hi-rustin opened a new issue, #20367:
URL: https://github.com/apache/pulsar/issues/20367

   ### Search before asking
   
   - [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.
   
   
   ### Version
   
   `streamnative/sn-pulsar:2.11.1.1`
   
   ### Minimal reproduce step
   
   1. Create an Okta application and scope
   In this step, you will create an application integration in your Okta developer account.
        1. Log in to your Okta Developer account and navigate to Applications in the sidebar.
        2. In the dropdown, click Applications and then Create App Integration.
        3. On the Create a new app integration menu, select API services for OAuth 2.0 access tokens. Click Next.
        4. Add an App integration name and then Save.
   2. Configure an Okta authorization server with a scope
        1. Navigate to Security in the sidebar and then API. From here, you can add a new authorization server, or use the default authorization server. This tutorial will use the default server.
        2. Click on the name of your authorization server and then select the Scopes tab.
        3. Select Add Scope:
                1. Add pulsar as the name for your scope and include an optional description.
                2. For User Consent, leave the default Implicit selected.
                3. Check the box to set this as the Default Scope.
        4. Click Create.
   3. Start pulsar cluster:
   ```yaml
   version: '3.5'
   
   services:
     standalone:
       container_name: standalone
       hostname: localhost
       image: streamnative/sn-pulsar:2.11.1.1
       command: >
         bash /waitForOAuth.sh
       environment:
         allowAutoTopicCreationType: partitioned
         brokerDeleteInactiveTopicsEnabled: "false"
         saslAllowedMechanisms: OAUTHBEARER
         kopOauth2AuthenticateCallbackHandler: io.streamnative.pulsar.handlers.kop.security.oauth.OauthValidatorCallbackHandler
         kopOauth2ConfigFile: /conf/kop-handler.properties
         PULSAR_PREFIX_messagingProtocols: kafka
         PULSAR_PREFIX_kafkaListeners: SASL_PLAINTEXT://0.0.0.0:9092
         PULSAR_PREFIX_kafkaAdvertisedListeners: SASL_PLAINTEXT://10.xxxx27:19092
         PULSAR_PREFIX_brokerEntryMetadataInterceptors: org.apache.pulsar.common.intercept.AppendIndexMetadataInterceptor
         PULSAR_PREFIX_authenticationEnabled: true
         PULSAR_PREFIX_authenticationProviders: org.apache.pulsar.broker.authentication.AuthenticationProviderToken
         PULSAR_PREFIX_brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2
         PULSAR_PREFIX_brokerClientAuthenticationParameters: "{\"type\":\"client_credentials\",\"privateKey\":\"/conf/client_credentials.json\",\"issuerUrl\":\"https://trial-xxxxx.okta.com/oauth2/default\",\"scope\": \"pulsar\", \"audience\": \"api://default\"}"
         PULSAR_PREFIX_tokenSecretKey: "file:///pulsar/my-secret.key"
         LOGGING_LEVEL: debug
       ports:
         - 6650:6650
         - 8080:8080
         - 19092:9092
       volumes:
         - ./client_credentials.json:/conf/client_credentials.json
         - ./kop-handler.properties:/conf/kop-handler.properties
         - ./waitForOAuth.sh:/waitForOAuth.sh
   ```
   
   client_credentials.json:
   ```json
   {
     "type": "client_credentials",
     "client_id": "dasdadadasdsada",
     "client_secret": "x7AcrrdqS52cGdsadadsadadada",
     "issuer_url": "https://trial-xxxxx.okta.com/oauth2/default",
     "audience": "api://default"
   }
   ```
   
   kop-handler.properties:
   ```properties
   oauth.validate.method=token
   ```
   
   waitForOAuth.sh:
   ```sh
   #!/bin/sh
   
   bin/pulsar tokens create-secret-key --output my-secret.key
   
   pwd
   
   ls
   
   sleep 20
   
   bin/apply-config-from-env.py conf/standalone.conf && exec bin/pulsar standalone
   ```
   
   ### What did you expect to see?
   
   It works.
   
   ### What did you see instead?
   
   ```log
   Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
        at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:942) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
        at org.glassfish.jersey.client.JerseyInvocation.access$700(JerseyInvocation.java:82) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
        at org.glassfish.jersey.client.JerseyInvocation$1.completed(JerseyInvocation.java:863) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
        at org.glassfish.jersey.client.ClientRuntime.processResponse(ClientRuntime.java:229) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
        at org.glassfish.jersey.client.ClientRuntime.access$200(ClientRuntime.java:62) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
        at org.glassfish.jersey.client.ClientRuntime$2.lambda$response$0(ClientRuntime.java:173) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:288) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
        at org.glassfish.jersey.client.ClientRuntime$2.response(ClientRuntime.java:173) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
        at org.apache.pulsar.client.admin.internal.http.AsyncHttpConnector.lambda$apply$1(AsyncHttpConnector.java:251) ~[io.streamnative-pulsar-client-admin-original-2.11.1.1.jar:2.11.1.1]
   ```
   
   ### Anything else?
   
   1. I guess this issue is not related to the KOP, because even if I do not use the Kafka protocol, it is still not working.
   
   ### Are you willing to submit a PR?
   
   - [ ] I'm willing to submit a PR!

