API access under a third-party client keycloak

[mikhail-0330]

I use  version
repository: "apicurio/apicurio-registry"
tag: "2.4.3.Final"
in docker.

I set up authentication as follows:
 - name: AUTH_ENABLED
   value: "true"
 - name: KEYCLOAK_URL
   value: "https://keycloak.test"
 - name: KEYCLOAK_REALM
   value: "master"
 - name: KEYCLOAK_API_CLIENT_ID
   value: "apicurio-api-dev"
 - name: KEYCLOAK_UI_CLIENT_ID
   value: "apicurio-ui-dev"

   
 
Authorization to the api proceeds correctly with secrets  KEYCLOAK_API_CLIENT_ID + client secret from keycloak
1) get token from keycloak  as apicurio-api-dev / <client secret>
2) get /apis/registry/v2/groups/my-group/artifacts with token. Succes!

But I can also access the api through another keycloak client, which is not specified in the apicurio parameters:
1) let's take another real keycloak client, for example "test_client" and its client secret
2) get token from keycloak  as test_client / <test_client secret>
3) get /apis/registry/v2/groups/my-group/artifacts with token test_client. Succes! (!!! I think this is not valid  behaivor)

Should only the client specified in the apicurio environment be able to access the API?

[apicurio-bot]

Thank you for reporting an issue!

Pinging @EricWittmann to respond or triage.

[EricWittmann]

The configuration env variables are all about what client the Apicurio Registry application itself uses to interact with Keycloak (e.g. when fetching the server keys and oidc endpoints). It doesn't have anything to do with which clients can be used (by other applications) to generate a JWT from Keycloak.

So you can use whatever client you want to get a JWT. The question is whether the JWT is valid (by checking that it is syntactically valid and was property signed) and contains the appropriate roles to access registry. So as long as it's a valid JWT and contains the right role (e.g. sr-admin) then it will be allowed.

When you say you "get a token from keycloak" what do you mean exactly? E.g. what oidc flow are you using to get that token?

[mikhail-0330]

I use
curl -d "client_id=apicurio-api-dev" -d "client_secret=<secret>" -d "grant_type=client_credentials" "https://keycloak.<my.domain>/realms/master/protocol/openid-connect/token"

so i mean Client Credentials Grant.

Then i get the token and use it in the command
curl https://apicurio-dev.<my.domain>/apis/registry/v2/groups -H "Accept: application/json" -H "Authorization: Bearer <token>"

-"e.g. when fetching the server keys and oidc endpoints"
what happens if I remove the env KEYCLOAK_API_CLIENT_ID and use a random keycloak client to get a token? Will apicurio work as before? Or will it not allow requests with the token without KEYCLOAK_API_CLIENT_ID?

Can I restrict access by token only through client roles? If roles are not enabled, can I log in from any client and is this behavior normal?

[carlesarnal]

If you do not set up any roles restriction at the client level yes, any other client within the same realm will be able to access the Apicurio Registry API, that's the whole point of the client credentials grant and having separate clients for each application, so you can identify which application is doing what. The KEYCLOAK_API_CLIENT_ID is just the identifier for the Registry application itself against keycloak.