
Not able to use micronaut to login to AKHQ #1886

Open
haraldott opened this issue Dec 5, 2024 · 2 comments

Comments


haraldott commented Dec 5, 2024

Issue description

Hi all,

we switched from our cookie-based authentication to idtoken-based authentication in our AKHQ service, which is using Micronaut. While most of the flow appears to work correctly, we are encountering an issue during the SSO callback. Our application logs show the following warning:

openIdToken should be present in user details attributes to use micronaut.security.authentication:idtoken

Below is the configuration we are currently using:

micronaut:
  security:
    authentication: idtoken
    enabled: true
    oauth2:
      enabled: true
      clients:
        sso:
          client-id: #censored#
          client-secret: #censored#
          openid:
            issuer: "#censored#"
            authorization:
              acr-values:
                - "gas:strong"
            configuration-path: ".well-known/openid-configuration"
            scope:
              - "openid"
              - "profile"
              - "email"
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: #censored#

We also tried the bearer authentication method where we are getting the following error:

{ "message":"Page Not Found", "_links":{ "self":{ "href":"/oauth/login/sso", "templated":false } } }

with the following configuration:

micronaut:
  server:
    netty:
      max-header-size: 100000
  security:
    authentication: bearer
    enabled: true
    oauth2:
      enabled: true
      clients:
        sso:
          client-id: <path:dev/sso/akhq#ClientID>
          client-secret: <path:dev/sso/akhq#ClientSecret>
          openid:
            issuer: "#censored#"
            authorization:
              acr-values:
                - "gas:strong"
            configuration-path: ".well-known/openid-configuration"
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: #censored#

We are wondering if there are any configurations that we are missing here?

sdelamo (Contributor) commented Dec 18, 2024

@haraldott can you provide a sample app? I am new to AKHQ

smasilamani-cfins commented

I am facing the same issue with AKHQ. We use AWS Cognito as our OIDC provider and we can see from the logs that the user gets authenticated successfully but later throws the same error as @haraldott. Cognito issues the claims via ID token and we need that to map our AD groups to AKHQ groups to grant proper permission.

2025-01-11T13:53:58.700000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:58,699 TRACE default-nioEventLoopGroup-1-6 i.m.s.o.client.DefaultOpenIdClient Starting authorization code grant flow to provider [saml]. Redirecting to [https://kafka-test.auth.us-east-1.amazoncognito.com/oauth2/authorize]
2025-01-11T13:53:58.701000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:58,701 TRACE default-nioEventLoopGroup-1-6 .DefaultAuthorizationRedirectHandler Built the authorization URL [https://test.auth.us-east-1.amazoncognito.com/oauth2/authorize?scope=openid+email+profile&response_type=code&redirect_uri=https%3A%2F%2Fakhq.test.io%2Foauth%2Fcallback%2Fsaml&state=eyJyZWRpcmVjdFVyaSI6Imh0dHBzOi8vdGVzdC1ha2hxLmNmaW5zLmlvL29hdXRoL2NhbGxiYWNrL2NydW0tc2FtbCIsIm5vbmNlIjoiYjNjNGFmMDYtZWM5NC00ZGFiLWEwYjktNWNiOWIyZTZmMzNhIn0%3D&nonce=f09d4e2a-8e39-4985-b3a2-49a4b7e1fc79&client_id=*******************]
2025-01-11T13:53:58.702000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:58,702 INFO default-nioEventLoopGroup-1-6 org.akhq.log.access [Date: 2025-01-11T13:53:58.702166017Z] [Duration: 3 ms] [Url: GET /oauth/login/saml] [Status: 302] [Ip: /172.28.201.5] [User:Anonymous]
2025-01-11T13:53:59.115000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,115 DEBUG default-nioEventLoopGroup-1-6 i.m.s.t.reader.HttpHeaderTokenReader Looking for bearer token in Authorization header
2025-01-11T13:53:59.116000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,116 DEBUG default-nioEventLoopGroup-1-6 i.m.s.t.reader.DefaultTokenResolver Request GET, /oauth/callback/saml, no token found.
2025-01-11T13:53:59.116000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,116 DEBUG default-nioEventLoopGroup-1-6 i.m.security.rules.IpPatternsRule One or more of the IP patterns matched the host address [172.28.201.5]. Continuing request processing.
2025-01-11T13:53:59.116000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,116 DEBUG default-nioEventLoopGroup-1-6 i.m.s.rules.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
2025-01-11T13:53:59.117000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,116 DEBUG default-nioEventLoopGroup-1-6 i.m.security.filters.SecurityFilter Authorized request GET /oauth/callback/saml. The rule provider org.akhq.security.rule.SecuredAnnotationRuleWithDefault authorized the request.
2025-01-11T13:53:59.117000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,117 TRACE default-nioEventLoopGroup-1-6 i.m.s.o.r.DefaultOauthController Received callback from oauth provider [saml]
2025-01-11T13:53:59.117000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,117 TRACE default-nioEventLoopGroup-1-6 i.m.s.o.client.DefaultOpenIdClient Received a successful authorization response from provider [saml]
2025-01-11T13:53:59.117000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,117 TRACE default-nioEventLoopGroup-1-6 ltOpenIdAuthorizationResponseHandler Validating state found in the authorization response from provider [saml]
2025-01-11T13:53:59.118000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,118 TRACE default-nioEventLoopGroup-1-6 s.o.e.t.r.DefaultTokenEndpointClient Sending request to token endpoint [https://kafka-test.auth.us-east-1.amazoncognito.com/oauth2/token]
2025-01-11T13:53:59.118000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,118 TRACE default-nioEventLoopGroup-1-6 s.o.e.t.r.DefaultTokenEndpointClient The token endpoint supports [[client_secret_basic, client_secret_post]] authentication methods
2025-01-11T13:53:59.118000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,118 TRACE default-nioEventLoopGroup-1-6 s.o.e.t.r.DefaultTokenEndpointClient Using client_secret_basic authentication. Adding an Authorization header
2025-01-11T13:53:59.120000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,119 TRACE default-nioEventLoopGroup-1-6 .p.ClientCredentialsHttpClientFilter Did not find any OAuth 2.0 client which should decorate the request with an access token received from client credentials request
2025-01-11T13:53:59.344000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,344 TRACE io-executor-thread-2 ltOpenIdAuthorizationResponseHandler Token endpoint returned a success response. Validating the JWT
2025-01-11T13:53:59.344000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,344 TRACE io-executor-thread-2 .DefaultOpenIdTokenResponseValidator Validating the JWT signature using the JWKS uri [https://cognito-idp.us-east-1.amazonaws.com/us-east-1_zkIPzLZKN/.well-known/jwks.json]
2025-01-11T13:53:59.344000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,344 DEBUG io-executor-thread-2 i.m.s.t.jwt.validator.JwtValidator Validating signed JWT
2025-01-11T13:53:59.344000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,344 DEBUG io-executor-thread-2 i.m.s.t.j.s.jwks.JwksSignatureUtils JWT Key ID: eQO7jdmMikPAZvjFmYfbbNyEiMkGkHHZcRSi7WKNgGQ=
2025-01-11T13:53:59.345000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,345 DEBUG io-executor-thread-2 i.m.s.t.j.s.jwks.JwksSignatureUtils JWK Set Key IDs: eQO7jdmMikPAZvjFmYfbbNyEiMkGkHHZcRSi7WKNgGQ=,msoiFtk4sZnxg/qWXAdBJJbykSpxRlLrUs4vCfviy/Q=
2025-01-11T13:53:59.345000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,345 DEBUG io-executor-thread-2 i.m.s.t.j.s.jwks.JwksSignatureUtils Found 1 matching JWKs
2025-01-11T13:53:59.346000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,346 TRACE io-executor-thread-2 .DefaultOpenIdTokenResponseValidator JWT signature validation succeeded. Validating claims...
2025-01-11T13:53:59.347000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,347 TRACE io-executor-thread-2 i.m.s.o.c.IdTokenClaimsValidator azp claim is not required for single audiences
2025-01-11T13:53:59.347000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,347 TRACE io-executor-thread-2 ltOpenIdAuthorizationResponseHandler Token validation succeeded. Creating a user details
2025-01-11T13:53:59.347000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,347 TRACE io-executor-thread-2 i.m.s.o.r.DefaultOauthController Authentication succeeded. User [[email protected]] is now logged in
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,348 WARN io-executor-thread-2 i.m.s.o.e.t.r.IdTokenLoginHandler openIdToken should be present in user details attributes to use micronaut.security.authentication:idtoken
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 2025-01-11 13:53:59,348 ERROR io-executor-thread-2 o.akhq.controllers.ErrorController null
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 io.micronaut.security.errors.OauthErrorResponseException: null
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micronaut.security.oauth2.endpoint.token.response.IdTokenLoginHandler.lambda$getCookies$0(IdTokenLoginHandler.java:80)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at java.base/java.util.Optional.orElseThrow(Unknown Source)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micronaut.security.oauth2.endpoint.token.response.IdTokenLoginHandler.getCookies(IdTokenLoginHandler.java:80)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micronaut.security.token.cookie.CookieLoginHandler.loginSuccess(CookieLoginHandler.java:98)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micronaut.security.token.cookie.CookieLoginHandler.loginSuccess(CookieLoginHandler.java:44)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micronaut.security.oauth2.routes.DefaultOauthController.lambda$callback$0(DefaultOauthController.java:100)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:106)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapInner.onNext(FluxSwitchMapNoPrefetch.java:408)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:122)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:122)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.reactivex.internal.util.HalfSerializer.onNext(HalfSerializer.java:45)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.reactivex.internal.subscribers.StrictSubscriber.onNext(StrictSubscriber.java:97)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.reactivex.internal.subscriptions.ScalarSubscription.request(ScalarSubscription.java:55)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.reactivex.internal.subscriptions.SubscriptionHelper.deferredSetOnce(SubscriptionHelper.java:202)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.reactivex.internal.subscribers.StrictSubscriber.onSubscribe(StrictSubscriber.java:87)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.reactivex.internal.operators.flowable.FlowableJust.subscribeActual(FlowableJust.java:34)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.reactivex.Flowable.subscribe(Flowable.java:14935)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.reactivex.Flowable.subscribe(Flowable.java:14885)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxSource.subscribe(FluxSource.java:71)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.Flux.subscribe(Flux.java:8840)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapMain.subscribeInner(FluxSwitchMapNoPrefetch.java:219)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapMain.onNext(FluxSwitchMapNoPrefetch.java:164)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.runAsync(FluxPublishOn.java:446)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.run(FluxPublishOn.java:533)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$3(PropagatedContext.java:211)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$4(PropagatedContext.java:228)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micrometer.core.instrument.composite.CompositeTimer.recordCallable(CompositeTimer.java:129)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micrometer.core.instrument.Timer.lambda$wrap$1(Timer.java:203)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$4(PropagatedContext.java:228)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micrometer.core.instrument.composite.CompositeTimer.recordCallable(CompositeTimer.java:129)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at io.micrometer.core.instrument.Timer.lambda$wrap$1(Timer.java:203)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
2025-01-11T13:53:59.348000+00:00 ecs/test-ssl-kafka-akhq/5eaa05ea885b45a18f0ed13703155bd9 at java.base/java.lang.Thread.run(Unknown Source)
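As an added example (not code from AKHQ, Micronaut or any poster in this thread), this is what a custom Micronaut `OpenIdAuthenticationMapper` for the `sso` client looks like when it maps a group claim to roles, as the Cognito comment asks for, and still keeps the raw ID token under the `openIdToken` attribute that `IdTokenLoginHandler` reads; the warning quoted in the first post is logged when that attribute is absent. The class name, the bean name, the group claim and the group-to-role table are assumptions.

```java
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.security.authentication.AuthenticationResponse;
import io.micronaut.security.oauth2.endpoint.authorization.state.State;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdAuthenticationMapper;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdClaims;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdTokenResponse;
import jakarta.inject.Named;
import jakarta.inject.Singleton;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical mapper for the OAuth2 client named "sso" in the issue's configuration.
 * It turns a group claim from the ID token into application roles and keeps the raw
 * ID token under OPENID_TOKEN_KEY ("openIdToken"), the attribute that
 * IdTokenLoginHandler requires when micronaut.security.authentication is idtoken.
 */
@Singleton
@Named("sso") // assumption: must match the key under micronaut.security.oauth2.clients
public class GroupClaimAuthenticationMapper implements OpenIdAuthenticationMapper {

    // Assumption: the provider places group membership in this claim
    // (Cognito, mentioned in the thread, uses "cognito:groups").
    private static final String GROUPS_CLAIM = "cognito:groups";
    // Constructed mapping from provider groups to application roles; unknown groups
    // map to nothing, so a user without a listed group gets no role (least privilege).
    private static final Map<String, String> GROUP_TO_ROLE = Map.of(
            "kafka-admins", "admin",
            "kafka-readers", "reader");

    @Override
    @NonNull
    public AuthenticationResponse createAuthenticationResponse(String providerName,
                                                               OpenIdTokenResponse tokenResponse,
                                                               OpenIdClaims openIdClaims,
                                                               @Nullable State state) {
        List<String> roles = new ArrayList<>();
        if (openIdClaims.get(GROUPS_CLAIM) instanceof Iterable<?> groups) {
            for (Object group : groups) {
                String role = GROUP_TO_ROLE.get(String.valueOf(group));
                if (role != null) {
                    roles.add(role);
                }
            }
        }
        Map<String, Object> attributes = new HashMap<>();
        // Without this line IdTokenLoginHandler logs the warning quoted in the issue and fails.
        attributes.put(OPENID_TOKEN_KEY, tokenResponse.getIdToken());
        return AuthenticationResponse.success(openIdClaims.getSubject(), roles, attributes);
    }
}
```

With the idtoken strategy the session cookie carries the ID token itself, so the session is only as long-lived as the token's `exp` claim and the cookie should stay `Secure` and `HttpOnly`.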
