Apicurio/apicurio-registry

OIDC 401 (Unauthorized) error when configured with Keycloak or Azure AD in EKS

Closed · 1 comment

Description

Registry Version: latest / 3.0.3
Persistence type: in-memory

When OIDC is configured and you open the apicurio-registry URL, it doesn't route you to Keycloak or Azure AD to authenticate. Instead it already shows you're authenticated as "User", and the UI fails to fetch anything from the registry server.

[Screenshot 2024-11-06 164305a]

Environment

EKS - Kubernetes v1.30.5

Steps to Reproduce

  1. OIDC

Keycloak:
Created 2 oidc clients - apicurio-registry with standard flow enabled, apicurio-api as bearer-only
Created roles: sr-admin, sr-developer, sr-readonly
Created a user and assigned sr-admin role to him
Changed "User Realm Role" mapper to add roles to ID token

Azure AD:
Create app registration according to - https://www.apicur.io/blog/2023/07/13/registry-azure-ad

  2. Run apicurio-registry and apicurio-registry-ui deployments in EKS cluster with these environment variables:

Deployment files:
apicurio-registry-deployment.zip

Keycloak configuration environment variables: apicurio-registry
        - name: QUARKUS_HTTP_CORS_ORIGINS
          value: "http://apicurio-registry-ui-address"
        - name: QUARKUS_OIDC_TENANT_ENABLED
          value: "true"
        - name: QUARKUS_OIDC_AUTH_SERVER_URL
          value: "https://keycloak-address/realms/apicurio"
        - name: QUARKUS_OIDC_CLIENT_ID
          value: "apicurio-api"
        - name: APICURIO_UI_AUTH_OIDC_CLIENT_ID
          value: "apicurio-registry"
        - name: APICURIO_UI_AUTH_OIDC_REDIRECT_URI
          value: "http://apicurio-registry-ui-address"
        - name: APICURIO_AUTH_ROLE_BASED_AUTHORIZATION
          value: "true"
        - name: APICURIO_AUTH_OWNER_ONLY_AUTHORIZATION
          value: "true"
        - name: "REGISTRY_UI_AUTH_TYPE"
          value: "oidc"
Azure AD configuration environment variables: apicurio-registry
  3. Go to http://apicurio-registry-ui-address. Depending on which OIDC provider is configured, it should route you to either Keycloak or Microsoft to authenticate and then redirect back to http://apicurio-registry-ui-address, but instead it shows the message in the screenshot above.

Expected vs Actual Behaviour

The Keycloak env var configuration works with Docker locally, so it is expected that it would work on Kubernetes also. But I get an unauthenticated 401 error.

Logs

apicurio-registry logs:
2024-11+00-06 11:07:59 WARN [io.apicurio.registry.auth.AuthorizedInterceptor] (executor-thread-16) Authentication credentials missing and required for protected endpoint.
2024-11+00-06 11:07:59 ERROR [io.apicurio.registry.services.http.CoreRegistryExceptionMapperService] (executor-thread-16) [500 ERROR DETECTED] : User is not authenticated.: io.quarkus.security.Unauthorized

Browser console logs:
GET http://<apicurio-registry-api-address>/apis/registry/v3/admin/config/artifactTypes 401 (Unauthorized)
GET http://<apicurio-registry-api-address>/apis/registry/v3/search/artifacts?limit=10&name=&offset=0&order=asc&orderby=name 401 (Unauthorized)
index-CCvHZ5iI.js:241 [PageDataLoader] Handling an error loading page data.
index-CCvHZ5iI.js:241 [PageDataLoader] Error searching for artifacts.
[PageDataLoader] FC: the server returned an unexpected status code and no error class is registered for this code 401

I was using some wrong env variables. The correct ones, which work with both Keycloak and Azure AD:

        - name: QUARKUS_HTTP_CORS_ORIGINS
          value: "https://apicurio-registry-ui-address/"
        - name: QUARKUS_OIDC_TENANT_ENABLED
          value: "true"
        - name: QUARKUS_OIDC_AUTH_SERVER_URL
          value: "https://login.microsoftonline.com/tenant_id/v2.0"
        - name: APICURIO_UI_AUTH_OIDC_CLIENT_ID
          value: "client-id"
        - name: KEYCLOAK_API_CLIENT_ID
          value: "client-id"
        - name: APICURIO_UI_AUTH_OIDC_REDIRECT_URI
          value: "https://apicurio-registry-ui-address/"
        - name: ROLE_BASED_AUTHZ_ENABLED
          value: "true"
        - name: QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH
          value: "roles"
        - name: "REGISTRY_UI_AUTH_TYPE"
          value: "oidc"
        - name: APICURIO_UI_AUTH_OIDC_LOGOUT_URL
          value: "https://apicurio-registry-ui-address/"

Closing issue
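Added example (Python; not code from the Apicurio Registry project or from the issue's author): it shows what a role-claim path such as the `QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH` value in the comment above selects inside a decoded token, using constructed payloads shaped like Keycloak and Azure AD tokens. The slash-separated path syntax follows Quarkus' documented `quarkus.oidc.roles.role-claim-path` convention. The Keycloak payload with a top-level `roles` claim assumes a realm-role mapper configured to emit the claim there, which the issue does not spell out; with Keycloak's default mapper the roles sit under `realm_access/roles`, and a path of `roles` then yields nothing, so role-based authorization denies the request.

```python
"""Resolve an OIDC role-claim path against decoded JWT payloads.

Added example, not code from the Apicurio Registry project or the issue
author. All payloads below are constructed samples with placeholder values;
no real tokens are involved and no signature is verified.
"""
import base64
import json
from typing import Any, Dict, List, Optional

# Constructed sample payloads modelled on the two identity providers in the issue.
KEYCLOAK_DEFAULT_PAYLOAD: Dict[str, Any] = {
    "iss": "https://keycloak-address/realms/apicurio",
    "aud": "apicurio-api",
    "preferred_username": "alice",
    # Keycloak's default realm-role mapper nests roles here.
    "realm_access": {"roles": ["sr-admin", "offline_access"]},
}
KEYCLOAK_FLAT_PAYLOAD: Dict[str, Any] = {
    "iss": "https://keycloak-address/realms/apicurio",
    "aud": "apicurio-api",
    "preferred_username": "alice",
    # Assumed setup: a customised realm-role mapper emitting a top-level claim.
    "roles": ["sr-admin", "offline_access"],
}
AZURE_AD_PAYLOAD: Dict[str, Any] = {
    "iss": "https://login.microsoftonline.com/tenant_id/v2.0",
    "aud": "client-id",
    "preferred_username": "alice@example.com",
    # Azure AD emits app roles as a top-level "roles" array.
    "roles": ["sr-admin"],
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(payload: Dict[str, Any]) -> str:
    """Build a header.payload.signature string with a placeholder signature.

    Only produces sample input for decode_payload(); a real server must verify
    the signature against the issuer's JWKS before trusting any claim.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join((
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ))


def decode_payload(token: str) -> Dict[str, Any]:
    """Return the claims of a compact JWT without verifying it.

    Useful for inspecting claim layout while debugging configuration; never
    base an authorization decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def resolve_claim_path(payload: Dict[str, Any], path: str) -> Optional[List[str]]:
    """Follow a slash-separated claim path (e.g. "realm_access/roles").

    Returns the list of role strings, or None when a segment is missing or the
    leaf is not a string/array of strings. A plain string is treated as a
    single role (simplified; Quarkus can also split a string on a separator).
    """
    node: Any = payload
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    if isinstance(node, str):
        return [node]
    if isinstance(node, list) and all(isinstance(r, str) for r in node):
        return node
    return None


def has_role(payload: Dict[str, Any], path: str, role: str) -> bool:
    """True when the configured claim path yields the required role."""
    roles = resolve_claim_path(payload, path)
    return roles is not None and role in roles


def diagnose(payload: Dict[str, Any], path: str) -> str:
    """Describe what the server would see for a given claim path."""
    roles = resolve_claim_path(payload, path)
    if roles is None:
        return f"no roles at claim path {path!r}; role-based access will be denied"
    return f"roles at {path!r}: {roles}"


if __name__ == "__main__":
    for name, payload in (("keycloak default", KEYCLOAK_DEFAULT_PAYLOAD),
                          ("keycloak flat", KEYCLOAK_FLAT_PAYLOAD),
                          ("azure ad", AZURE_AD_PAYLOAD)):
        print(f"{name:17s} {diagnose(decode_payload(make_sample_jwt(payload)), 'roles')}")
```

Run it against a payload decoded from a token your IdP actually issues (with the same caveat that decoding is for inspection only) to confirm the claim path in the registry's configuration points at where that IdP puts the roles.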