[https://issues.apache.org/jira/browse/QPID-7801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16035323#comment-16035323]
Alex Rudyy commented on QPID-7801:
----------------------------------
Rob, I reviewed the changes made against this JIRA and here are my review
comments:
* Substitution of virtualhost
Creation of an OAuth2 authentication provider with URIs containing
{{$\{virtualhost\}}} fails with {{IllegalArgumentException}} as below
{noformat}
422 - Cannot convert
'http://localhost:8080/auth/realms/${virtualhost}/protocol/openid-connect/userinfo'
into a URI for attribute tokenEndpointURI (Illegal character in path at index
35:
http://localhost:8080/auth/realms/${virtualhost}/protocol/openid-connect/userinfo)
{noformat}
Encoding of illegal characters does not help in this case, as the encoded
value is not decoded before the URI string is expanded. Perhaps the URI
attribute types should be changed to String to make this work. Am I doing
something wrong?
* {{KeycloakOAuth2IdentityResolverService}}
When an OAuth2 auth provider is created with
{{KeycloakOAuth2IdentityResolverService}} without setting the URI attributes and
the context variables {{$\{keycloak.baseUrl\}}} and {{$\{keycloak.domain\}}}, the
error reported by the Broker is not user-friendly and it could be unclear how
to fix the problem. Here is an example of such an error message
{noformat}
422 - Cannot convert '${this:defaultIdentityResolverEndpointURI}' into a URI
for attribute identityResolverEndpointURI (Illegal character in scheme name at
index 0: ${this:defaultIdentityResolverEndpointURI})
{noformat}
Perhaps {{KeycloakOAuth2IdentityResolverService}} should throw a user-friendly
exception from its method {{KeycloakOAuth2IdentityResolverService#validate}} in
this case.
* AMQP connection authentication
{{SubjectCreator}} is created in the constructor of {{AMQPConnection_1_0Impl}}.
As a result, the virtual host can only be set in {{SubjectCreator}} via {{SNI}}.
Potentially, the implementation could be changed to create {{SubjectCreator}} in
{{#receiveSaslInit()}}, so that the virtual host can be taken from the {{"sasl-init"}}
performative in addition to {{SNI}}. That would allow using virtual host
substitution with {{SASL}} without TLS.
> [Java Broker] Allow variable substitution of virtualhost in OAuth2 resolver
> URIs
> ---------------------------------------------------------------------------------
>
> Key: QPID-7801
> URL: https://issues.apache.org/jira/browse/QPID-7801
> Project: Qpid
> Issue Type: Improvement
> Reporter: Rob Godfrey
> Assignee: Rob Godfrey
>
> Allow substitution of address space (based on resolution of SNI / HTTPS HOST
> to vhost) in OAuth2 resolver URIs (to allow per vhost configuration). Add
> keycloak provider
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
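The first two review points above both come down to the same ordering problem: the template string containing {{$\{virtualhost\}}} reaches the URI parser before it has been expanded, so the user sees a parse error instead of a configuration error. The following is an added illustration of the expand-then-convert approach the reviewer suggests; it is example code written for this page, not Qpid Broker code, and the class name {{VhostEndpointResolver}}, the variable-lookup map and the error wording are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper (not Qpid code): keeps endpoint templates as Strings,
// expands ${...} placeholders per virtual host, and only then converts to a URI.
public class VhostEndpointResolver {

    // Matches ${name}; ':' is allowed so references such as ${this:...} are recognised too.
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([A-Za-z0-9_.:]+)\\}");

    // Expand every ${name} from the supplied variables. A missing variable is a
    // configuration error and is reported by name rather than as a URI parse failure.
    static String expand(String template, Map<String, String> variables) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1);
            String value = variables.get(name);
            if (value == null) {
                throw new IllegalArgumentException(
                    "Endpoint template '" + template + "' references undefined variable '" + name
                    + "'; set it in the context or configure the endpoint URI explicitly");
            }
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Convert only after expansion, so the placeholder never reaches java.net.URI.
    static URI resolve(String template, Map<String, String> variables) {
        String expanded = expand(template, variables);
        try {
            return new URI(expanded);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(
                "Expanded endpoint '" + expanded + "' is not a valid URI: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        String template = "http://localhost:8080/auth/realms/${virtualhost}/protocol/openid-connect/userinfo";
        Map<String, String> ctx = new HashMap<>();
        ctx.put("virtualhost", "vhost1");

        // 1. Parsing the raw template fails: '{' is not a legal path character.
        try {
            new URI(template);
        } catch (URISyntaxException e) {
            System.out.println("raw template rejected: " + e.getMessage());
        }

        // 2. Percent-encoding the braces produces a parseable string, but the placeholder
        //    is now "$%7Bvirtualhost%7D", which no longer matches, so nothing is expanded.
        String encoded = template.replace("{", "%7B").replace("}", "%7D");
        System.out.println("placeholder survives expansion of the encoded template: "
            + expand(encoded, ctx).contains("%7Bvirtualhost%7D"));

        // 3. Expanding first and converting afterwards yields a per-virtualhost endpoint.
        System.out.println("resolved: " + resolve(template, ctx));

        // 4. An unset variable is reported by name instead of as an opaque URI error.
        try {
            resolve("${this:defaultIdentityResolverEndpointURI}", new HashMap<>());
        } catch (IllegalArgumentException e) {
            System.out.println("friendly error: " + e.getMessage());
        }
    }
}
```

Keeping the attribute as a String and validating after expansion also gives a natural place for the user-friendly check the reviewer asks for in {{#validate}}: the name of the unresolved variable is known at that point, whereas the URI parser only knows about an illegal character at some index.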