Authenticating from CI/CD when using OIDC + Azure AD

[jurajseffer]

Hello,

Running Apicurio Registry and UI v3.0.4

What are the options for a CI/CD job, e.g. Jenkins, to authenticate when the registry is set up to use Azure AD via OIDC? I have seen that:

• there is some support for Kafka using OIDC/Keycloak but I'm not planning on pushing to Apicurio using Kafka
• Apicurio supports basic HTTP auth but I could not see where those users and passwords could be defined, is that only supported for Keycloak being the source? Would it work with Azure AD? There is also Basic auth doesn't work on Registry v3 #5967
• I could use a JWT token generated for a user but these will expire quickly

We have implemented the readonly, developer and admin roles and users log in via the browser using their Azure AD accounts. What are our options to authenticate a script running on CI in this scenario?

Thanks

[seb2020]

Hi,

You can read https://www.apicur.io/blog/2024/09/23/registry-azure-entraid-tutorial for creating a second azure app for machine-to-machine. It has helped me a lot.

Then you can with a curl obtain a token and interact with the API :

curl --request POST \ --url https://login.microsoftonline.com/<id>/oauth2/v2.0/token \ --header 'content-type: application/x-www-form-urlencoded' \ --data client_id=<client_id> \ --data 'client_secret=<client_secret>' \ --data grant_type=client_credentials \ --data scope=<app>/.default

And you can then interact with the API using an "Authorization" header

[jurajseffer]

Thank you @seb2020.

I have implemented the following to make it work:

1. created a new AD "cli" application
2. created a client secret for the above application to store in the CI system
3. created an API permission within the above application by specifying the "developer" role from the main Apicurio AD application
4. got an AD admin to authorise the API permission
5. configured the main Apicurio AD application to use version 2 for requested_access_token_version, otherwise there was a mismatch in domains when Apicurio verified the JWT (default was version 1)
6. use the curl you posted above to get a valid JWT

[youcefguichi]

hey @jurajseffer @seb2020 i see that you are also familliar / setting up apicurio for your use case, i have a quick question and i would appreciate your thoughts:

• I setup Apicurio with azure entra id and users can loging based and have the permission mapped based on the assigned app roles sr-admin sr-developer sr-readonly all is good untill this.
• for the api access i did a simlair setup to yours Authenticating from CI/CD when using OIDC + Azure AD #6039 (comment)

Question:

we have multiple teams and each team wants to only manage / see there own schemas, and since we only have the 3 default roles to use sr-admin sr-developer sr-readonly, it's still not clear how we can have a granular access to schemas per teams (per ad group let's say), if you have any ideas i would appreciate your input, thanks!

however as a next step i'm aiming to try the feature that state that only the creator can have access to the artifacts.. it may works but yeah not sure..

[jurajseffer]

According to https://www.apicur.io/registry/docs/apicurio-registry/3.0.x/getting-started/assembly-configuring-registry-security.html#registry-security-obac-enabled it sounds like you can only enforce the ownership of a particular artifact or an artifact group per specific owner so in case of AD integration I'd expect only that specific single AD user would have write access to the artifact and group of artifacts they created but no other user, regardless of their AD group membership. We plan to make Apicurio read only for human operators and only write from automated code pipelines so the ownership rules are not relevant to us.