jakubmatyszewski opened a new issue, #16580: URL: https://github.com/apache/druid/issues/16580
### Affected Version

29.0.1

### Description

I've set up the pac4j authenticator based on druid-pac4j-extension to authenticate with Okta. I have an issue where users that are present in my Okta instance, but are **not** assigned to the druid app (in Okta app settings), are redirected to the following screen:

As you will see in the configuration I'll paste below, I have `druid.auth.authenticator.pac4j.skipOnFailure=true` set, and I would expect this would effectively take such a user to the **next authenticator in the chain**, but this doesn't happen and the screen that the user is redirected to is a dead end.

### Configuration in use

```
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator", "pac4j", "anonymous"]
druid.auth.authorizers=["opaAuthorizer"]
druid.auth.authorizer.opaAuthorizer.type=opa
druid.auth.authorizer.opaAuthorizer.opaUri={{ .auth.okta.opaUri}}

# Basic authn
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=opaAuthorizer
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword={ "type": "environment", "variable": "ADMIN_PASSWORD" }
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword={ "type": "environment", "variable": "SYSTEM_PASSWORD" }
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=true

# Escalator authn
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword={ "type": "environment", "variable": "SYSTEM_PASSWORD" }
druid.escalator.authorizerName=opaAuthorizer

# Pac4j
druid.auth.authenticator.pac4j.authorizerName=opaAuthorizer
druid.auth.authenticator.pac4j.type=pac4j
druid.auth.authenticator.pac4j.skipOnFailure=true
druid.auth.pac4j.cookiePassphrase=testpassphrase
druid.auth.pac4j.oidc.clientID={{ .auth.okta.clientID }}
druid.auth.pac4j.oidc.clientSecret={ "type": "environment", "variable": "OIDC_SECRET" }
druid.auth.pac4j.oidc.discoveryURI={{ .auth.okta.discoveryURI }}
druid.auth.pac4j.oidc.scope={{ .auth.okta.oidcScope }}

# Anonymous authn
druid.auth.authenticator.anonymous.type=anonymous
druid.auth.authenticator.anonymous.identity=defaultUser
druid.auth.authenticator.anonymous.authorizerName=opaAuthorizer

druid.auth.allowUnauthenticatedHttpOptions=true
druid.server.http.allowedHttpMethods=["OPTIONS"]
druid.server.http.enableForwardedRequestCustomizer=true
```

### Steps to reproduce the problem

1. To reproduce you need the [druid-pac4j](https://druid.apache.org/docs/latest/development/extensions-core/druid-pac4j/) extension.
   ```
   druid.extensions.loadList=["druid-pac4j", (...)]
   ```
2. Create an app in Okta that will receive & authenticate traffic from druid.
3. Configure druid common config:
   - besides the basic pac4j & Okta configuration, use the [anonymous authenticator](https://druid.apache.org/docs/latest/operations/auth/#anonymous-authenticator)
     ```
     druid.auth.authenticatorChain=["pac4j", "anonymous"]
     ```
   - make sure that the skipOnFailure option for pac4j is on:
     ```
     druid.auth.authenticator.pac4j.skipOnFailure=true
     ```
4. Create 2 users in Okta:
   - one that will be assigned to the druid app
   - the other one that won't be assigned there, but is a member of your company
5. Try to enter the druid dashboard with both users (the other user will be redirected to the 401 screen instead of being authenticated with the `anonymous` authenticator).

### Errors in logs

In default logging I saw only this line in the router logs:

```
2024-06-10T12:01:46,325 ERROR [qtp1032375822-100] org.pac4j.oidc.credentials.extractor.OidcExtractor - Bad authentication response, error=access_denied
```

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
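The issue hinges on how each entry in `druid.auth.authenticatorChain` is configured (its `type`, its `authorizerName`, and whether `skipOnFailure` is set) and on the fact that an `anonymous` authenticator at the end of the chain authenticates whatever reaches it as `defaultUser`. The following checker is an added example, not code from the issue or from Druid: it parses a properties file, walks the chain in order and reports those settings per authenticator. The property names are the ones used in the issue; the lint rules, the assumption that `skipOnFailure` defaults to `false`, and the embedded sample config (the reporter's, with its templated values left as-is) are this example's own.

```python
"""Lint the authenticator chain in a Druid common runtime.properties file.

Added example (not part of the issue or of Druid): pulls the authenticator
chain out of a properties file and reports, per authenticator, the settings
a reviewer wants to see side by side. The property names come from the issue;
the lint rules below are this example's own assumptions.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the reporter's configuration from the issue, with the
# templated values ({{ ... }}) left exactly as they appear there.
SAMPLE_CONFIG = """\
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator", "pac4j", "anonymous"]
druid.auth.authorizers=["opaAuthorizer"]
druid.auth.authorizer.opaAuthorizer.type=opa
druid.auth.authorizer.opaAuthorizer.opaUri={{ .auth.okta.opaUri}}
# Basic authn
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=opaAuthorizer
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=true
# Pac4j
druid.auth.authenticator.pac4j.authorizerName=opaAuthorizer
druid.auth.authenticator.pac4j.type=pac4j
druid.auth.authenticator.pac4j.skipOnFailure=true
# Anonymous authn
druid.auth.authenticator.anonymous.type=anonymous
druid.auth.authenticator.anonymous.identity=defaultUser
druid.auth.authenticator.anonymous.authorizerName=opaAuthorizer
"""


def parse_properties(text: str) -> dict:
    """Parse Java-style key=value lines; lines starting with '#' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # values may themselves contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props


@dataclass
class AuthenticatorInfo:
    name: str
    type: Optional[str]
    authorizer: Optional[str]
    skip_on_failure: bool
    findings: List[str] = field(default_factory=list)


def lint_auth_chain(text: str) -> List[AuthenticatorInfo]:
    """Walk the chain in order and attach findings to each authenticator."""
    props = parse_properties(text)
    chain = json.loads(props.get("druid.auth.authenticatorChain", "[]"))
    authorizers = set(json.loads(props.get("druid.auth.authorizers", "[]")))
    result = []
    for pos, name in enumerate(chain):
        prefix = f"druid.auth.authenticator.{name}."
        info = AuthenticatorInfo(
            name=name,
            type=props.get(prefix + "type"),
            authorizer=props.get(prefix + "authorizerName"),
            # Assumption of this example: skipOnFailure defaults to false.
            skip_on_failure=props.get(prefix + "skipOnFailure", "false").lower() == "true",
        )
        if info.type is None:
            info.findings.append("no type configured")
        if info.authorizer is None:
            info.findings.append("no authorizerName configured")
        elif info.authorizer not in authorizers:
            info.findings.append(
                f"authorizer {info.authorizer!r} is not listed in druid.auth.authorizers")
        is_last = pos == len(chain) - 1
        if not is_last and not info.skip_on_failure:
            info.findings.append(
                "skipOnFailure is false: a failure here ends the chain "
                "before the later authenticators are tried")
        if info.type == "anonymous":
            identity = props.get(prefix + "identity", "defaultUser")
            info.findings.append(
                f"anonymous authenticator: every request that reaches it is "
                f"authenticated as {identity!r}; the authorizer policy for that "
                f"identity decides what an unauthenticated caller can do")
        result.append(info)
    return result


if __name__ == "__main__":
    for info in lint_auth_chain(SAMPLE_CONFIG):
        print(f"{info.name}: type={info.type} authorizer={info.authorizer} "
              f"skipOnFailure={info.skip_on_failure}")
        for finding in info.findings:
            print(f"  - {finding}")
```

Run against the sample, the report shows all three chain entries resolving to `opaAuthorizer`, both non-final entries with `skipOnFailure=true`, and a note on the `anonymous` entry; drop the pac4j `skipOnFailure` line and the checker flags that the chain would stop at pac4j. That is the configuration-side picture; it says nothing about how the OIDC callback error in the router log is handled inside the pac4j filter, which is what the issue is asking about.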
