How to integrate internal SSO login (OAuth2)? #1776

Closed
hustlibraco opened this issue Mar 29, 2022 · 10 comments
Labels
type/question An issue with a question which could possibly be converted into a discussion

Comments

@hustlibraco

I have read the SSO configuration guide and have checked past issues about SSO login.
People asked about public SSO providers such as G Suite or AWS, but I cannot find a solution for integrating an internal SSO login.
Is it possible to integrate kafka-ui with my company's SSO (OAuth2)?

I have tried, but with no success. This is my docker-compose.yml:

version: '2'
services:
  kafka-ui:
    image: provectuslabs/kafka-ui
    container_name: kafka-ui
    ports:
      - "8080:8080"
    restart: always
    volumes:
      - ./cert:/opt/cert
    environment:
      - SECURITY_BASIC_ENABLED=true
      - SERVER_SSL_KEY_STORE_TYPE=PKCS12
      - SERVER_SSL_KEY_STORE=/opt/cert/ui-for-apache-kafka.p12
      - SERVER_SSL_KEY_STORE_PASSWORD=Fvck2022!
      - SERVER_SSL_KEY_ALIAS=ui-for-apache-kafka
      - SERVER_SSL_ENABLED=true
      - TRUST_STORE=/opt/cert/ui-for-apache-kafka.p12
      - TRUST_STORE_PASSWORD=Fvck2022!
      - AUTH_TYPE=OAUTH2
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTID=yatn6oqzb97l3q7qjg7h
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTSECRET=ets169splsw02ctj1p9e6559460ox1gmkteahdql
      - SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_ISSUER_URI=https://test-sso.xxx.net/oauth2/authorize
      - SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_SCOPE=read
      - KAFKA_CLUSTERS_0_NAME=ember
      - KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS=ember-apac-kafka-1.xxx.net:9092,ember-apac-kafka-2.xxx.net:9092,ember-apac-kafka-3.xxx.net:9092
      - KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_PLAINTEXT
      - KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=SCRAM-SHA-512
      - KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin_password";
    extra_hosts:
      - "ember-apac-kafka-1.xxx.net:10.66.17.35"
      - "ember-apac-kafka-2.xxx.net:10.66.17.36"
      - "ember-apac-kafka-3.xxx.net:10.66.17.37"
      - "ember-apac-zk-1.xxx.net:10.66.17.35"
      - "ember-apac-zk-2.xxx.net:10.66.17.36"
      - "ember-apac-zk-3.xxx.net:10.66.17.37" 

and this is the docker-compose up stdout:

kafka-ui    | Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository]: Factory method 'clientRegistrationRepository' threw exception; nested exception is java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://test-sso.xxx.net/oauth2/authorize"
kafka-ui    |   at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
kafka-ui    |   at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
kafka-ui    |   ... 81 common frames omitted
kafka-ui    | Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://test-sso.xxx.net/oauth2/authorize"
kafka-ui    |   at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:223)
kafka-ui    |   at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromIssuerLocation(ClientRegistrations.java:144)
kafka-ui    |   at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesRegistrationAdapter.java:83)
kafka-ui    |   at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistration(OAuth2ClientPropertiesRegistrationAdapter.java:59)
kafka-ui    |   at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.lambda$getClientRegistrations$0(OAuth2ClientPropertiesRegistrationAdapter.java:53)
kafka-ui    |   at java.base/java.util.HashMap.forEach(HashMap.java:1339)
kafka-ui    |   at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistrations(OAuth2ClientPropertiesRegistrationAdapter.java:52)
kafka-ui    |   at org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientConfigurations$ReactiveClientRegistrationRepositoryConfiguration.clientRegistrationRepository(ReactiveOAuth2ClientConfigurations.java:56)
kafka-ui    |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
kafka-ui    |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
kafka-ui    |   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
kafka-ui    |   at java.base/java.lang.reflect.Method.invoke(Method.java:567)
kafka-ui    |   at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
kafka-ui    |   ... 82 common frames omitted
@hustlibraco hustlibraco added status/triage Issues pending maintainers triage type/feature A new feature labels Mar 29, 2022

@Haarolean (Contributor)

Hey, thanks for reaching out. That should work actually.
Have you tried this url without /authorize?
There's probably gonna be a path named .well-known/openid-configuration if the URL is correct.

