First off, thanks for this great product that you're building. Since I discovered Apicurio Registry it has caused quite a stir and excitement in my company; adoption is on the horizon.
Configure the maven plugin with client credentials properties, including the <clientScope>. Try to register some artifacts in Apicurio Registry.
Expected vs Actual Behaviour
Seems like the <clientScope> is ignored by the java-sdk used by the maven plugin when constructing the OAuth2WebClient.
The issue seems to be located in apicurio-registry/java-sdk/src/main/java/io/apicurio/registry/client/auth/VertXAuthFactory.java (line 33 at d7b00e7), where the scope variable is ignored.
Only after I manually updated that library, inserting this line of code: oauth2Credentials.addScope(scope); did I manage to successfully register artifacts in Apicurio Registry by authenticating with the client credentials of an Enterprise Application registered in Entra ID.
Logs
Error returned by Azure: invalid_scope: AADSTS1002012: The provided value for scope null is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
Suggestion for documentation improvement regarding Maven plugin auth with Entra ID
This page suggests that QUARKUS_OIDC_AUTH_SERVER_URL is configured with a URL like: https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0
When the maven plugin is configured with <authServerUrl> like: <authServerUrl>https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/oauth2/v2.0/token</authServerUrl>
the access token that is returned by Entra ID is always version v1.0 with iss: https://sts.windows.net/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/ which doesn't align with the expectation of Quarkus, which is iss: https://login.microsoftonline.com/1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56/v2.0, causing token validation failure in Apicurio Registry.
The fix I found was to update the Apicurio Registry's App Registration Manifest in Entra ID with "accessTokenAcceptedVersion": 2. By default this is null, thus assuming the token is version 1; more details here.
This is somewhat of a known issue; other people have complained about this odd behaviour from Entra ID, which returns a v1.0 token even though it is requested through a v2.0 endpoint, a github thread here.
Screenshot with fix:
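Added example (not code from the Apicurio Registry project or from the issue author): a Vert.x OAuth2WebClient factory that forwards the client scope the way the issue describes, plus a small diagnostic that decodes an access token's payload to tell a v1.0 token (iss https://sts.windows.net/<tenant>/) from the v2.0 issuer Quarkus expects. It assumes the Vert.x 4 OAuth2 and WebClient APIs (OAuth2Options, Oauth2Credentials, OAuth2WebClient), an invented app ID URI api://registry, the placeholder tenant id from the issue, and method names (buildOidcWebClient, isValidEntraClientCredentialsScope, diagnoseIssuer) chosen for the example. The sample token in main is constructed and unsigned; claim() reads the payload without verifying the signature and is a diagnostic, not a validator.

```java
import io.vertx.core.Vertx;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.OAuth2Options;
import io.vertx.ext.auth.oauth2.Oauth2Credentials;
import io.vertx.ext.web.client.OAuth2WebClient;
import io.vertx.ext.web.client.OAuth2WebClientOptions;
import io.vertx.ext.web.client.WebClient;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not Apicurio project code: a scope-aware OAuth2WebClient factory
 * plus a diagnostic for the Entra ID v1.0 / v2.0 issuer mismatch.
 */
public final class EntraClientCredentialsExample {

    /** Builds a WebClient that obtains tokens via client_credentials and forwards the scope. */
    public static WebClient buildOidcWebClient(Vertx vertx, String tokenUrl, String clientId,
                                               String clientSecret, String scope) {
        OAuth2Options options = new OAuth2Options()
                .setClientId(clientId)
                .setClientSecret(clientSecret)
                .setTokenPath(tokenUrl);            // absolute token endpoint URL
        OAuth2Auth oauth2 = OAuth2Auth.create(vertx, options);

        Oauth2Credentials credentials = new Oauth2Credentials().setFlow(OAuth2FlowType.CLIENT);
        if (scope != null && !scope.isBlank()) {
            credentials.addScope(scope);            // the line the issue reports as missing
        }
        return OAuth2WebClient.create(WebClient.create(vertx), oauth2,
                        new OAuth2WebClientOptions().setRenewTokenOnForbidden(true))
                .withCredentials(credentials);
    }

    /** Entra ID rejects client_credentials requests whose scope is not "<resource>/.default". */
    public static boolean isValidEntraClientCredentialsScope(String scope) {
        return scope != null && scope.endsWith("/.default") && scope.length() > "/.default".length();
    }

    /** Reads a string claim from the unverified JWT payload; diagnostic only, not validation. */
    static String claim(String jwt, String name) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a JWT");
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(payload);
        return m.find() ? m.group(1) : null;
    }

    /** Explains why Quarkus OIDC will reject a token, given the configured auth-server URL. */
    public static String diagnoseIssuer(String jwt, String quarkusAuthServerUrl) {
        String ver = claim(jwt, "ver");
        String iss = claim(jwt, "iss");
        if (quarkusAuthServerUrl.equals(iss)) {
            return "OK: token issuer matches " + quarkusAuthServerUrl;
        }
        if ("1.0".equals(ver) && iss != null && iss.startsWith("https://sts.windows.net/")) {
            return "MISMATCH: v1.0 token from " + iss
                    + "; set accessTokenAcceptedVersion to 2 on the app registration so Entra ID issues"
                    + " v2.0 tokens with iss " + quarkusAuthServerUrl;
        }
        return "MISMATCH: iss=" + iss + " ver=" + ver + ", expected " + quarkusAuthServerUrl;
    }

    public static void main(String[] args) {
        String tenant = "1a2bc34d-567e-89f1-g0hi-1j2kl3m4no56"; // placeholder tenant id from the issue
        String tokenUrl = "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token";
        String authServerUrl = "https://login.microsoftonline.com/" + tenant + "/v2.0";

        // Constructed, unsigned sample of what Entra returns while accessTokenAcceptedVersion is null.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(("{\"ver\":\"1.0\",\"iss\":\"https://sts.windows.net/"
                + tenant + "/\",\"aud\":\"api://registry\"}").getBytes(StandardCharsets.UTF_8));
        String v1Token = header + "." + payload + ".";

        System.out.println(isValidEntraClientCredentialsScope("api://registry/.default"));
        System.out.println(isValidEntraClientCredentialsScope(null)); // the AADSTS1002012 case
        System.out.println(diagnoseIssuer(v1Token, authServerUrl));

        Vertx vertx = Vertx.vertx();
        WebClient client = buildOidcWebClient(vertx, tokenUrl, "client-id", "client-secret",
                "api://registry/.default");
        vertx.close();
    }
}
```

Feed diagnoseIssuer the raw access token from the plugin's failed request (or from a manual client_credentials call to the same token endpoint); if it reports a v1.0 token from sts.windows.net, the fix is on the registry's app registration (accessTokenAcceptedVersion), not in the plugin configuration.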
constantinpopa10 changed the title on Dec 13, 2024 from "Apicurio registry maven plugin cannot authenticate via Entra ID (formerly Azure AD), the <clientScope> maven property is not used by the OAuth2WebClient" to "Apicurio registry maven plugin cannot authenticate via Entra ID, the <clientScope> maven property is not used by the OAuth2WebClient"
This is for sure a problem, and the fix is as easy as you mentioned. About the documentation, you're right again, it's an improvement to be made for sure.
Description
Registry Version: 3.0.5
Persistence type: sql