OIDC AuthenticationClass cannot be shared with other products #716

Closed
maltesander opened this issue Nov 21, 2024 · 0 comments · Fixed by #718
@maltesander
Member

Affected Stackable version

24.11

Affected Apache NiFi version

1.27.0, 2.0.0

Current and expected behavior

The Stackable AuthenticationClass is used to share information about e.g. an OIDC endpoint between products.

apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: keycloak
spec:
  provider:
    oidc:
      hostname: sdp-keycloak.tech
      port: 443
      principalClaim: preferred_username
      rootPath: /realms/sdp
     ...

This configuration would work with other Stackable products like Trino and Superset, but fails in NiFi.
The reason is that NiFi expects a trailing slash in the rootPath and fails to configure if it's missing. Other products do not need that.

Possible solution

Consolidate the NiFi operator code to be able to share (OIDC) AuthenticationClasses with other products without breaking.

Additional context

A workaround is to not share the AuthenticationClass with other Stackable products, but create a new AuthenticationClass with the trailing slash fixed:

apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: keycloak-nifi-fix
spec:
  provider:
    oidc:
      hostname: sdp-keycloak.tech
      port: 443
      principalClaim: preferred_username
      rootPath: /realms/sdp/
     ...

Environment

No response

Would you like to work on fixing this bug?

None
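
The rootPath mismatch described in this issue can be removed by normalizing the path before the OIDC discovery URL is built, so one AuthenticationClass works with or without the trailing slash. The following is an added example, not code from the issue or from the NiFi operator: the `OidcProvider` struct, its `tls` flag and both function names are hypothetical, and only `hostname`, `port` and `rootPath` come from the YAML above.

```rust
// Added example: hypothetical helper, not the NiFi operator's actual code.
// Field names mirror the AuthenticationClass spec shown in the issue.

/// Subset of the OIDC provider settings (constructed for this example).
pub struct OidcProvider<'a> {
    pub hostname: &'a str,
    pub port: u16,
    pub root_path: &'a str,
    pub tls: bool, // assumption: whether the identity provider is reached over HTTPS
}

/// Normalize `rootPath` so that "/realms/sdp", "/realms/sdp/", "realms/sdp"
/// and "" all yield a path with exactly one leading and one trailing slash.
/// Empty segments (doubled slashes) are dropped.
pub fn normalize_root_path(root_path: &str) -> String {
    let segments: Vec<&str> = root_path.split('/').filter(|s| !s.is_empty()).collect();
    if segments.is_empty() {
        "/".to_string()
    } else {
        format!("/{}/", segments.join("/"))
    }
}

/// Build the OIDC discovery URL using the standard
/// `.well-known/openid-configuration` suffix.
pub fn discovery_url(p: &OidcProvider) -> String {
    let (scheme, default_port) = if p.tls { ("https", 443) } else { ("http", 80) };
    // Omit the port when it is the default for the scheme.
    let authority = if p.port == default_port {
        p.hostname.to_string()
    } else {
        format!("{}:{}", p.hostname, p.port)
    };
    let path = normalize_root_path(p.root_path);
    format!("{}://{}{}.well-known/openid-configuration", scheme, authority, path)
}

fn main() {
    // Both spellings of rootPath from the issue resolve to the same URL.
    for root_path in ["/realms/sdp", "/realms/sdp/"] {
        let p = OidcProvider { hostname: "sdp-keycloak.tech", port: 443, root_path, tls: true };
        println!("{:>14} -> {}", root_path, discovery_url(&p));
    }
}
```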
