[bitnami/schema-registry] Schema registry server side OAuth2

[mavrallous]

Name and Version

bitnami/schema-registry

What is the problem this feature will solve?

Hi,

I tried to enable Oauth2 on schema registry on server side to protect schema registry endpoints by setting following configurations but this seems to not work:

configuration: |-
  rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.AuthenticationHandler
  oauthbearer.jwks.endpoint.url=***keycloak***
  oauthbearer.expected.issuer=***keycloak***
  oauthbearer.expected.audience="account"
  oauthbearer.sub.claim.name="sub"
  oauthbearer.groups.claim.name="groups"

Additionally this also protects the readiness endpoints which is not desirable. I there some unprotected public endpoint that we ca use for readiness?

What is the feature you are proposing to solve the problem?

OAuth configuration for schema registry server and public endpoint for readiness checks.

What alternatives have you considered?

No response

[javsalgar]

Hi,

Do you find an error? Do the logs show anything meaningful?

[mavrallous]

Upon accessing an endpoint I get following response while the token is valid. What is this realm configuration that it complains about?

Bearer realm="null",error="invalid_token"
Maybe the authenticator is validating something more than just the token signature. I am not sure.
Looks like this response is coming from this class.
io.confluent.common.security.jetty.OAuthBearerAuthenticator

[javsalgar]

Could you confirm by entering the container that the configuration files have the expected contents? If so, then there may be an issue not with the Bitnami packaging of schema-registry, but in schema-registry itself.

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[github-actions]

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.