Posted to dev@qpid.apache.org by "Alex Rudyy (JIRA)" <ji...@apache.org> on 2017/06/02 19:58:04 UTC

[jira] [Commented] (QPID-7801) [Java Broker] Allow variable substitution of virtualhost in OAuth2 resolver URIs

    [ https://issues.apache.org/jira/browse/QPID-7801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16035323#comment-16035323 ] 

Alex Rudyy commented on QPID-7801:
----------------------------------

Rob, I reviewed the changes made against this JIRA and here are my review comments:
* Substitution of virtualhost
Creation of OAuth2 authentication provider with URIs containing {{$\{virtualhost\}}} fails with {{IllegalArgumentException}} as below
{noformat}
422 - Cannot convert 'http://localhost:8080/auth/realms/${virtualhost}/protocol/openid-connect/userinfo' into a URI for attribute tokenEndpointURI (Illegal character in path at index 35: http://localhost:8080/auth/realms/${virtualhost}/protocol/openid-connect/userinfo)
{noformat}
Encoding of illegal characters does not help in this case, as after encoding the encoded value is not decoded before expanding the URI string. Perhaps URI attribute types should be changed to String to make this work. Am I doing something wrong?
* {{KeycloakOAuth2IdentityResolverService}}
When an attempt is made to create an OAuth2 auth provider with {{KeycloakOAuth2IdentityResolverService}} without setting URI attributes and context variables {{$\{keycloak.baseUrl\}}} and {{$\{keycloak.domain\}}}, the error reported by the Broker is not user-friendly and it could be unclear how to fix the problem. Here is an example of such an error message
{noformat}
422 - Cannot convert '${this:defaultIdentityResolverEndpointURI}' into a URI for attribute identityResolverEndpointURI (Illegal character in scheme name at index 0: ${this:defaultIdentityResolverEndpointURI})
{noformat}
Perhaps {{KeycloakOAuth2IdentityResolverService}} should throw a user-friendly exception from its method {{KeycloakOAuth2IdentityResolverService#validate}} in this case.
* AMQP connection authentication
{{SubjectCreator}} is created in a constructor of {{AMQPConnection_1_0Impl}}. As a result, virtual host can only be set in {{SubjectCreator}} via {{SNI}}. Potentially, the implementation can be changed to create {{SubjectCreator}} in {{#receiveSaslInit()}} so that virtual host can be taken from the {{"sasl-init"}} performative in addition to {{SNI}}. That would allow the use of virtual host substitution with {{SASL}} without TLS.

> [Java Broker] Allow variable substitution of virtualhost in OAuth2 resolver URIs 
> ---------------------------------------------------------------------------------
>
>                 Key: QPID-7801
>                 URL: https://issues.apache.org/jira/browse/QPID-7801
>             Project: Qpid
>          Issue Type: Improvement
>            Reporter: Rob Godfrey
>            Assignee: Rob Godfrey
>
> Allow substitution of address space (based on resolution of SNI / HTTPS HOST to vhost) in OAuth2 resolver URIs (to allow per vhost configuration).  Add keycloak provider
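The first two review points above both come down to ordering: the Broker converts the configured attribute to {{java.net.URI}} before the {{$\{...\}}} placeholder has been expanded, so the literal braces are rejected, and an unset context variable surfaces as an opaque "Illegal character in scheme name" error. The following Java class is an added illustration, not Qpid Broker code; the names {{ResolverEndpointTemplate}}, {{expand}} and {{resolve}} are hypothetical. It keeps the endpoint as a String template, expands placeholders from a supplied variable map, reports an unset variable by name, and only then builds the URI.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Qpid Broker code): hold the endpoint as a String
 * template, expand ${name} placeholders first, and convert to java.net.URI
 * only after substitution. Class and method names are hypothetical.
 */
public final class ResolverEndpointTemplate
{
    // Matches ${name}; the group captures the variable name
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}]+)\\}");

    private final String _template;

    public ResolverEndpointTemplate(final String template)
    {
        _template = template;
    }

    /** Replace every ${name} with its value; fail with a named message if it is unset. */
    public String expand(final Map<String, String> variables)
    {
        final Matcher m = PLACEHOLDER.matcher(_template);
        final StringBuffer sb = new StringBuffer();
        while (m.find())
        {
            final String value = variables.get(m.group(1));
            if (value == null)
            {
                throw new IllegalArgumentException("Endpoint template '" + _template
                        + "' refers to variable '" + m.group(1)
                        + "' which is not set; define it as a context variable");
            }
            m.appendReplacement(sb, Matcher.quoteReplacement(value));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** Expand first, then parse: the URI is built from the substituted string. */
    public URI resolve(final Map<String, String> variables)
    {
        final String expanded = expand(variables);
        try
        {
            return new URI(expanded);
        }
        catch (URISyntaxException e)
        {
            throw new IllegalArgumentException("Expanded endpoint '" + expanded
                                               + "' is not a valid URI: " + e.getMessage(), e);
        }
    }

    public static void main(final String[] args)
    {
        final String template =
                "http://localhost:8080/auth/realms/${virtualhost}/protocol/openid-connect/userinfo";

        // Converting the raw template straight to a URI reproduces the failure from the 422 above
        try
        {
            new URI(template);
        }
        catch (URISyntaxException e)
        {
            System.out.println("raw template rejected: " + e.getMessage());
        }

        // Substituting before conversion succeeds ("default" is a constructed vhost name)
        final ResolverEndpointTemplate userinfo = new ResolverEndpointTemplate(template);
        System.out.println("resolved: " + userinfo.resolve(Map.of("virtualhost", "default")));

        // An unset context variable now yields a message naming the missing variable
        final ResolverEndpointTemplate keycloak = new ResolverEndpointTemplate(
                "${keycloak.baseUrl}/auth/realms/${keycloak.domain}/protocol/openid-connect/userinfo");
        try
        {
            keycloak.resolve(Map.of());
        }
        catch (IllegalArgumentException e)
        {
            System.out.println("validation error: " + e.getMessage());
        }
    }
}
```

Compile and run with {{javac ResolverEndpointTemplate.java && java ResolverEndpointTemplate}} (Java 9 or later for {{Map.of}}). One caveat a validator should keep in mind: a substituted virtual host name is inserted verbatim, so a name containing characters that are not legal in a URI path segment still has to be percent-encoded at substitution time, not in the stored template.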
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
