Description
Issue submitter TODO list
- I've looked up my issue in FAQ
- I've searched for already existing issues here
- I've tried running main-labeled docker image and the issue still persists there
- I'm running a supported version of the application which is listed here
Describe the bug (actual behavior)
I've set up RBAC according to the docs with an Auth0 app and Google authentication, but instead of getting full access with my user, I see an empty list of clusters and the "Configure new cluster" button is inactive. After browsing some code I have a general feeling that I'm missing something here - looks like the code is expecting a list of roles or permissions?
I've tried changing config in different ways: oauth to oauth_google, then subject type from email to user and back, adding more scopes (which at first added email and some user info, but didn't result in any changes on the frontend).
Expected behavior
I should be able to see a list of clusters and be able to manage them after I log in with my user
Your installation details
App is latest (4cf17a0 v1.1.0)
Config is this:
AUTH_OAUTH2_CLIENT_AUTH0_CUSTOM_PARAMS_TYPE=oauth
AUTH_OAUTH2_CLIENT_AUTH0_CLIENT_NAME=Auth0
AUTH_OAUTH2_CLIENT_AUTH0_CLIENTID=cid
AUTH_OAUTH2_CLIENT_AUTH0_CLIENTSECRET=secret
AUTH_OAUTH2_CLIENT_AUTH0_ISSUER_URI=https://issuer.us.auth0.com/
AUTH_OAUTH2_CLIENT_AUTH0_PROVIDER=AUTH0
AUTH_OAUTH2_CLIENT_AUTH0_REDIRECT_URI=https://127.0.0.1:8080/login/oauth2/code/auth0
AUTH_OAUTH2_CLIENT_AUTH0_SCOPE_0_=openid
AUTH_OAUTH2_CLIENT_AUTH0_SCOPE_1_=email
AUTH_OAUTH2_CLIENT_AUTH0_SCOPE_2_=profile
AUTH_OAUTH2_CLIENT_AUTH0_SCOPE_3_=groups
AUTH_TYPE=OAUTH2
DYNAMIC_CONFIG_ENABLED=true
KAFKA_CLUSTERS_0_BOOTSTRAP_SERVERS=server1:9196
KAFKA_CLUSTERS_0_NAME=dev
KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG=org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";
KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM=SCRAM-SHA-512
KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL=SASL_SSL
RBAC_ROLES_0_CLUSTERS_0_=dev
RBAC_ROLES_0_NAME=allowed
RBAC_ROLES_0_PERMISSIONS_0_ACTIONS=all
RBAC_ROLES_0_PERMISSIONS_0_RESOURCE=applicationconfig
RBAC_ROLES_0_PERMISSIONS_1_ACTIONS=all
RBAC_ROLES_0_PERMISSIONS_1_RESOURCE=clusterconfig
RBAC_ROLES_0_PERMISSIONS_2_ACTIONS=all
RBAC_ROLES_0_PERMISSIONS_2_RESOURCE=topic
RBAC_ROLES_0_PERMISSIONS_2_VALUE=.*
RBAC_ROLES_0_PERMISSIONS_3_ACTIONS=all
RBAC_ROLES_0_PERMISSIONS_3_RESOURCE=consumer
RBAC_ROLES_0_PERMISSIONS_3_VALUE=.*
RBAC_ROLES_0_PERMISSIONS_4_ACTIONS=all
RBAC_ROLES_0_PERMISSIONS_4_RESOURCE=schema
RBAC_ROLES_0_PERMISSIONS_4_VALUE=.*
RBAC_ROLES_0_PERMISSIONS_5_ACTIONS=all
RBAC_ROLES_0_PERMISSIONS_5_RESOURCE=connect
RBAC_ROLES_0_PERMISSIONS_5_VALUE=.*
RBAC_ROLES_0_PERMISSIONS_6_ACTIONS=all
RBAC_ROLES_0_PERMISSIONS_6_RESOURCE=ksql
RBAC_ROLES_0_PERMISSIONS_7_ACTIONS_0_=view
RBAC_ROLES_0_PERMISSIONS_7_ACTIONS_1_=edit
RBAC_ROLES_0_PERMISSIONS_7_RESOURCE=acl
RBAC_ROLES_0_SUBJECTS_0_PROVIDER=oauth_google
RBAC_ROLES_0_SUBJECTS_0_TYPE=domain
RBAC_ROLES_0_SUBJECTS_0_VALUE=domain.com
RBAC_ROLES_0_SUBJECTS_1_PROVIDER=oauth_google
RBAC_ROLES_0_SUBJECTS_1_TYPE=email
RBAC_ROLES_0_SUBJECTS_1_VALUE=user@domain.com
Steps to reproduce
Set up RBAC with oauth2 and try to log in with Google
Screenshots
No response
Logs
In the app logs I haven't seen any debug messages that could possibly be produced in api/src/main/java/io/kafbat/ui/service/rbac/AccessControlService.java, but one interesting observation was that UserInfoDTO had just a username and empty permissions: []. I feel like it could be a part of the problem.
Additional context
No response