Search before asking
Read release policy
Version
Pulsar v3.1.1
Minimal reproduce step
Goal is to enable OIDC in a standalone Pulsar instance via Azure App Registrations.
- Create an App registration in Azure in preparation for OIDC
- Bind the necessary args to the standalone.conf file to enable OIDC following official instructions, including admin role binding
- Start instance
- Configure the pulsar admin/shell to use OAuth2 with a credential and make an admin call (ex: tenants list)
What did you expect to see?
listed tenants
What did you see instead?
A 401/unauthorized on the client/shell side.

An error on the Pulsar broker/instance side: Failed to authenticate HTTP request: Failed to authenticate HTTP request: JWK's alg [null] does not match JWT's alg [RS256]

Anything else?
The 'alg' header is optional, as per the JWK spec:

Azure does not return this as a field as part of the well-known config, but the Pulsar OIDC implementation requires this. This validation is failing and results in the error I saw in the Pulsar instance logs:

It's also possible I've screwed up the OIDC configuration, but my suspicion above seems to make sense... I can share more of my config if needed.
I'll be glad to do anything I can to help fix this; my guess is this behavior would prevent it from functioning with Azure (if the alg field is missing globally). Short of creating a custom OIDC implementation/authorizer myself, is there anything else I can do in the interim to get around this?
Are you willing to submit a PR?
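
The check this report is about, as an added example that is not Pulsar's code and not part of the original issue: RFC 7517 makes a JWK's `alg` member optional, so a validator can treat an absent `alg` as "not pinned" and fall back to an algorithm allowlist plus key-type compatibility rather than rejecting the key. The allowlist, the function names and the JWKS below (constructed, with placeholder key material) are assumptions.

```python
# Added example, not Pulsar's implementation. JWKS entries are constructed.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384"}  # assumed allowlist

# Signature algorithms each JWK key type ("kty") can verify.
KTY_ALGS = {
    "RSA": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "EC": {"ES256", "ES384", "ES512"},
}
EC_CURVE_ALG = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}

JWKS = {"keys": [  # constructed; "n"/"x"/"y" are placeholders, not real keys
    {"kty": "RSA", "use": "sig", "kid": "key-no-alg", "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "key-rs256", "alg": "RS256",
     "n": "PLACEHOLDER", "e": "AQAB"},
    {"kty": "EC", "kid": "key-ec", "crv": "P-256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
]}


def jwk_permits_alg(jwk, jwt_alg, allowed=ALLOWED_ALGS):
    """Return (ok, reason): may a JWT signed with jwt_alg be verified with jwk?"""
    # The allowlist applies whether or not the JWK pins an algorithm, so
    # "none" and symmetric algorithms never reach signature verification.
    if jwt_alg not in allowed:
        return False, f"JWT alg {jwt_alg!r} is not in the allowlist"
    if jwk.get("use", "sig") != "sig":
        return False, "JWK is not a signature key"
    kty = jwk.get("kty")
    if jwt_alg not in KTY_ALGS.get(kty, set()):
        return False, f"JWT alg {jwt_alg!r} is not valid for kty {kty!r}"
    if kty == "EC" and EC_CURVE_ALG.get(jwk.get("crv")) != jwt_alg:
        return False, f"JWT alg {jwt_alg!r} does not match curve {jwk.get('crv')!r}"
    jwk_alg = jwk.get("alg")
    if jwk_alg is None:
        return True, "JWK has no alg; accepted on allowlist and key type"
    if jwk_alg != jwt_alg:
        return False, f"JWK's alg [{jwk_alg}] does not match JWT's alg [{jwt_alg}]"
    return True, "JWK alg matches JWT alg"


def select_key(jwks, header):
    """Pick the JWK named by the JWT header's kid, or (None, reason)."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == header.get("kid"):
            ok, reason = jwk_permits_alg(jwk, header.get("alg"))
            return (jwk if ok else None), reason
    return None, "no JWK with a matching kid"
```
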