
Registry basic authorization only supports one scope (Azure Entra-related) #6348

Open
@j-setiawan

Description

Registry version: 3.0.7
Persistence type: sql

I'm attempting to access the registry REST API with basic authorization and Azure Entra as my identity provider. Azure requires that the client credentials grant provide a scope value. As far as I know, the registry supports specifying one scope with APICURIO_AUTHN_BASIC_SCOPE.

The issue is that I have two app registrations, sr-developer and sr-readonly, and they each need to have a unique scope. Using https://graph.microsoft.com/.default would solve the "single scope" problem, but is an issue for other reasons. Does that mean the registry, for basic authorization, can only support a single role when using Azure?

I also have a related issue where I can only specify one value for the auth role claim mapping values for both users and applications, so I chose the UUID of the user's group and made the app role's value the same as the group UUID.

Here is my configuration so far. Does this look correct or am I missing more basic configurations that would solve this in an easier manner?

# Only one scope is possible
APICURIO_AUTHN_BASIC_SCOPE: "api://<app registration client ID>/.default"

# Specify different paths for interactive login vs. API
QUARKUS_OIDC_RESOLVE_TENANTS_WITH_ISSUER: "true"

QUARKUS_OIDC_AUTH_SERVER_URL: "https://login.microsoftonline.com/<tenant ID>/v2.0"
QUARKUS_OIDC_TOKEN_PATH: "https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token"

# Specific to interactive logins (UI)
QUARKUS_OIDC_UI_TOKEN_ISSUER: "https://login.microsoftonline.com/<tenant ID>/v2.0"
QUARKUS_OIDC_UI_AUTH_SERVER_URL: "https://login.microsoftonline.com/<tenant ID>/v2.0"
QUARKUS_OIDC_UI_TOKEN_PATH: "https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token"
QUARKUS_OIDC_UI_ROLES_ROLE_CLAIM_PATH: "groups"

# Specific to client credentials (API)
QUARKUS_OIDC_API_TOKEN_ISSUER: "https://sts.windows.net/<tenant ID>/"
QUARKUS_OIDC_API_AUTH_SERVER_URL: "https://login.microsoftonline.com/<tenant ID>/v2.0"
QUARKUS_OIDC_API_TOKEN_PATH: "https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token"
QUARKUS_OIDC_API_ROLES_ROLE_CLAIM_PATH: "roles"

# These need to match for both groups and roles
APICURIO_AUTH_ROLES_DEVELOPER: <UUID>
APICURIO_AUTH_ROLES_READONLY: <UUID>

Environment

Docker Compose

Steps to Reproduce

  1. Configure two app registrations in Azure - sr-developer and sr-readonly
  2. "Expose an API" and choose unique Application ID URIs
  3. There is no way to configure the registry to handle the different scopes

Expected vs Actual Behaviour

  • Can specify multiple scopes (possibly tied to client IDs?)
  • Can specify multiple possible claim values for each schema registry role

Logs
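To make the two limitations in the report concrete, here is an added illustration (not Apicurio Registry code and not the issue author's) of what the expected behaviour would look like: a per-client scope table for the basic-auth to client-credentials exchange, and a role mapping that accepts several claim values per registry role so that user group UUIDs and application app-role values no longer have to be identical. The client IDs, scopes, group UUIDs, app-role values and the `ui`/`api` tenant names are constructed placeholders; the claim paths mirror the ROLE_CLAIM_PATH settings in the configuration above.

```python
from __future__ import annotations

import base64
from typing import Any

# Constructed placeholder data: the scope to request for each basic-auth client
# (one Entra app registration per registry role, as in the issue).
CLIENT_SCOPES: dict[str, str] = {
    "11111111-1111-1111-1111-111111111111": "api://sr-developer-app/.default",
    "22222222-2222-2222-2222-222222222222": "api://sr-readonly-app/.default",
}

# Constructed placeholder data: each registry role accepts more than one claim
# value, so a user's group UUID ("groups" claim) and an application's app-role
# value ("roles" claim) can differ while mapping to the same registry role.
ROLE_CLAIM_VALUES: dict[str, set[str]] = {
    "sr-developer": {"aaaaaaaa-0000-0000-0000-000000000001", "Registry.Developer"},
    "sr-readonly": {"bbbbbbbb-0000-0000-0000-000000000002", "Registry.ReadOnly"},
}

# Claim path per tenant, mirroring QUARKUS_OIDC_UI_ROLES_ROLE_CLAIM_PATH (groups)
# and QUARKUS_OIDC_API_ROLES_ROLE_CLAIM_PATH (roles) from the issue.
ROLE_CLAIM_PATHS: dict[str, str] = {"ui": "groups", "api": "roles"}


def encode_basic(client_id: str, secret: str) -> str:
    """Build an 'Authorization: Basic' header value from client credentials."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: str) -> tuple[str, str] | None:
    """Return (client_id, client_secret) from a Basic header, or None if malformed."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, secret


def build_token_request(header: str) -> dict[str, str] | None:
    """Map basic-auth credentials to a client-credentials grant body whose scope
    depends on the client. Returns None for malformed credentials or a client
    with no configured scope, so unknown clients never reach the token endpoint."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    client_id, secret = creds
    scope = CLIENT_SCOPES.get(client_id)
    if scope is None:
        return None
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secret,
        "scope": scope,
    }


def claim_at_path(claims: dict[str, Any], path: str) -> list[str]:
    """Walk a dotted claim path; a scalar becomes a one-element list and a
    missing claim an empty list, so callers never have to special-case either."""
    node: Any = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, list):
        return [str(v) for v in node]
    return [str(node)]


def resolve_roles(claims: dict[str, Any], tenant: str) -> set[str]:
    """Registry roles granted by an already-validated token's claims for the
    given tenant ('ui' or 'api'). Any accepted value for a role is enough."""
    present = set(claim_at_path(claims, ROLE_CLAIM_PATHS[tenant]))
    return {role for role, accepted in ROLE_CLAIM_VALUES.items() if accepted & present}
```

Signature validation and issuer checks happen before `resolve_roles` is called; the mapping here only decides which registry roles a trusted set of claims grants, and an unrecognised value yields no role rather than a default one.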
