OIDC environment variables being ignored when using Azure AD

Question

OIDC environment variables being ignored when using Azure AD

Closed this issue 21 days ago · 2 comments

dpilin commented a month ago

Description

Registry
Version: 3.0.3
Persistence type: SQL

Environment

Kubernetes 1.26

Steps to Reproduce

Create a new app registration in Azure Entra ID (or use an existent one)
Run both apicurio-registry and apicurio-registry-ui containers locally in Docker using application and tenant id obtained in step 1 using the next commands respectively:

docker run -d -e "QUARKUS_OIDC_TENANT_ENABLED=true" -e "QUARKUS_OIDC_AUTH_SERVER_URL=https://login.microsoftonline.com/<TENANT_ID>/v2.0" -e "QUARKUS_OIDC_CLIENT_ID=<APPLICATION_ID>" -e "APICURIO_OIDC_UI_REDIRECT_URL=https://my-registry.org/explore" -e "APICURIO_OIDC_UI_CLIENT_ID=<APPLICATION_ID>" -e "APICURIO_AUTH_ROLE_BASED_AUTHORIZATION=true" -e "ROLE_BASED_AUTHZ_SOURCE=token" -e "QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH=roles" -e "QUARKUS_HTTP_CORS_ORIGINS=http://localhost:8888" -e "APICURIO_AUTH_ANONYMOUS_READ_ACCESS_ENABLED=true" -p 8080:8080 apicurio/apicurio-registry:3.0.3

docker run -d -e "REGISTRY_API_URL=http://localhost:8080/apis/registry/v3" -e "APICURIO_AUTH_TYPE=oidc" -e "APICURIO_AUTH_URL=https://login.microsoftonline.com/<TENANT_ID>/v2.0" -e "APICURIO_AUTH_REDIRECT_URL=https://my-registry.org/explore" -e "APICURIO_OIDC_UI_CLIENT_ID=<APPLICATION_ID>" -p 8888:8080 apicurio/apicurio-registry-ui:3.0.3

Go to http://localhost:8888 in browser, Apicurio-registry will redirect you to login.microsoftonline.com with correct tenant id but application id and redirect url in the browser's address bar will be set to default ones. Like this:

https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize?client_id=default_client&redirect_uri=http%3A%2F%2Flocalhost%3A8080&response_type=code&scope=openid+profile+email&state=...

After logon with such parameters the next error appears:

AADSTS700016: Application with identifier 'default_client' was not found in the directory "<TENANT_NAME>"

Expected vs Actual Behaviour

It is expected here for both client_id and redirect_uri to be populated from environment variables APICURIO_OIDC_UI_CLIENT_ID and APICURIO_OIDC_UI_REDIRECT_URL respectively as per documentation.

The setup in Azure is correct as everything works smoothly when I substitute default_client and redirect_url in address bar manually and then proceed with login.

I also tried setting environment variables inside registry-ui pod from README.md , such as APICURIO_AUTH_TYPE, APICURIO_AUTH_URL, APICURIO_AUTH_REDIRECT_URL, APICURIO_AUTH_CLIENT_ID. It didn't help as well.

Also, for now it's not obvious which environment variables should be set in apicurio-registry-ui pod and which are apicurio-registry related when it comes to OIDC setup.

Answer 1 · 2024-10-30T16:38:49.000Z

Hello,

Thanks for raising this. This is an error in the documentation. The correct values are:

APICURIO_UI_AUTH_OIDC_CLIENT_ID, APICURIO_UI_AUTH_OIDC_REDIRECT_URI and APICURIO_UI_AUTH_OIDC_LOGOUT-URL all following the same pattern. Everything has to be configured in the backend, since the UI fetches it's configuration from there (you don't even need to setup the auth type).

I'll use this issue to fix the documentation.

Answer 2 · 2024-10-31T07:57:39.000Z

Hello,

Thank you, I've redeployed my backend using APICURIO_UI_AUTH_OIDC_REDIRECT_URI and APICURIO_UI_AUTH_OIDC_CLIENT_ID environment variables. Now OIDC login is working fine.