Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement OIDC Authentication against Keycloak for Apache Pulsar #2591

Open
hugosmitter opened this issue Feb 23, 2023 · 4 comments · Fixed by #3023
Open

Implement OIDC Authentication against Keycloak for Apache Pulsar #2591

hugosmitter opened this issue Feb 23, 2023 · 4 comments · Fixed by #3023
Labels
help wanted Extra attention is needed kind/enhancement New feature or request
Milestone

Comments

@hugosmitter
Copy link

Describe the feature

OIDC provides a more flexible, modern and standard-based approach to authentication.
Currently, the Apache Pulsar PubSub component handles authentication by reading a Pulsar-generated token defined in a PubSub Component manifest.

This request is to add an OIDC Client Credentials grant authentication flow to the Apache Pulsar PubSub component.

References:
Keycloak - Identity and Access Management for Modern Applications - Packt Publishing
Go authentication example program from book above

Release Note

RELEASE NOTE:

@hugosmitter hugosmitter added the kind/enhancement New feature or request label Feb 23, 2023
@berndverst berndverst added the help wanted Extra attention is needed label Feb 23, 2023
@ItalyPaleAle
Copy link
Contributor

Although I'm not necessarily against this if someone wanted to submit a PR, from a security standpoint using OIDC with client credentials doesn't really improve the security of the system much IMHO.

Current authentication method uses a token, which is a static, pre-shared key. Aside from being able to establish a network connection to Pulsar, knowing the token is both sufficient and necessary to authenticate with Pulsar.

In the case of OIDC, authentication with Pulsar is performed with a JWT that is issued by an IdP (in this case Keycloak, but I think we should support any IdP). The main advantage of the JWT is that it has time validity bounds, so if it's stolen, it can't be used past its expiration time.

However, the problem is how Dapr authenticates itself with the IdP (Keycloak) to obtain the JWT. In the scheme you proposed, which uses the client credentials grant flow, authentication is performed by presenting the IdP the "client secret", which is a pre-shared key just like the Pulsar authentication token. So I'm not sure if this really increments the security of the solution after all, as an attacker would steal the client secret in the same way as they'd steal the access token for Pulsar.

The real advantage of using OIDC would be when you can rely on something like the platform to authenticate your app. For example, cloud providers like Azure or AWS have endpoints that applications can invoke to obtain a signed token (a JWT), and they are authenticated by virtue of running on a certain infrastructure, rather than by presenting a pre-shared key (like a client secret). In the case of Azure, for example, that's called Managed Identities (MSI).

@hugosmitter
Copy link
Author

hugosmitter commented Mar 8, 2023

Thank you for your feedback. You make very good observations. I realize the feature request doesn't achieve an ideal end state and it's not comprehensive. It's a modest step towards a more general approach. The OIDC authentication against an IdP gives Dapr-ized PubSub applications a more enterprise-level authentication approach not tied to Pulsar tokens. As you mentioned, OIDC supports expiring tokens and token re-issue flows. Also, this requests places the OIDC authentication in the PubSub component, but it could be generalized further down the road into its own authentication building block as a horizontal service for other building blocks to leverage.

I can appreciate hardcoding of sensitive information like tokens and clientID/secrets in the component is a problem. This is not weakness of OIDC. We need in Dapr better original approaches or we need to explore integration to existing approaches. For instance, mounting ephemeral volumes at runtime to hold sensitive information and/or K8s operators to replace CRD -provided values with values stored in secrets stores. We have in the Dapr the Secret Management building block, but the Dapr sidecar can't use it directly AFAIK. Even if it could, some actor must configure a secret identifier accessible to the sidecar, so we're back to square one.

I agree with your idea about anchoring authentication to the platform, as long as the interface can be abstracted for multi-cloud support. That is perhaps the cleanest approach, assuming the other parts of the systems/microservices have the mechanisms to trust the authenticated principal.

@hugosmitter
Copy link
Author

If you read the Dapr Component specification for Kafka, you'll have a model for how to implement OIDC for Pulsar. Also, the Pulsar Component supports storing the Pulsar Token in a Kubernetes Secret, but it's not mentioned in the web page. I'll submit a request to correct the documentation.

@yaron2
Copy link
Member

yaron2 commented Jul 28, 2023

If you read the Dapr Component specification for Kafka, you'll have a model for how to implement OIDC for Pulsar. Also, the Pulsar Component supports storing the Pulsar Token in a Kubernetes Secret, but it's not mentioned in the web page. I'll submit a request to correct the documentation.

Correct, there is a precedent here already and this type of authentication is valid. We'll make an effort to have this ready for 1.12.

@yaron2 yaron2 added this to the v1.12 milestone Jul 28, 2023
@ItalyPaleAle ItalyPaleAle reopened this Aug 1, 2023
@ItalyPaleAle ItalyPaleAle modified the milestones: v1.12, v1.13 Sep 12, 2023
@ItalyPaleAle ItalyPaleAle modified the milestones: v1.13, v1.14 Feb 26, 2024
@berndverst berndverst modified the milestones: v1.14, v1.15 Jul 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Extra attention is needed kind/enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants