Bug Report: Environment variables are not read in OpenIdAuthenticationDefinition/FISH-5748

Open Lars5678 opened this issue 4 years ago • 5 comments

Description


Since Payara 5.2021.6, environment variables are no longer resolved in the OpenIdAuthenticationDefinition Annotation.

Expected Outcome

As before, environment variables should be resolved.

Current Outcome

[image]

Steps to reproduce

@ApplicationScoped
@OpenIdAuthenticationDefinition(
        clientSecret = "${ENV=OIDC_CLIENTSECRET}",
        clientId = "${ENV=OIDC_CLIENTID}"
)
@DeclareRoles({"xxx", "yyy"})
public class ApplicationConfig {

}

This has led to the URL shown above since Payara 5.2021.6

This can be remedied by first setting the values in the MicroProfile Config.

payara.security.openid.clientId=${OIDC_CLIENTID}
payara.security.openid.clientSecret=${OIDC_CLIENTSECRET}

Environment

Payara Micro 5.2021.6 and Payara Micro 5.2021.6

Lars5678 avatar Sep 17 '21 11:09 Lars5678

Hi @LarsBrenker,

Would you be able to provide the proper sample reproducer app?

shub8968 avatar Sep 22 '21 09:09 shub8968

I can reproduce with the sample app here https://github.com/payara/Payara/pull/5422. This app doesn't refer to an environment variable but when I change the annotation in SecuredPage.java to refer to an environment variable as in the example above, I see the same behavior as reported:

@OpenIdAuthenticationDefinition(
        providerURI = "http://localhost:8080/openid-server/webresources/oidc-provider",
        clientId = "${ENV=OIDC_CLIENTID}",
        clientSecret = CLIENT_SECRET_VALUE,
        redirectURI = "${baseURL}/Callback"
)

While the OIDC_CLIENTID environment variable is set to sample_client_id before Payara Server starts.

I don't see this with an older version. It's most probably related to the integration of the security connectors done in FISH-786: https://github.com/payara/Payara/pull/5373

OndroMih avatar Sep 22 '21 12:09 OndroMih

Hi @OndroMih, thanks for the reproducer. It can be. If https://github.com/payara/Payara/pull/5373 was merged on August 6th, this fits in with my observation that the problem exists since Payara 5.2021.6.

Lars5678 avatar Sep 22 '21 12:09 Lars5678

Hi, @LarsBrenker. I am able to reproduce this issue. I have raised an internal issue with JIRA FISH-5748. Thanks. It may take a while to fix the issue. You are free to submit a PR to fix this issue if you feel confident to do so.

shub8968 avatar Sep 23 '21 16:09 shub8968

Stumbled upon this while upgrading our environment. Another workaround is to use the environment variables that map to the relevant MP Config properties:

PAYARA_SECURITY_OPENID_CLIENTID=myclientid
PAYARA_SECURITY_OPENID_CLIENTSECRET=myclientsecret

antonireus avatar Feb 09 '22 08:02 antonireus

Hi @LarsBrenker @YotillaAntoni,

This was a breaking change caused by the integration of security connectors, as you identified. As a result our documentation was modified to state MicroProfile Config Properties and Expression Language can be used in the OpenIdAuthenticationDefinition but password aliases and environment variables can't. They instead, as @YotillaAntoni identified, can be used indirectly through MicroProfile Config.

Best Regards, James

JamesHillyard avatar Oct 04 '22 10:10 JamesHillyard
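
An added example, not part of the thread and not Payara's code: a POSIX shell pre-start check for the two workarounds above. It derives the environment variable names for the MicroProfile Config properties using the MicroProfile Config name-mapping rule and fails if either is unset or empty. The function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example: pre-start check for the OpenID settings in this thread.
# MicroProfile Config looks a property up in the environment under, in order:
#   1. the exact property name
#   2. the name with every character that is not [A-Za-z0-9_] replaced by "_"
#   3. the result of step 2 in upper case

# Print the three candidate variable names, one per line.
mpconfig_env_candidates() {
    _s=$(printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_' '_')
    printf '%s\n' "$1" "$_s" "$(printf '%s' "$_s" | LC_ALL=C tr 'a-z' 'A-Z')"
}

# Print the value of the first candidate that is set; return 1 if none is.
mpconfig_env_lookup() {
    for _name in $(mpconfig_env_candidates "$1"); do
        if printenv "$_name" >/dev/null 2>&1; then
            printenv "$_name"
            return 0
        fi
    done
    return 1
}

# Return non-zero unless every property resolves to a non-empty value.
# Only names are printed, so the client secret never reaches start-up logs.
check_openid_env() {
    _missing=0
    for _prop in "$@"; do
        if _val=$(mpconfig_env_lookup "$_prop") && [ -n "$_val" ]; then
            echo "ok: $_prop"
        else
            echo "missing: $_prop (e.g. set $(mpconfig_env_candidates "$_prop" | tail -n 1))" >&2
            _missing=1
        fi
    done
    return "$_missing"
}

# Demonstration with constructed values (not real credentials).
(
    export PAYARA_SECURITY_OPENID_CLIENTID=sample_client_id
    export PAYARA_SECURITY_OPENID_CLIENTSECRET=constructed-secret
    check_openid_env payara.security.openid.clientId \
                     payara.security.openid.clientSecret
)
```

Running the check in the container entrypoint before Payara starts turns a missing secret into an immediate start-up failure rather than a malformed authorization URL at first login.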