Authentication when verifying schemas?

[ivanpedersen]

Hey, currently when I'm verifying schemas I'm using config like:

<groupId>io.apicurio</groupId>
<artifactId>apicurio-registry-maven-plugin</artifactId>
<version>${apicurio-registry-maven-plugin.version}</version>
<executions>
    <execution>
        <phase>generate-sources</phase>
        <goals>
            <goal>test-update</goal>
        </goals>
        <configuration>
            <registryUrl>${registry-url}</registryUrl>
            <authServerUrl>${auth-server-url}</authServerUrl> 
            <clientId>${client-id}</clientId>
            <clientSecret>${client-secret}</clientSecret>
...

But I would ideally want to be able to not specify my clientSecret, since it currently requires me to copy the secret around, even to local machines when compiling my project. I would want to not have to use any auth when verifying the schemas. Is it possible?

The documentation says:

If authentication is required, you can specify your authentication server and client credentials.

https://www.apicur.io/registry/docs/apicurio-registry/2.4.x/getting-started/assembly-managing-registry-artifacts-maven.html#testing-artifacts-using-maven-plugin_registry

But it's not clear to me what this means?

I've got services that don't specify any auth, and it's able to fetch schemas ok. In order to update any schemas though, I need auth ofc. Does this setup mean that I should be able to verify schemas as well without auth?

spring:
  kafka:
    properties:
      apicurio:
        registry:
          as-confluent: true
          headers:
            enabled: false
          use-specific-avro-reader: true
          artifact:
            group-id: "default"
          url: "https://apicurio.company.com/apis/registry/v2/"

I think we're using Keycloak in front of Apicurio if that makes any difference?

[EricWittmann]

The only way to verify the schemas without providing auth credentials would be to configure the Registry server to allow "Anonymous Reads". This is a feature that can be enabled either by setting an ENV variable as documented here:

https://www.apicur.io/registry/docs/apicurio-registry/2.5.x/getting-started/assembly-configuring-the-registry.html#registry-security-anon-read

Or if you are an Admin user you should be able to enable that feature via the Settings tab in the UI.

When that feature is enabled, then REST API calls that only require read access will be allowed even when credentials are not provided.

[EricWittmann]

Also note: when Anonymous Reads are enabled, you can simply omit all of the auth related config from the maven plugin. It will then just make calls to the server without trying to perform any sort of OAuth.