GitHub user mgam1 edited a discussion: How to get OpenID Connect to work.
Hi All,

Firstly, thanks for taking the time to read my issue and for any help provided!

I'm using Pulsar 3.0.0. I've attempted to follow the instructions on https://pulsar.apache.org/docs/3.0.x/security-openid-connect/ in order to enable OpenID Connect Authentication, but can't seem to get past a certificate error.

I believe this error stems from Pulsar's [AuthenticationProviderOpenID.java](https://github.com/apache/pulsar/blob/master/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java) class, where in the initialise method it attempts to set up the SSL context to enable a secure connection to the issuer URL provided.

In the example [broker.conf](https://pulsar.apache.org/docs/3.0.x/security-openid-connect/) it says that the "openIDTokenIssuerTrustCertsFilePath" is an optional setting and that it will use the trust store of the JVM. So I ensured that the required certificates were added to the trust store found at ".../jre/lib/security/cacerts" on my broker instance and left that config value as blank. This did not work; I was presented with the error:

```
Caused by: java.lang.IllegalArgumentException: File does not contain valid certificates: ....
Caused by: java.security.cert.CertificateException: could not find certificate file:
    at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:68) ~[io.netty-netty-handler-4.1.89.Final.jar:4.1.89.Final]
```

This to me seemed to indicate that it was expecting a .pem file to be supplied, so I copied the pem file onto the broker server and supplied the absolute path to the file as openIDTokenIssuerTrustCertsFilePath=/opt/pulsar/certificates/certificate.pem but I received the error:

`Caused by: java.security.cert.CertificateException: found no certificates in input stream`

Here is an example of the broker.conf settings I'm using.

```
# broker.conf settings
authenticationProviders=org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID
openIDAllowedTokenIssuers=https://login-stg.somewebsite.com/
openIDAllowedAudiences=https://auth0-some-website.com/maas, https://some-stg.some-dev.auth0.com/userinfo
openIDTokenIssuerTrustCertsFilePath=
openIDRoleClaim=https://some-web.com/role
```

GitHub link: https://github.com/apache/pulsar/discussions/20743
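
Added example, not part of the original post and not Pulsar or netty code: a pre-flight check that classifies a candidate `openIDTokenIssuerTrustCertsFilePath` value into the two failure modes quoted above before the broker is restarted. It assumes the file is read as PEM-armored certificates, as the `PemReader` frame in the stack trace suggests; the function names, status strings and sample files are constructed for illustration, and the check is structural only (it does not validate a certificate chain).

```python
import base64
import binascii
import os
import re
import tempfile

# PEM armor for X.509 certificates (illustrative pattern, not netty's own).
CERT_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")

def check_trust_certs(path):
    """Classify a candidate openIDTokenIssuerTrustCertsFilePath value."""
    if not path or not os.path.isfile(path):
        return ("missing-file", 0)   # cf. "could not find certificate file"
    with open(path, "rb") as fh:
        data = fh.read()
    count = 0
    for block in CERT_BLOCK.finditer(data):
        try:
            der = base64.b64decode(b"".join(block.group(1).split()), validate=True)
        except binascii.Error:
            continue                 # armor present but body is not base64
        if der[:1] == b"\x30":       # a certificate is a DER SEQUENCE
            count += 1
    if count:
        return ("ok", count)
    if data[:1] == b"\x30":
        return ("der-not-pem", 0)    # binary DER saved under a .pem name
    return ("no-certificates", 0)    # cf. "found no certificates in input stream"

def demo():
    """Run the check over constructed files; none holds a real certificate."""
    fake_der = b"\x30\x03\x02\x01\x00"   # constructed DER SEQUENCE placeholder
    body = base64.b64encode(fake_der)
    samples = {
        "good.pem": b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n",
        "der.pem": fake_der,
        "key.pem": b"-----BEGIN PRIVATE KEY-----\n" + body + b"\n-----END PRIVATE KEY-----\n",
    }
    results = {"": check_trust_certs("")}   # blank setting, as in the posted broker.conf
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = check_trust_certs(path)
    return results

if __name__ == "__main__":
    print(demo())
```
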
