Hi everyone,

I'm encountering issues with configuring Apache Pulsar to authenticate using Keycloak with OpenID Connect (OIDC).

The Docker container for Pulsar is running well, but I'm facing problems with authentication.

I have set up the following configuration for the Pulsar broker and the Spring Boot application, but I'm running into issues with authentication.

Broker Configuration (broker.conf):

```properties
# Specify the authentication provider
authenticationProviders=org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID

# Enable authentication
authenticationEnabled=true

# Disable authorization (if not needed)
authorizationEnabled=false

# OpenID Connect configuration
oidc.auth.provider.openid.issuerUrl=http://your-keycloak-server/realms/master
oidc.auth.provider.openid.clientCredentialsFile=file:///path/to/your/client-credentials.json
oidc.auth.provider.openid.audience=account

# Allowed token issuers and audiences
openIDAllowedTokenIssuers=http://your-keycloak-server/realms/master
openIDAllowedAudiences=account

# Optional settings
openIDRoleClaim=sub
openIDRequireIssuersUseHttps=false

# Token validation settings
authenticationRefreshCheckSeconds=120
openIDAcceptedTimeLeewaySeconds=120
openIDKeyIdCacheMissRefreshSeconds=120
```

Spring Boot Application Configuration:

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.concurrent.TimeUnit;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.impl.auth.oauth2.AuthenticationFactoryOAuth2;

// Factory method wrapping the snippet from the post; the method name is illustrative
public PulsarClient pulsarClient() throws MalformedURLException, PulsarClientException {
    URL issuerUrl = new URL("http://your-keycloak-server/realms/master");
    URL credentialsUrl = new URL("file:///path/to/your/client-credentials.json");
    String audience = "account";
    System.out.println("PulsarClient initializing...");
    // Build Pulsar Client with OAuth2 Authentication
    return PulsarClient.builder()
            .serviceUrl("pulsar://your-pulsar-server:6650")
            .authentication(AuthenticationFactoryOAuth2.clientCredentials(issuerUrl, credentialsUrl, audience))
            .operationTimeout(30, TimeUnit.SECONDS)
            .connectionTimeout(30, TimeUnit.SECONDS)
            .build();
}
```

Credentials JSON File (client-credentials.json):

```json
{
  "client_id": "client_id",
  "client_secret": "client_secret",
  "type": "client_credentials",
  "grant_type": "client_credentials"
}
```

Issues Encountered:

- Authentication Failures: Errors indicating `Failed to authenticate the client` and `Failed to get partitioned topic metadata`.
- JWT Claims Missing: Errors about missing `nbf` (not before) claim in the JWT.
- Configuration Problems: Errors such as `Required configuration parameter: privateKey` and `UnsupportedAuthenticationException`.

Questions:

1. Missing Claims: Why might the JWT tokens issued by Keycloak be missing the `nbf` claim, and how can this be resolved?
2. Authentication Failures: What could be causing the `Failed to authenticate the client` errors, and how can I troubleshoot this?
3. Private Key Error: How can I resolve the `Required configuration parameter: privateKey` issue when using `AuthenticationProviderOpenID`?

Any insights or suggestions would be greatly appreciated. Thank you! (edited)
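As an added diagnostic (not part of the post above and not Pulsar's own code), the following Python applies the claim checks that the broker.conf values configure (allowed issuer, allowed audience, role claim, time leeway) to a decoded access token, so a token fetched from Keycloak can be compared against the broker settings before the broker rejects it. The token and claims are constructed; signature verification is deliberately left to the broker's JWKS lookup, so this only inspects claims.

```python
import base64
import json
import time
from typing import Optional

# Values taken from the broker.conf in the post above
ALLOWED_ISSUERS = {"http://your-keycloak-server/realms/master"}  # openIDAllowedTokenIssuers
ALLOWED_AUDIENCES = {"account"}                                  # openIDAllowedAudiences
ROLE_CLAIM = "sub"                                               # openIDRoleClaim
LEEWAY_SECONDS = 120                                             # openIDAcceptedTimeLeewaySeconds

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the payload WITHOUT checking the signature; JWKS verification stays with the broker."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims: dict, now: Optional[int] = None) -> list:
    """List each mismatch against the configured checks; an empty list means the claims fit."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") not in ALLOWED_ISSUERS:
        problems.append("issuer %r not in openIDAllowedTokenIssuers" % claims.get("iss"))
    aud = claims.get("aud")  # may be a single string or a list of audiences
    if not (set(aud) if isinstance(aud, list) else {aud}) & ALLOWED_AUDIENCES:
        problems.append("audience %r not in openIDAllowedAudiences" % aud)
    if ROLE_CLAIM not in claims:
        problems.append("role claim %r absent" % ROLE_CLAIM)
    if "exp" not in claims:
        problems.append("exp claim missing")
    elif claims["exp"] + LEEWAY_SECONDS < now:
        problems.append("token expired beyond leeway")
    if "nbf" not in claims:
        problems.append("nbf claim missing")
    elif claims["nbf"] - LEEWAY_SECONDS > now:
        problems.append("token not yet valid")
    return problems

def make_test_token(claims: dict) -> str:
    """Constructed token with a placeholder signature, only so the checks can run offline."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "placeholder-signature"])

# Constructed claims shaped like a client_credentials token from the realm above, without nbf
SAMPLE_CLAIMS = {"iss": "http://your-keycloak-server/realms/master", "aud": "account", "azp": "client_id",
                 "sub": "service-account-client_id", "iat": 1700000000, "exp": 1700000300}
```

Run `check_claims(decode_claims(token))` on a real token copied from the Keycloak token endpoint to see which configured check it fails.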