akhq: AKHQ Login via OIDC Keycloak not working with 0.17 or 0.18
Hello AKHQ Team,
Thank you for the project. Today I tested updating our AKHQ setup from 0.16 to 0.17. After the update I’m not able to log in anymore via OIDC.
We use Keycloak as OIDC provider, and with Keycloak we create a token which includes the AKHQ roles which should be allowed and the topic filter regex. An example token:
{
  "exp": "...",
  "iat": "...",
  "jti": "...",
  "iss": "OIDC-URL",
  "sub": "...",
  "typ": "Bearer",
  "azp": "client-ID",
  "session_state": "...",
  "acr": "1",
  "allowed-origins": [],
  "resource_access": {
    "client-id": {
      "roles": [
        "topic/read",
        "group/read",
        "topic/data/read"
      ]
    }
  },
  "scope": "openid profile email",
  "topics-filter-regexp": [
    "^my_test_latest_r-type_v1$",
    "^my_test_latest_a_v1$"
  ],
  "email_verified": false,
  "roles": [
    "topic/read",
    "group/read",
    "topic/data/read"
  ],
  "name": "Firstname Lastname",
  "preferred_username": "user@domain",
  "given_name": "Firstname",
  "locale": "en",
  "family_name": "Lastname",
  "email": "firstname.lastname@domain.com"
}
This is the AKHQ config
# Auth & Roles (optional)
security:
  default-group: no-roles # Default groups for all the user even unlogged user
  oidc:
    enabled: true
    providers:
      keycloak:
        label: "Login with Desti Passport"
        username-field: preferred_username # default in jwt token claim, preferred_username
        groups-field: roles
        default-group: no-roles
Here is the token created by AKHQ, log output from AKHQ 0.16.0:
Attributes:
at_hash=>...,
sub=>...,
email_verified=>false,
roles=>["topic\/read","group\/read","topic\/data\/read"],
iss=>akhq,
typ=>ID,
preferred_username=>...,
given_name=>...,
locale=>en,
acr=>0,
topics-filter-regexp=>["^my_test_latest_r-type_v1$","^my_test_latest_a_v1$"],
nbf=>Wed Sep 22 08:23:51 UTC 2021,
azp=>client-id,
auth_time=>...,
name=>Firstname Lastname,
exp=>Wed Sep 22 09:23:51 UTC 2021,
session_state=>...,
iat=>Wed Sep 22 08:23:51 UTC 2021,
family_name=>Lastname,
email=>firstname.lastname@domain.com,
oauth2Provider=>keycloak,
username=>...
And this is what I get when using AKHQ 0.18.0; everything is empty:
Attributes:
sub=>...,
nbf=>Wed Sep 22 08:26:30 UTC 2021,
connectsFilterRegexp=>[],
roles=>[],
iss=>akhq,
exp=>Wed Sep 22 09:26:30 UTC 2021,
iat=>Wed Sep 22 08:26:30 UTC 2021,
consumerGroupsFilterRegexp=>[],
topicsFilterRegexp=>[]
I saw a lot of changes around OIDC in AKHQ 0.17 and 0.18, and somewhere there the configuration is lost. Do you have an idea why our setup isn’t working anymore or what is missing in our JWT token which is required by AKHQ?
About this issue
- State: closed
- Created 3 years ago
- Comments: 29 (11 by maintainers)
The Micronaut framework does the magic: https://docs.micronaut.io/latest/guide/#immutableConfig
Configuration injection resolves kebab-case from YAML configuration files into their Java camel-case equivalent variables if you have a dedicated class for it, which there is: https://github.com/tchiotludo/akhq/blob/dev/src/main/java/org/akhq/configs/SecurityProperties.java Big subject. There’s a lot more to it, like seamless support for env variables (uppercase with underscores).
@wilkej even if you are not a Java developer, maybe you can add a unit test (that will fail) with a token you have here. This part is completely blind for me; having a good token, as a user can have, will help to add a unit test about that.
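As an added example (not part of the thread and not AKHQ code), the following script checks offline whether the claim named in `groups-field` is present as a top-level list of strings in a token, which is the first thing to rule out when the mapped roles come back empty and only `default-group` applies. It assumes the consumer reads the configured claim as a top-level key; the helper names and the sample claims are constructed for illustration.

```python
import base64
import json

# Constructed sample: a subset of the claims shown in the issue's example token.
SAMPLE_CLAIMS = {
    "preferred_username": "user@domain",
    "resource_access": {"client-id": {"roles": ["topic/read", "group/read"]}},
    "roles": ["topic/read", "group/read", "topic/data/read"],
    "topics-filter-regexp": ["^my_test_latest_a_v1$"],
}

def make_unsigned_token(claims):
    """Build a constructed, unsigned token (alg "none") for offline inspection only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

def jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_group_mapping(claims, groups_field="roles", username_field="preferred_username"):
    """Report what a top-level lookup of the configured claim names finds."""
    raw = claims.get(groups_field)
    if raw is None:
        groups, problem = [], "claim %r is missing" % groups_field
    elif isinstance(raw, list) and all(isinstance(g, str) for g in raw):
        groups, problem = raw, None
    else:
        groups, problem = [], "claim %r is not a list of strings" % groups_field
    # Client roles nested under resource_access are invisible to a top-level lookup.
    nested = {c: v.get("roles", []) for c, v in claims.get("resource_access", {}).items()}
    return {"username": claims.get(username_field), "groups": groups,
            "problem": problem, "nested_roles": nested}

if __name__ == "__main__":
    print(check_group_mapping(jwt_claims(make_unsigned_token(SAMPLE_CLAIMS))))
    # Same token without the top-level "roles" claim: groups come back empty.
    stripped = {k: v for k, v in SAMPLE_CLAIMS.items() if k != "roles"}
    print(check_group_mapping(jwt_claims(make_unsigned_token(stripped))))
```

Run `jwt_claims` on both the ID token and the access token from the provider, since the two can carry different claim sets.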