pulsar icon indicating copy to clipboard operation
pulsar copied to clipboard
verified publisher icon apache

[improve][client] Make authorization server metadata path configurable in AuthenticationOAuth2

Open izumo27 opened this issue 3 weeks ago • 1 comments

Motivation

The client’s OAuth2 authentication plugin can be used for OIDC. So, the authorization server metadata path is fixed to /.well-known/openid-configuration.

However, RFC 8414 defines /.well-known/oauth-authorization-server as the default, and some users may want to configure a different path. https://datatracker.ietf.org/doc/html/rfc8414#section-3 This PR makes the authorization server metadata path configurable.

Modifications

  • Added the wellKnownMetadataPath parameter to make the authorization server metadata path configurable.
  • Added the AuthenticationOAuth2StandardAuthzServer class and the clientCredentialsWithStandardAuthzServerBuilder builder, which preconfigure the standard path /.well-known/openid-configuration as defined in RFC 8414.

Verifying this change

  • [x] Make sure that the change passes the CI checks.

This change added tests and can be verified as follows:

  • Added tests for configurable authorization server metadata path

Does this pull request potentially affect one of the following parts:

  • [ ] Dependencies (add or upgrade a dependency)
  • [ ] The public API
  • [ ] The schema
  • [ ] The default values of configurations
  • [ ] The threading model
  • [ ] The binary protocol
  • [ ] The REST endpoints
  • [ ] The admin CLI options
  • [ ] The metrics
  • [ ] Anything that affects deployment

Documentation

  • [ ] doc
  • [x] doc-required
  • [ ] doc-not-needed
  • [ ] doc-complete

Matching PR in forked repository

PR in forked repository: https://github.com/izumo27/pulsar/pull/6

izumo27 avatar Dec 09 '25 10:12 izumo27

Codecov Report

:x: Patch coverage is 72.22222% with 10 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 74.38%. Comparing base (3937788) to head (3f4049c). :warning: Report is 15 commits behind head on master.

Files with missing lines Patch % Lines
...auth2/AuthenticationOAuth2StandardAuthzServer.java 52.94% 6 Missing and 2 partials :warning:
.../auth/oauth2/protocol/DefaultMetadataResolver.java 75.00% 1 Missing and 1 partial :warning:
Additional details and impacted files

Impacted file tree graph

@@              Coverage Diff              @@
##             master   #25052       +/-   ##
=============================================
+ Coverage     38.50%   74.38%   +35.88%     
- Complexity    13234    34133    +20899     
=============================================
  Files          1863     1922       +59     
  Lines        146150   150408     +4258     
  Branches      16973    17471      +498     
=============================================
+ Hits          56272   111878    +55606     
+ Misses        82185    29604    -52581     
- Partials       7693     8926     +1233
Flag Coverage Δ
inttests 26.38% <0.00%> (-0.01%) :arrow_down:
systests 22.94% <0.00%> (+0.11%) :arrow_up:
unittests 73.91% <72.22%> (+39.27%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
.../impl/auth/oauth2/AuthenticationFactoryOAuth2.java 94.11% <100.00%> (+94.11%) :arrow_up:
...client/impl/auth/oauth2/ClientCredentialsFlow.java 80.00% <100.00%> (+80.00%) :arrow_up:
...pache/pulsar/client/impl/auth/oauth2/FlowBase.java 67.85% <100.00%> (+67.85%) :arrow_up:
.../auth/oauth2/protocol/DefaultMetadataResolver.java 71.42% <75.00%> (+71.42%) :arrow_up:
...auth2/AuthenticationOAuth2StandardAuthzServer.java 52.94% <52.94%> (ø)

... and 1417 files with indirect coverage changes

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

codecov-commenter avatar Dec 09 '25 15:12 codecov-commenter

However, RFC 8414 defines /.well-known/oauth-authorization-server as the default, and some users may want to configure a different path. https://datatracker.ietf.org/doc/html/rfc8414#section-3 This PR makes the authorization server metadata path configurable

@izumo27 It seems that according to RFC 8414, the logic is also different than what there is in the current implementation.

https://www.rfc-editor.org/rfc/rfc8414.html#section-3.1 More specifically this part:

If the issuer identifier value contains a path component, any terminating "/" MUST be removed before inserting "/.well-known/" and the well-known URI suffix between the host component and the path component. The client would make the following request when the issuer identifier is "https://example.com/issuer1" and the well-known URI suffix is "oauth-authorization-server" to obtain the metadata, since the issuer identifier contains a path component:

 GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1
 Host: example.com

Instead of appending .well-known/oauth-authorization-server to the path, the logic should be to prefix the path with /.well-known/oauth-authorization-server.

lhotari avatar Dec 15 '25 11:12 lhotari

@lhotari Thank you for the comment. I’ve fixed it.

  • Changed the logic to insert well-known path before the issuer path when wellKnownMetadataPath is configured.
  • For OIDC, keep the existing implementation that appends well-known path after the issuer path when wellKnownMetadataPath is empty.

The RP would make the following request to the Issuer https://example.com/issuer1 to obtain its configuration information, since the Issuer contains a path component:

  GET /issuer1/.well-known/openid-configuration HTTP/1.1
  Host: example.com

https://openid.net/specs/openid-connect-discovery-1_0.html

izumo27 avatar Dec 18 '25 10:12 izumo27