JTBS opened a new issue, #19868: URL: https://github.com/apache/pulsar/issues/19868
### Search before asking

- [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.

### Version

Pulsar 2.11.x
Standalone install on Ubuntu/WSL2

```
bin/pulsar standalone
```

### Minimal reproduce step

Followed steps in: https://pulsar.apache.org/docs/2.11.x/security-oauth2/

```
tokenSecretKey=file:///path/to/secret.key
```

Generated secret using:

```
bin/pulsar tokens create-secret-key --output my-secret.key
```

Ref: https://pulsar.apache.org/docs/2.11.x/security-token-admin/

Install standalone: Pulsar 2.11.x

```
bin/pulsar standalone
```

### What did you expect to see?

Expected Pulsar standalone install to start successfully.

If I disable authentication, then the Pulsar standalone cluster starts successfully.

### What did you see instead?

**Option 1: Error: with tokenSecretKey generated as per docs:**

```
org.apache.pulsar.broker.web.AuthenticationFilter - [127.0.0.1] Failed to authenticate HTTP request: Failed to authentication token: The parsed JWT indicates it was signed with the RS256 signature algorithm, but the specified signing key of type javax.crypto.spec.SecretKeySpec may not be used to validate RS256 signatures. Because the specified signing key reflects a specific and expected algorithm, and the JWT does not reflect this algorithm, it is likely that the JWT was not expected and therefore should not be trusted. Another possibility is that the parser was configured with the incorrect signing key, but this cannot be assumed for security reasons.
2023-03-20T21:14:34,375-0400 [AsyncHttpClient-71-1] WARN org.apache.pulsar.client.admin.internal.BaseResource - [http://localhost:8085/admin/v2/persistent/public/functions/assignments] Failed to perform http put request: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
```

**Option 2: Error: if I try tokenPublicKey instead - this is valid Public key I got from OKTA api**

I also tried using the Public KEY in DER format option.
- That is a valid OKTA Public Key
- I was able to validate the Token independently using the same public key
- But I still got "401 error" in that case also
- Error below with "Public Key option"

Error:

```
WARN org.apache.pulsar.broker.web.AuthenticationFilter - [127.0.0.1] Failed to authenticate HTTP request: Failed to authentication token: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
```

**Option 3: Error if no tokenSecretKey or tokenPublicKey provided**

Error:

```
java.io.IOException: No secret key was provided for token authentication
    at org.apache.pulsar.broker.authentication.AuthenticationProviderToken.getValidationKey(AuthenticationProviderToken.java:269) ~[org.apache.pulsar-pulsar-broker-common-2.11.0.jar:2.11.0]
```

**Option 4: Tried to use Kubernetes Pulsar Install with Helm charts**

Error: Looks like the current helm charts only support the "JWT" option and not "OAUTH2" - Broker was not coming up due to errors on start up.

### Anything else?

I am just looking for correct guidance on how to enable Authentication on a standalone Pulsar install. I tried a lot of options to just get this working but with no luck. All my OAUTH details seem to be correct and I independently verified them.

### Are you willing to submit a PR?

- [ ] I'm willing to submit a PR!
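An added diagnostic sketch, not part of the issue and not Pulsar's own code: it reads a token's unverified JOSE header to show which of the two broker settings named in the report (`tokenSecretKey` or `tokenPublicKey`) the token's `alg` calls for, and surfaces `kid` so it can be compared with the key exported from the identity provider. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Algorithm families as defined for JWS in RFC 7518.
HMAC_ALGS = {"HS256", "HS384", "HS512"}                       # shared secret
ASYMMETRIC_ALGS = {f"{p}{n}" for p in ("RS", "PS", "ES")
                   for n in (256, 384, 512)}                  # key pair


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Decode the JOSE header only. Nothing here verifies the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    seg = parts[0]
    # JWT segments are base64url without padding; restore it before decoding.
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def diagnose(token: str, configured: str) -> dict:
    """configured: broker key setting in use, 'tokenSecretKey' or 'tokenPublicKey'."""
    header = jwt_header(token)
    alg = header.get("alg")
    if not isinstance(alg, str):
        needed = None
    elif alg in HMAC_ALGS:
        needed = "tokenSecretKey"
    elif alg in ASYMMETRIC_ALGS:
        needed = "tokenPublicKey"
    else:
        needed = None  # e.g. "none": not a token to accept
    return {"alg": alg, "kid": header.get("kid"), "needed": needed,
            "compatible": needed is not None and needed == configured}


def sample_token(alg: str, kid: str = "constructed-kid") -> str:
    """Constructed sample: real header/payload encoding, placeholder signature."""
    header = _b64url(json.dumps({"alg": alg, "kid": kid}).encode())
    payload = _b64url(json.dumps({"sub": "constructed-user"}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


if __name__ == "__main__":
    for alg, setting in [("RS256", "tokenSecretKey"), ("RS256", "tokenPublicKey")]:
        print(setting, diagnose(sample_token(alg), setting))
```

A `compatible` result only means the key type matches the algorithm family; the signature still has to verify against the specific key identified by `kid`.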
