After following the documentation (and answers in SO questions 1 & 2) to enable OpenID Connect authentication, the pulsar.broker service fails to start and presents me with a flurry of 401 Unauthorized errors. I was not expecting this, as I thought authentication/authorisation was only initiated from a Pulsar client, where an access token can be supplied.
Here is an example of some of the 401 errors presented to me:
lin-0afa7c37.mstarext.com pulsar[12971]: 2023-07-07T10:19:33,590+0000 [main] ERROR org.apache.pulsar.functions.worker.PulsarWorkerService - Error Starting up in worker
lin-0afa7c37.mstarext.com pulsar[12971]: org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: HTTP 401 Unauthorized
....
lin-0afa7c37.mstarext.com pulsar[12971]: Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
....
lin-0afa7c37.mstarext.com pulsar[12971]: 2023-07-07T10:19:33,597+0000 [main] ERROR org.apache.pulsar.broker.PulsarService - Failed to start Pulsar service: org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: HTTP 401 Unauthorized
....
lin-0afa7c37.mstarext.com pulsar[12971]: 2023-07-07T10:19:33,598+0000 [main] ERROR org.apache.pulsar.PulsarBrokerStarter - Failed to start pulsar service.
lin-0afa7c37.mstarext.com pulsar[12971]: org.apache.pulsar.broker.PulsarServerException: java.lang.RuntimeException: org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: HTTP 401 Unauthorized
Is there some other configuration that I need to update that's not mentioned in the referenced documentation above?
When authentication is enabled, the Pulsar Broker, Proxy, and Function Worker must be configured to use authentication. Since OIDC is an OAuth2 implementation, you can follow the OAuth2 docs here: https://pulsar.apache.org/docs/3.0.x/security-oauth2/#enable-oauth2-authentication-on-brokersproxies.
The broker.conf will look something like this (it varies based on your OAuth2 provider):
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2
# When client credentials are stored in a file
brokerClientAuthenticationParameters={"privateKey":"file:///path/to/privateKey","audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/","issuerUrl":"https://dev-kt-aa9ne.us.auth0.com"}
# When client credentials are stored in a base64 string
brokerClientAuthenticationParameters={"privateKey":"data:application/json;base64,privateKey-body-to-base64","audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/","issuerUrl":"https://dev-kt-aa9ne.us.auth0.com"}
# If using secret key (Note: key files must be DER-encoded)
tokenSecretKey=file:///path/to/secret.key
Note also that if you are running in Kubernetes, it is possible to mount a service account token projection and use that token for authentication.
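The failure in the question is a mismatch between two halves of broker.conf: authenticationEnabled=true makes the broker demand credentials, but the broker's own internal client (used by the function worker's admin calls) has no brokerClientAuthenticationPlugin, so it gets HTTP 401 from itself. The following is an added, offline checker for that condition, written for this page and not part of Pulsar or the answer above. The key names it reads (authenticationEnabled, brokerClientAuthenticationPlugin, brokerClientAuthenticationParameters) are real broker.conf keys and the privateKey URI forms are the two shown in the answer; the assumption that the privateKey JSON carries client_id and client_secret follows Pulsar's client_credentials file format, and every config and credential value below is constructed. Note that broker.conf is a Java Properties file, so of two identical keys only the last one counts; the answer lists both parameter forms as alternatives, and a real file must keep exactly one.

```python
"""Offline sanity check for the broker-side client auth settings in broker.conf.

Added illustration, not Pulsar project code. Reproduces the misconfiguration
behind the 401s in the question: authenticationEnabled=true while the broker's
own client (used by the function worker and admin calls) has no auth plugin.
Assumption: the privateKey JSON uses Pulsar's client_credentials fields
(client_id, client_secret). All sample configs and credentials are constructed.
"""
import base64
import binascii
import json
import re
from urllib.parse import urlparse

OAUTH2_PLUGIN = "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
REQUIRED_OAUTH2_PARAMS = ("privateKey", "issuerUrl", "audience")
DATA_URI = re.compile(r"^data:application/json;base64,(?P<b64>.+)$")


def parse_broker_conf(text):
    """Parse key=value lines; comments and blanks are skipped and the last
    occurrence of a key wins, matching the Java Properties rule."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def resolve_private_key(uri, files):
    """Return (body, error) for a privateKey URI. file:// paths are looked up
    in the supplied dict so the check runs without touching disk."""
    if uri.startswith("file://"):
        path = uri[len("file://"):]
        if path not in files:
            return None, "privateKey file not found: " + path
        return files[path], None
    m = DATA_URI.match(uri)
    if m:
        try:
            return base64.b64decode(m.group("b64"), validate=True).decode("utf-8"), None
        except (binascii.Error, UnicodeDecodeError):
            return None, "privateKey data: URI is not valid base64"
    return None, "privateKey must be a file:// or data:application/json;base64 URI"


def check_broker_conf(text, files=None):
    """Return a list of problems; empty means the broker can authenticate to
    itself. Only the OAuth2 client plugin is inspected in depth."""
    files = files or {}
    conf = parse_broker_conf(text)
    problems = []
    if conf.get("authenticationEnabled", "false").lower() != "true":
        return problems  # auth off: the broker's own calls are never challenged
    plugin = conf.get("brokerClientAuthenticationPlugin", "")
    if not plugin:
        problems.append("authenticationEnabled=true but brokerClientAuthenticationPlugin is "
                        "unset: the function worker's admin calls to the broker get HTTP 401")
        return problems
    if plugin != OAUTH2_PLUGIN:
        return problems  # token and other plugins are out of scope here
    try:
        params = json.loads(conf.get("brokerClientAuthenticationParameters", ""))
    except json.JSONDecodeError:
        return problems + ["brokerClientAuthenticationParameters is not valid JSON"]
    problems += ["missing OAuth2 parameter: " + k for k in REQUIRED_OAUTH2_PARAMS if k not in params]
    if "issuerUrl" in params and urlparse(params["issuerUrl"]).scheme != "https":
        problems.append("issuerUrl must use https; client_credentials would be sent in clear")
    if "privateKey" in params:
        body, err = resolve_private_key(params["privateKey"], files)
        if err:
            problems.append(err)
        else:
            try:
                creds = json.loads(body)
            except json.JSONDecodeError:
                problems.append("privateKey body is not JSON")
            else:
                problems += ["privateKey JSON lacks " + k
                             for k in ("client_id", "client_secret") if k not in creds]
    return problems


def build_oauth2_conf(params):
    """Constructed broker.conf fragment with the OAuth2 client plugin enabled."""
    return "\n".join([
        "authenticationEnabled=true",
        "brokerClientAuthenticationPlugin=" + OAUTH2_PLUGIN,
        "brokerClientAuthenticationParameters=" + json.dumps(params),
    ]) + "\n"


# Constructed sample: the situation in the question (auth on, broker client unconfigured).
BROKEN_CONF = "authenticationEnabled=true\n"
# Constructed credentials in the client_credentials file format (assumption, see above).
CREDENTIALS = {"type": "client_credentials", "client_id": "example-client",
               "client_secret": "example-secret", "issuer_url": "https://issuer.example"}
CREDS_B64 = base64.b64encode(json.dumps(CREDENTIALS).encode()).decode()
GOOD_CONF = build_oauth2_conf({"privateKey": "data:application/json;base64," + CREDS_B64,
                               "audience": "https://issuer.example/api/v2/",
                               "issuerUrl": "https://issuer.example"})
FILE_CONF = build_oauth2_conf({"privateKey": "file:///etc/pulsar/creds.json",
                               "audience": "https://issuer.example/api/v2/",
                               "issuerUrl": "http://issuer.example"})

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF), ("file", FILE_CONF)):
        print(name, check_broker_conf(conf, files={}) or "OK")
```

Run it against a real broker.conf by passing the file contents as text and a dict mapping the privateKey path to its contents; an empty list from check_broker_conf means the broker's internal client is at least configured consistently, which is the precondition for the function worker to start.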