openIdToken should be present in user details - Cognito #2036

Open
smasilamani-cfins opened this issue Jan 11, 2025 · 0 comments

smasilamani-cfins commented Jan 11, 2025

We use AWS Cognito as our OIDC provider. When we use authentication: idtoken, we get the below error. From the logs, I can see that the user gets authenticated successfully but fails later with the below message. Please note that Cognito issues the claims via the id token and we need that to map our groups to AKHQ groups to grant proper permissions.

If I remove authentication: idtoken, then I am able to log in but I am always a reader. For some reason, the roles sent by Cognito are not mapping at all. I was able to intercept the id token and can see that Cognito does include the claims properly and see my groups as KafkaAdminNonProd, but for some reason, after login the only available group to all of us is just reader.

openIdToken should be present in user details attributes to use micronaut.security.authentication:idtoken

application.yml

logger:
  levels:
    io.micronaut: INFO
    org.akhq: INFO

micronaut:
  security:
    enabled: true
    authentication: idtoken
    oauth2:
      enabled: true
      callback-uri: https://*****************/oauth/callback/saml
      clients:
        saml:
          client-id: "*****************"
          client-secret: "*****************"
          openid:
            issuer: "https://cognito-idp.us-east-1.amazonaws.com/*****************"
            jwks-uri: "https://cognito-idp.us-east-1.amazonaws.com/*****************/.well-known/jwks.json"
    endpoints:
      logout:
        get-allowed: true
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: *****************
akhq:
  clients-defaults:
    consumer:
      properties:
        default.api.timeout.ms: 15000000
  server:
    access-log:
      enabled: true
      name: org.akhq.log.access
      format: "[Date: {}] [Duration: {} ms] [Url: {} {}] [Status: {}] [Ip: {}] [User:{}]"
  ui-options:
    topic-data:
      sort: NEWEST
  security:
    default-group: no-roles
    roles:
      developer-non-prod:
        - resources:
            - TOPIC
          actions:
            - READ
            - CREATE
            - UPDATE
            - READ_CONFIG
        - resources:
            - TOPIC_DATA
          actions:
            - READ
            - CREATE
            - UPDATE
            - DELETE
        - resources:
            - CONSUMER_GROUP
          actions:
            - READ
        - resources:
            - CONNECT_CLUSTER
          actions:
            - READ
        - resources:
            - CONNECTOR
          actions:
            - READ
            - CREATE
            - UPDATE_STATE
        - resources:
            - SCHEMA
          actions:
            - READ
            - CREATE
            - UPDATE
        - resources:
            - NODE
          actions:
            - READ
            - READ_CONFIG
        - resources:
            - ACL
          actions:
            - READ
        - resources:
            - KSQLDB
          actions:
            - READ
    groups:
      KafkaDeveloperNonProd:
        - role: developer-non-prod
          patterns:
            - "*"
    oidc:
      enabled: true
      providers:
        saml:
          label: Login with SSO
          username-field: email
          groups-field: groups
          default-group: reader
          use-oidc-claim: false
          # the provider group mapping belongs under the provider entry (here: saml)
          groups:
            - name: KafkaAdminNonProd
              groups:
                - admin
            - name: KafkaReaderNonProd
              groups:
                - reader
            - name: KafkaDeveloperNonProd
              groups:
                - KafkaDeveloperNonProd

  connections:
    test-ssl-kafka:
      properties:
        bootstrap.servers: "*****************"
        security.protocol: SASL_SSL
        sasl.mechanism: AWS_MSK_IAM
        sasl.jaas.config: software.amazon.msk.auth.iam.IAMLoginModule required;
        sasl.client.callback.handler.class: software.amazon.msk.auth.iam.IAMClientCallbackHandler
        request.timeout.ms: 60000
      schema-registry:
        url: "https://*****************"
        basic-auth-username: *****************
        basic-auth-password: *****************
        request.timeout.ms: 60000
      connect:
        - name: "test-ssl-kafka-connect"
          url: "https://*****************"
          basic-auth-username: *****************
          basic-auth-password: *****************
          request.timeout.ms: 60000

Logs:

> 2025-01-11T13:53:58.700000+00:00  TRACE default-nioEventLoopGroup-1-6 i.m.s.o.client.DefaultOpenIdClient Starting authorization code grant flow to provider [saml]. Redirecting to [https://kafka-test.auth.us-east-1.amazoncognito.com/oauth2/authorize]
> 2025-01-11T13:53:58.701000+00:00  TRACE default-nioEventLoopGroup-1-6 .DefaultAuthorizationRedirectHandler Built the authorization URL [https://test.auth.us-east-1.amazoncognito.com/oauth2/authorize?scope=openid+email+profile&response_type=code&redirect_uri=https%3A%2F%2Fakhq.test.io%2Foauth%2Fcallback%2Fsaml&state=eyJyZWRpcmVjdFVyaSI6Imh0dHBzOi8vdGVzdC1ha2hxLmNmaW5zLmlvL29hdXRoL2NhbGxiYWNrL2NydW0tc2FtbCIsIm5vbmNlIjoiYjNjNGFmMDYtZWM5NC00ZGFiLWEwYjktNWNiOWIyZTZmMzNhIn0%3D&nonce=f09d4e2a-8e39-4985-b3a2-49a4b7e1fc79&client_id=*******************]
> 2025-01-11T13:53:58.702000+00:00  INFO default-nioEventLoopGroup-1-6 org.akhq.log.access [Date: 2025-01-11T13:53:58.702166017Z] [Duration: 3 ms] [Url: GET /oauth/login/saml] [Status: 302] [Ip: /172.28.201.5] [User:Anonymous]
> 2025-01-11T13:53:59.115000+00:00  DEBUG default-nioEventLoopGroup-1-6 i.m.s.t.reader.HttpHeaderTokenReader Looking for bearer token in Authorization header
> 2025-01-11T13:53:59.116000+00:00  DEBUG default-nioEventLoopGroup-1-6 i.m.s.t.reader.DefaultTokenResolver Request GET, /oauth/callback/saml, no token found.
> 2025-01-11T13:53:59.116000+00:00  DEBUG default-nioEventLoopGroup-1-6 i.m.security.rules.IpPatternsRule One or more of the IP patterns matched the host address [172.28.201.5]. Continuing request processing.
> 2025-01-11T13:53:59.116000+00:00  DEBUG default-nioEventLoopGroup-1-6 i.m.s.rules.AbstractSecurityRule The given roles [[isAnonymous()]] matched one or more of the required roles [[isAnonymous()]]. Allowing the request
> 2025-01-11T13:53:59.117000+00:00  DEBUG default-nioEventLoopGroup-1-6 i.m.security.filters.SecurityFilter Authorized request GET /oauth/callback/saml. The rule provider org.akhq.security.rule.SecuredAnnotationRuleWithDefault authorized the request.
> 2025-01-11T13:53:59.117000+00:00  TRACE default-nioEventLoopGroup-1-6 i.m.s.o.r.DefaultOauthController Received callback from oauth provider [saml]
> 2025-01-11T13:53:59.117000+00:00  TRACE default-nioEventLoopGroup-1-6 i.m.s.o.client.DefaultOpenIdClient Received a successful authorization response from provider [saml]
> 2025-01-11T13:53:59.117000+00:00  TRACE default-nioEventLoopGroup-1-6 ltOpenIdAuthorizationResponseHandler Validating state found in the authorization response from provider [saml]
> 2025-01-11T13:53:59.118000+00:00  TRACE default-nioEventLoopGroup-1-6 s.o.e.t.r.DefaultTokenEndpointClient Sending request to token endpoint [https://kafka-test.auth.us-east-1.amazoncognito.com/oauth2/token]
> 2025-01-11T13:53:59.118000+00:00  TRACE default-nioEventLoopGroup-1-6 s.o.e.t.r.DefaultTokenEndpointClient The token endpoint supports [[client_secret_basic, client_secret_post]] authentication methods
> 2025-01-11T13:53:59.118000+00:00  TRACE default-nioEventLoopGroup-1-6 s.o.e.t.r.DefaultTokenEndpointClient Using client_secret_basic authentication. Adding an Authorization header
> 2025-01-11T13:53:59.120000+00:00  TRACE default-nioEventLoopGroup-1-6 .p.ClientCredentialsHttpClientFilter Did not find any OAuth 2.0 client which should decorate the request with an access token received from client credentials request
> 2025-01-11T13:53:59.344000+00:00  TRACE io-executor-thread-2 ltOpenIdAuthorizationResponseHandler Token endpoint returned a success response. Validating the JWT
> 2025-01-11T13:53:59.344000+00:00  TRACE io-executor-thread-2 .DefaultOpenIdTokenResponseValidator Validating the JWT signature using the JWKS uri [https://cognito-idp.us-east-1.amazonaws.com/us-east-1_zkIPzLZKN/.well-known/jwks.json]
> 2025-01-11T13:53:59.344000+00:00  DEBUG io-executor-thread-2 i.m.s.t.jwt.validator.JwtValidator Validating signed JWT
> 2025-01-11T13:53:59.344000+00:00  DEBUG io-executor-thread-2 i.m.s.t.j.s.jwks.JwksSignatureUtils JWT Key ID: eQO7jdmMikPAZvjFmYfbbNyEiMkGkHHZcRSi7WKNgGQ=
> 2025-01-11T13:53:59.345000+00:00  DEBUG io-executor-thread-2 i.m.s.t.j.s.jwks.JwksSignatureUtils JWK Set Key IDs: eQO7jdmMikPAZvjFmYfbbNyEiMkGkHHZcRSi7WKNgGQ=,msoiFtk4sZnxg/qWXAdBJJbykSpxRlLrUs4vCfviy/Q=
> 2025-01-11T13:53:59.345000+00:00  DEBUG io-executor-thread-2 i.m.s.t.j.s.jwks.JwksSignatureUtils Found 1 matching JWKs
> 2025-01-11T13:53:59.346000+00:00  TRACE io-executor-thread-2 .DefaultOpenIdTokenResponseValidator JWT signature validation succeeded. Validating claims...
> 2025-01-11T13:53:59.347000+00:00  TRACE io-executor-thread-2 i.m.s.o.c.IdTokenClaimsValidator azp claim is not required for single audiences
> 2025-01-11T13:53:59.347000+00:00  TRACE io-executor-thread-2 ltOpenIdAuthorizationResponseHandler Token validation succeeded. Creating a user details
> 2025-01-11T13:53:59.347000+00:00  TRACE io-executor-thread-2 i.m.s.o.r.DefaultOauthController Authentication succeeded. User [example@test.com] is now logged in
> 2025-01-11T13:53:59.348000+00:00  WARN io-executor-thread-2 i.m.s.o.e.t.r.IdTokenLoginHandler openIdToken should be present in user details attributes to use micronaut.security.authentication:idtoken
> 2025-01-11T13:53:59.348000+00:00  ERROR io-executor-thread-2 o.akhq.controllers.ErrorController null
> 2025-01-11T13:53:59.348000+00:00  io.micronaut.security.errors.OauthErrorResponseException: null
> 2025-01-11T13:53:59.348000+00:00  at io.micronaut.security.oauth2.endpoint.token.response.IdTokenLoginHandler.lambda$getCookies$0(IdTokenLoginHandler.java:80)
> 2025-01-11T13:53:59.348000+00:00  at java.base/java.util.Optional.orElseThrow(Unknown Source)
> 2025-01-11T13:53:59.348000+00:00  at io.micronaut.security.oauth2.endpoint.token.response.IdTokenLoginHandler.getCookies(IdTokenLoginHandler.java:80)
> 2025-01-11T13:53:59.348000+00:00  at io.micronaut.security.token.cookie.CookieLoginHandler.loginSuccess(CookieLoginHandler.java:98)
> 2025-01-11T13:53:59.348000+00:00  at io.micronaut.security.token.cookie.CookieLoginHandler.loginSuccess(CookieLoginHandler.java:44)
> 2025-01-11T13:53:59.348000+00:00  at io.micronaut.security.oauth2.routes.DefaultOauthController.lambda$callback$0(DefaultOauthController.java:100)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:106)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapInner.onNext(FluxSwitchMapNoPrefetch.java:408)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:122)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:122)
> 2025-01-11T13:53:59.348000+00:00  at io.reactivex.internal.util.HalfSerializer.onNext(HalfSerializer.java:45)
> 2025-01-11T13:53:59.348000+00:00  at io.reactivex.internal.subscribers.StrictSubscriber.onNext(StrictSubscriber.java:97)
> 2025-01-11T13:53:59.348000+00:00  at io.reactivex.internal.subscriptions.ScalarSubscription.request(ScalarSubscription.java:55)
> 2025-01-11T13:53:59.348000+00:00  at io.reactivex.internal.subscriptions.SubscriptionHelper.deferredSetOnce(SubscriptionHelper.java:202)
> 2025-01-11T13:53:59.348000+00:00  at io.reactivex.internal.subscribers.StrictSubscriber.onSubscribe(StrictSubscriber.java:87)
> 2025-01-11T13:53:59.348000+00:00  at io.reactivex.internal.operators.flowable.FlowableJust.subscribeActual(FlowableJust.java:34)
> 2025-01-11T13:53:59.348000+00:00  at io.reactivex.Flowable.subscribe(Flowable.java:14935)
> 2025-01-11T13:53:59.348000+00:00  at io.reactivex.Flowable.subscribe(Flowable.java:14885)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxSource.subscribe(FluxSource.java:71)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.Flux.subscribe(Flux.java:8840)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapMain.subscribeInner(FluxSwitchMapNoPrefetch.java:219)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxSwitchMapNoPrefetch$SwitchMapMain.onNext(FluxSwitchMapNoPrefetch.java:164)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.runAsync(FluxPublishOn.java:446)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.publisher.FluxPublishOn$PublishOnSubscriber.run(FluxPublishOn.java:533)
> 2025-01-11T13:53:59.348000+00:00  at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$3(PropagatedContext.java:211)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
> 2025-01-11T13:53:59.348000+00:00  at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
> 2025-01-11T13:53:59.348000+00:00  at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$4(PropagatedContext.java:228)
> 2025-01-11T13:53:59.348000+00:00  at io.micrometer.core.instrument.composite.CompositeTimer.recordCallable(CompositeTimer.java:129)
> 2025-01-11T13:53:59.348000+00:00  at io.micrometer.core.instrument.Timer.lambda$wrap$1(Timer.java:203)
> 2025-01-11T13:53:59.348000+00:00  at io.micronaut.core.propagation.PropagatedContext.lambda$wrap$4(PropagatedContext.java:228)
> 2025-01-11T13:53:59.348000+00:00  at io.micrometer.core.instrument.composite.CompositeTimer.recordCallable(CompositeTimer.java:129)
> 2025-01-11T13:53:59.348000+00:00  at io.micrometer.core.instrument.Timer.lambda$wrap$1(Timer.java:203)
> 2025-01-11T13:53:59.348000+00:00  at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
> 2025-01-11T13:53:59.348000+00:00  at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> 2025-01-11T13:53:59.348000+00:00  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> 2025-01-11T13:53:59.348000+00:00  at java.base/java.lang.Thread.run(Unknown Source)
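The second symptom in the report (every user lands in the default group even though the ID token carries the groups) can be checked offline by reading the token's claims and replaying the provider's group mapping against them. The script below is an added example, not code from the issue or from AKHQ: it models AKHQ's `groups-field` / `groups[]` / `default-group` mapping as a plain function (an assumption about AKHQ's behaviour, not its source), decodes a constructed, unsigned token purely to inspect claims, and shows that a Cognito pool group arriving in the `cognito:groups` claim is never matched while `groups-field` names a claim called `groups`.

```python
import base64
import json

# Constructed provider config mirroring the akhq.security.oidc.providers.<name>
# block from the issue's application.yml (no secrets, no real endpoints).
PROVIDER_CFG = {
    "username-field": "email",
    "groups-field": "groups",
    "default-group": "reader",
    "groups": [
        {"name": "KafkaAdminNonProd", "groups": ["admin"]},
        {"name": "KafkaReaderNonProd", "groups": ["reader"]},
        {"name": "KafkaDeveloperNonProd", "groups": ["KafkaDeveloperNonProd"]},
    ],
}


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying it.
    Only for reading claims while debugging a mapping; signature, issuer and
    audience checks remain the application's job (see the JWKS lines in the log)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_groups(claims: dict, cfg: dict) -> list:
    """Model (assumption) of AKHQ's provider-level mapping: read the claim named
    by groups-field, translate each IdP group through groups[], and fall back to
    default-group when nothing matches."""
    idp_groups = claims.get(cfg["groups-field"], [])
    if isinstance(idp_groups, str):
        idp_groups = [idp_groups]
    mapped = []
    for entry in cfg.get("groups", []):
        if entry["name"] in idp_groups:
            mapped.extend(entry["groups"])
    return mapped or [cfg["default-group"]]


def fake_id_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (header.payload.) for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "kid": "demo"}) + "." + enc(claims) + "."


# Constructed Cognito-style claims: Cognito puts user-pool group membership in
# the "cognito:groups" claim, so a groups-field of "groups" never sees it.
TOKEN = fake_id_token({"email": "user@example.com", "cognito:groups": ["KafkaAdminNonProd"]})
```

Running `map_groups(id_token_claims(TOKEN), PROVIDER_CFG)` yields `['reader']`, while the same call with `groups-field` set to `cognito:groups` yields `['admin']`, which is the check to make before looking further into the login handler.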
Labels
None yet
Projects
Status: Backlog