[Bug] Authentication using OpenID Connect assumes alg element under the OpenID Keys URL to be required. It is optional per specs. #22696
Labels
type/bug
Search before asking
Read release policy
Version
Pulsar 3.0.0
Minimal reproduce step
This is when attempting to use Pulsar Authentication using OpenID Connect with Microsoft EntraID.
Note: You will notice that the JWKS URL provided does not have alg in the key level
( https://login.microsoftonline.com/cde6fa59-abb3-4971-be01-2443c417cbda/discovery/v2.0/keys )
What did you expect to see?
I expect authentication to succeed.
What did you see instead?
I see this in the Pulsar logs. "Failed to authenticate HTTP request: JWK's alg [null] does not match JWT's alg [RS256]"
Anything else?
The issue seems to be coming from here ...
org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID
line 316: if (!jwt.getAlgorithm().equals(jwk.getAlgorithm())) {
It was getting the alg from the keyset, which does not exist as provided by Microsoft Entra (and is defined as optional as per the OIDC spec)
Are you willing to submit a PR?
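A null-tolerant form of the comparison quoted in the report, as an added example; it is not Pulsar's code or the project's fix. The class `JwkAlgCheck`, its methods and the allow-list are hypothetical, and the inputs are plain strings rather than the provider's JWT and JWK objects. It compares `alg` only when the JWK declares one and always checks that the key type (`kty`, which a JWK must carry) fits the JWT's algorithm.

```java
import java.util.Set;

public class JwkAlgCheck {
    // Assumed allow-list: asymmetric algorithms only, so "none" and HS* are rejected.
    static final Set<String> ALLOWED = Set.of(
            "RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
            "ES256", "ES384", "ES512");

    // Key type ("kty") that each allowed algorithm family requires.
    static String requiredKty(String jwtAlg) {
        return jwtAlg.startsWith("ES") ? "EC" : "RSA";
    }

    static void check(String jwtAlg, String jwkAlg, String jwkKty) {
        if (jwtAlg == null || !ALLOWED.contains(jwtAlg)) {
            throw new SecurityException("JWT alg [" + jwtAlg + "] is not allowed");
        }
        // A JWK may omit "alg" (RFC 7517, section 4.4); compare only when it is present.
        if (jwkAlg != null && !jwkAlg.equals(jwtAlg)) {
            throw new SecurityException(
                    "JWK's alg [" + jwkAlg + "] does not match JWT's alg [" + jwtAlg + "]");
        }
        // With or without "alg", the key type must fit the JWT's algorithm.
        if (!requiredKty(jwtAlg).equals(jwkKty)) {
            throw new SecurityException(
                    "JWK's kty [" + jwkKty + "] cannot verify JWT's alg [" + jwtAlg + "]");
        }
    }

    public static void main(String[] args) {
        // Constructed cases: {JWT alg, JWK alg (null = absent), JWK kty}.
        String[][] cases = {
            {"RS256", null, "RSA"},     // key published without "alg", as in the report
            {"RS256", "RS256", "RSA"},  // key that declares a matching alg
            {"RS256", "RS384", "RSA"},  // declared alg differs
            {"ES256", null, "RSA"},     // alg family does not fit the key type
            {"HS256", null, "RSA"},     // symmetric alg against a public key
        };
        for (String[] c : cases) {
            try {
                check(c[0], c[1], c[2]);
                System.out.println(String.join(",", c[0], String.valueOf(c[1]), c[2]) + " -> accepted");
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The allow-list and the `kty` check keep the relaxed comparison from accepting a token whose header names an algorithm the key was never meant for.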