@Haarolean Haarolean added type/question An issue with a question which could possibly be converted into a discussion status/pending Further information is requested and removed status/triage Issues pending maintainers triage type/feature A new feature labels Mar 29, 2022
@hustlibraco (Author) commented Mar 30, 2022

Hey, thanks for reaching out. That should work actually. Have you tried this url without /authorize? There's probably gonna be a path named .well-known/openid-configuration if the URL is correct.

Still not working. All the URLs below return 404 Not Found:
https://test-sso.xxx.net/.well-known/openid-configuration
https://test-sso.xxx.net/oauth2/.well-known/openid-configuration
https://test-sso.xxx.net/oauth2/authorize/.well-known/openid-configuration

I checked the internal SSO documentation: there is no issuer_uri, and it only supports the Authorization Code Flow. All open APIs from the internal SSO are listed below:

  • Get a license: /oauth2/authorize
  • Get access token: /oauth2/access_token
  • Refresh access token: /oauth2/access_token
  • Get user information: /oauth2/userinfo
  • User logout: /oauth2/logout

I successfully integrated the internal SSO with Portainer before, so I think the internal SSO is usable at some level. What kind of OAuth provider does kafka-ui require?

Looking forward to your reply.

@github-actions bot commented Apr 6, 2022

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the status/stale Stale issues will be closed in 7 days. label Apr 6, 2022
@Haarolean Haarolean removed status/pending Further information is requested status/stale Stale issues will be closed in 7 days. labels Apr 6, 2022
@gaddam1987 (Contributor)

@hustlibraco You don't have to configure issuer-uri; instead, configure these fields and it should work:
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_AUTHORIZATION_URI
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_TOKEN_URI
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_USER_INFO_URI
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_JWK_SET_URI

@viettran-yum

@hustlibraco You don't have to configure issuer-uri; instead, configure these fields and it should work: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_AUTHORIZATION_URI SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_TOKEN_URI SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_USER_INFO_URI SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_JWK_SET_URI

Hi, I tried, but it still throws the error: authorizationGrantType cannot be null.
Do you know how to set the grant type? I'm using the latest docker-compose image version.

@Haarolean (Contributor)

@hustlibraco You don't have to configure issuer-uri; instead, configure these fields and it should work: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_AUTHORIZATION_URI SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_TOKEN_URI SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_USER_INFO_URI SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_JWK_SET_URI

Hi, I tried, but it still throws the error: authorizationGrantType cannot be null. Do you know how to set the grant type? I'm using the latest docker-compose image version.

@viettran-yum
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_AUTHORIZATION_GRANT_TYPE, possible values are:

authorization_code
implicit
refresh_token
client_credentials
password
urn:ietf:params:oauth:grant-type:jwt-bearer

@S1M0NM commented Sep 28, 2022

Hello,

I did the configuration according to these instructions, but the property for the grant type must be:

SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_AUTHORIZATION_GRANT_TYPE

@DECsystem20 commented Nov 8, 2022

I was able to make it work with on-premise GitLab using these settings:

  auth:
    type: OAUTH2
  kafka:
    clusters:
    - bootstrapServers: redacted
      name: redacted
      properties:
        security:
          protocol: SSL
        ssl:
          keystore:
            location: redacted
            password: redacted
          truststore:
            location: redacted
            password: redacted
  management:
    health:
      ldap:
        enabled: false
  spring:
    security:
      oauth2:
        client:
          registration:
            gitlab:
              client-id: redacted
              client-secret: redacted
              authorization-grant-type: authorization_code
              redirect-uri: https://kafka-ui_address/login/oauth2/code/gitlab
              scope: read_user
              clientName: GitLab
          provider:
            gitlab:
              authorization-uri: https://gitlab_address/oauth/authorize
              token-uri: https://gitlab_address/oauth/token
              user-info-uri: https://gitlab_address/api/v4/user
              jwk-set-uri: https://gitlab_address/oauth/discovery/keys
              user-name-attribute: username

In GitLab -> Admin Area -> Applications I created a new application named "KafkaUI", set the callback URL to "https://kafka-ui_address/login/oauth2/code/gitlab" and enabled the scope "read_user".

@Haarolean (Contributor)

Closing this issue as it became an off-topic collection of replies.
Please raise a separate discussion or issue if you encounter any problems.

@Haarolean Haarolean closed this as not planned Won't fix, can't repro, duplicate, stale Mar 30, 2023
@provectus provectus locked and limited conversation to collaborators Mar 30, 2023
@Haarolean Haarolean converted this issue into discussion #3589 Mar 30, 2023

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Labels
type/question An issue with a question which could possibly be converted into a discussion
Projects
None yet
Development

No branches or pull requests

6 participants