to help fix this; my guess is this behavior would prevent it from functioning with Azure (if the alg field is missing globally). Short of creating a custom OIDC implementation/authorizer myself, is there anything else I can do in the interim to get around this?

Are you willing to submit a PR?

  • I'm willing to submit a PR!
@slawrencemd slawrencemd added the type/bug The PR fixed a bug or issue reported a bug label Apr 3, 2024
@slawrencemd slawrencemd changed the title [Bug] OIDC - Optional alg field causes OIDC auth to fail [Bug] OIDC - Optional alg field being required in Pulsar causes OIDC authentication to fail Apr 3, 2024
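
Added example, not part of the original issue and not Pulsar's code: one way to treat the JWK `alg` field as optional without loosening algorithm checks. A declared `alg` must match the JWT's, and a missing one falls back to the mandatory `kty` plus an allow-list. The class name, the allow-list contents and the sample keys are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

public class JwkAlgCheck {
    // Assumption: this deployment accepts only these asymmetric signature algorithms.
    static final Set<String> ALLOWED = Set.of("RS256", "RS384", "RS512", "ES256", "ES384", "ES512");

    // JWK "kty" is mandatory (RFC 7517), so it can stand in when the optional "alg" is missing.
    static String requiredKty(String jwtAlg) {
        if (jwtAlg.startsWith("RS")) return "RSA";
        if (jwtAlg.startsWith("ES")) return "EC";
        return null;
    }

    // Returns "accept" or "reject: <reason>" for using this JWK to verify a JWT signed with jwtAlg.
    static String verdict(Map<String, String> jwk, String jwtAlg) {
        if (jwtAlg == null || !ALLOWED.contains(jwtAlg)) {
            return "reject: JWT's alg [" + jwtAlg + "] is not on the allow-list";
        }
        String jwkAlg = jwk.get("alg");
        // A declared alg is binding; an absent one is not a mismatch.
        if (jwkAlg != null && !jwkAlg.equals(jwtAlg)) {
            return "reject: JWK's alg [" + jwkAlg + "] does not match JWT's alg [" + jwtAlg + "]";
        }
        String needed = requiredKty(jwtAlg);
        if (needed == null || !needed.equals(jwk.get("kty"))) {
            return "reject: JWK's kty [" + jwk.get("kty") + "] cannot verify JWT's alg [" + jwtAlg + "]";
        }
        return "accept";
    }

    public static void main(String[] args) {
        // Constructed sample keys (key material omitted); the first has no "alg", as in the report.
        Map<String, String> noAlg = Map.of("kty", "RSA", "use", "sig", "kid", "example-kid-1");
        Map<String, String> withAlg = Map.of("kty", "RSA", "alg", "RS512", "kid", "example-kid-2");
        Map<String, String> ecKey = Map.of("kty", "EC", "crv", "P-256", "kid", "example-kid-3");

        System.out.println(verdict(noAlg, "RS256"));   // alg absent, kty fits
        System.out.println(verdict(withAlg, "RS256")); // declared alg differs
        System.out.println(verdict(ecKey, "RS256"));   // wrong key type
        System.out.println(verdict(noAlg, "HS256"));   // not allow-listed
        System.out.println(verdict(noAlg, "none"));    // unsigned token
    }
}
```
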
@slawrencemd
Author

Screenshot of missing 'alg' field in Azure ./well-known config:

image

@lhotari
Member

lhotari commented Apr 3, 2024

Thanks for the good issue report @slawrencemd! Would you like to contribute a fix?

@lhotari
Member

lhotari commented Apr 4, 2024

I'm working on a fix.

@michaeljmarshall
Member

Great write up, thanks for surfacing this!

@slawrencemd
Author

You guys are fast! Thank you.

I'm still setting up my environment and getting the build up and running; once I get those first baby steps done and a bit comfier with the codebase/processes, I'll be glad to contribute in other issues/features.

thanks,
-s
