Description
Issue submitter TODO list
- I've looked up my issue in FAQ
- I've searched for an already existing issues here
- I've tried running `master`-labeled docker image and the issue still persists there
- I'm running a supported version of the application which is listed here
Describe the bug (actual behavior)
I have configured OAuth2/OIDC for AuthN + AuthZ and configured my Okta authorization server to include `groups`, and can confirm that `groups` appear in the access token it returns.
When I use `rbac` rules targeting a group which should be extracted from `groups` in the access token I get this error on the console:
```
reactor.core.Exceptions$ErrorCallbackNotImplemented: java.lang.ClassCastException: Cannot cast
com.provectus.kafka.ui.config.auth.RbacOidcUser to org.springframework.security.core.userdetails.UserDetails
```
My `rbac` section in the config looks like this:
```yaml
rbac:
  roles:
    - clusters:
        - development-dev-1
      name: "ReadOnly"
      permissions:
        - resource: clusterconfig
          actions: [ VIEW ]
        - resource: topic
          value: ".*"
          actions: [ VIEW, MESSAGES_READ ]
        - resource: consumer
          value: ".*"
          actions: [ VIEW ]
        - resource: schema
          value: ".*"
          actions: [ VIEW ]
        - resource: connect
          value: ".*"
          actions: [ VIEW, RESTART ]
        - resource: acl
          actions: [ VIEW ]
      subjects:
        - provider: "oauth"
          type: "group"
          value: "Developers"
```
And my `auth` section looks like this:
```yaml
auth:
  oauth2:
    client:
      okta:
        authorization-grant-type: authorization_code
        client-name: Okta
        custom-params:
          roles-field: groups
          type: oauth
        issuer-uri: https://myorg.okta-emea.com/oauth2/{authorizationServerId}
        provider: okta
        redirect-uri: https://{hostname}/kafka-ui/login/oauth2/code/okta
        scope:
          - openid
          - profile
          - email
          - groups
        user-name-attribute: email
  type: OAUTH2
```
Setting `logging.level.ROOT: TRACE`, I was able to pull out the decoded access token that is getting returned... it looks like this (with redactions):
```
[
  Authentication=OAuth2AuthenticationToken [
    Principal=RbacOidcUser[
      user=Name: [[email protected]],
      Granted Authorities: [
        [OIDC_USER, SCOPE_email, SCOPE_groups, SCOPE_openid, SCOPE_profile]
      ],
      User Attributes: [
        {
          at_hash=<HASH>,
          sub=<SUBJECT_ID>,
          zoneinfo=America/Los_Angeles,
          ver=1,
          email_verified=true,
          amr=[swk, mfa, pwd],
          iss=https://myorg.okta-emea.com/oauth2/<AUTHZ_SERVER_ID>,
          groups=[Developers],
          [email protected],
          locale=en_US,
          given_name=My,
          nonce=<NONCE>,
          aud=[<AUDIENCE_ID>],
          updated_at=<DATE>,
          idp=<IDP_ID>,
          auth_time=<DATE>,
          name=My User,
          exp=<DATE>,
          family_name=User,
          iat=<DATE>,
          [email protected],
          jti=<REDACTED>
        }
      ],
      groups=[]
    ],
    Credentials=[PROTECTED],
    Authenticated=true,
    Details=null,
    Granted Authorities=[OIDC_USER, SCOPE_email, SCOPE_groups, SCOPE_openid, SCOPE_profile]
  ]
]
```
As you can see, under `User Attributes`, `groups` is indeed listed with the correct group name (`Developers`) that should match the subject value for the `ReadOnly` role defined in the `rbac` config.
Expected behavior
I'd expect the system to find the expected `groups` property inside the `User Attributes` section of the access token and correctly assign the role with `"subjects": {"provider": "oauth", "type": "group", "value": "Developers"}`.
Your installation details
- App version: cc12814
- Helm chart version: 0.7.5
- Config
```yaml
rbac:
  roles:
    - clusters:
        - development-1
      name: "ReadOnly"
      permissions:
        - resource: clusterconfig
          actions: [ VIEW ]
        - resource: topic
          value: ".*"
          actions: [ VIEW, MESSAGES_READ ]
        - resource: consumer
          value: ".*"
          actions: [ VIEW ]
        - resource: schema
          value: ".*"
          actions: [ VIEW ]
        - resource: connect
          value: ".*"
          actions: [ VIEW, RESTART ]
        - resource: acl
          actions: [ VIEW ]
      subjects:
        - provider: "oauth"
          type: "group"
          value: "Developers"
auth:
  oauth2:
    client:
      okta:
        authorization-grant-type: authorization_code
        client-name: Okta
        custom-params:
          roles-field: groups
          type: oauth
        issuer-uri: https://myorg.okta-emea.com/oauth2/<AUTHZ_SERVER_ID>
        provider: okta
        redirect-uri: https://kafka-ui/login/oauth2/code/okta
        scope:
          - openid
          - profile
          - email
          - groups
        user-name-attribute: email
  type: OAUTH2
kafka:
  clusters:
    - bootstrapServers: development-1-kafka-bootstrap:9092
      kafka-connect:
        - address: http://development-1-connect-api:8083
          name: development-1
      name: development-1
      schemaRegistry: http://schema-registry:8081
logging:
  level:
    ROOT: TRACE
```
- Any IAC configs: N/A
Steps to reproduce
- Deploy Kafka UI with the aforementioned configuration using an OIDC provider from Okta.
- Attempt to login with a valid user that is assigned to a group that should end up with the `ReadOnly` role.
- No role is assigned and no resources are listed in the UI.
Screenshots
No response
Logs
```
DEBUG [parallel-2] o.s.s.w.s.c.WebSessionServerSecurityContextRepository: Found SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=RbacOidcUser[user=Name: [[email protected]], Granted Authorities: [[OIDC_USER, SCOPE_email, SCOPE_groups, SCOPE_openid, SCOPE_profile]], User Attributes: [{at_hash=<HASH>, sub=<SUBJECT_ID>, zoneinfo=America/Los_Angeles, ver=1, email_verified=true, amr=[swk, mfa, pwd], iss=https://myorg.okta-emea.com/oauth2/<AUTHZ_SERVER_ID>, groups=[Developers], [email protected], locale=en_US, given_name=My, nonce=<NONCE>, aud=[<AUDIENCE>], updated_at=2023-09-08T11:24:03Z, idp=00oiezc9clgcLMk1t0i6, auth_time=2023-09-12T15:07:26Z, name=My User, exp=2023-09-12T16:26:32Z, family_name=User, iat=2023-09-12T15:26:32Z, [email protected], jti=<JTI>}], groups=[]], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[OIDC_USER, SCOPE_email, SCOPE_groups, SCOPE_openid, SCOPE_profile]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@5c0ffc11'
2023-09-12 15:36:46,308 ERROR [parallel-2] r.c.p.Operators: Operator called default onErrorDropped
reactor.core.Exceptions$ErrorCallbackNotImplemented: java.lang.ClassCastException: Cannot cast com.provectus.kafka.ui.config.auth.RbacOidcUser to org.springframework.security.core.userdetails.UserDetails
Caused by: java.lang.ClassCastException: Cannot cast com.provectus.kafka.ui.config.auth.RbacOidcUser to org.springframework.security.core.userdetails.UserDetails
```
Additional context
It is worth noting that if I set `subjects` to be like this everything works fine and it correctly assigns the user `ReadOnly` permissions:
```yaml
rbac:
  roles:
    - name: ReadOnly
      subjects:
        - provider: oauth
          type: email
          value: [email protected]
```
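As an added example that is not part of this issue or of kafka-ui's own code, the following Python models how the `rbac` subjects above are expected to resolve against the token's claims: a `group` subject can only match once the claim named by `roles-field` has actually been read into the principal's group list, which is the `groups=[]` the log shows, while an `email` subject needs only the `user-name-attribute` claim. The role structures, claim values and function names are constructed for the example.

```python
# Added example: a model of rbac subject resolution as this issue's config implies it.
# It is NOT kafka-ui's own code; the roles, claims and helpers below are constructed.

# Constructed: the group-based subject from the issue's rbac section.
RBAC_ROLES = [
    {"name": "ReadOnly",
     "subjects": [{"provider": "oauth", "type": "group", "value": "Developers"}]},
]

# Constructed claims shaped like the redacted token dump in the issue.
CLAIMS = {
    "sub": "<SUBJECT_ID>",
    "email": "my.user@example.com",   # constructed; the issue redacts the address
    "groups": ["Developers"],
}


def extract_groups(claims: dict, roles_field: str = "groups") -> list[str]:
    """Read the group claim named by custom-params.roles-field (the issue uses 'groups')."""
    value = claims.get(roles_field, [])
    if isinstance(value, str):          # some providers emit a single string, not a list
        value = [value]
    return [str(v) for v in value]


def subject_matches(subject: dict, provider: str, username: str, groups: list[str]) -> bool:
    """True if one rbac subject grants this principal the role."""
    if subject["provider"] != provider:
        return False
    if subject["type"] == "group":
        return subject["value"] in groups
    if subject["type"] == "email":
        return subject["value"] == username
    return False                        # an unknown subject type never grants


def resolve_roles(roles: list[dict], provider: str, claims: dict,
                  roles_field: str = "groups", user_name_attribute: str = "email") -> list[str]:
    """Names of roles whose subjects match; an empty list means no access (deny by default)."""
    username = str(claims.get(user_name_attribute, ""))
    groups = extract_groups(claims, roles_field)
    return [r["name"] for r in roles
            if any(subject_matches(s, provider, username, groups) for s in r["subjects"])]


if __name__ == "__main__":
    print(resolve_roles(RBAC_ROLES, "oauth", CLAIMS))                     # ['ReadOnly']
    # What the principal in the log effectively carries: groups=[] -> no role at all.
    print(resolve_roles(RBAC_ROLES, "oauth", {**CLAIMS, "groups": []}))  # []
```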