Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/02/14 15:38:19 UTC
[GitHub] [apisix] jp-gouin opened a new issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin opened a new issue #3593:
URL: https://github.com/apache/apisix/issues/3593
### Issue description
Hi,
I'm trying to implement a use case with Apisix and the Apisix ingress controller.
It uses Keycloak as the OIDC provider and the following Apisix plugins:
- OIDC (relay and introspection)
- authz-keycloak (fine-grain, `lazy_path` and `http_methods_as_scope`)
- CORS (with `allow_credentials`)
I have a web application, a backend for this webapp and an external API.
- This webapp calls an API exposed by its backend
- The backend then calls an external API
- The webapp also calls the external API directly **(and this is where it fails)**
Here is the configuration for the webapp:
```yaml
apiVersion: apisix.apache.org/v1
kind: ApisixRoute
metadata:
  name: foo-route
  namespace: poc-front-app
spec:
  rules:
  - host: myawesomeapp.pocpoc.poc
    http:
      paths:
      - backend:
          serviceName: poc-front-appsvc
          servicePort: 80
        path: /*
        plugins:
        - name: openid-connect
          enable: true
          config:
            client_id: poc-apisix
            client_secret: edffb54f-3b2d-48a0-abcd-d2891824a722
            discovery: https://keycloak.example.lan/auth/realms/master/.well-known/openid-configuration
            introspection_endpoint: https://keycloak.example.lan/auth/realms/master/protocol/openid-connect/token/introspect
            bearer_only: false
            realm: master
            access_token_in_authorization_header: true
            introspection_endpoint_auth_method: "client_secret_basic"
            redirect_uri: "/redirect_uri"
```
Resources of the API:
```yaml
apiVersion: apisix.apache.org/v1
kind: ApisixRoute
metadata:
  name: foo-route
  namespace: poc-go-api
spec:
  rules:
  - host: myawesomeapi.pocpoc.poc
    http:
      paths:
      - backend:
          serviceName: poc-go-apisvc
          servicePort: 80
        path: /*
        plugins:
        - name: cors
          enable: true
          config:
            allow_credential: true
            allow_origins: http://myawesomeapp.pocpoc.poc:30438,http://myawesomeapi.pocpoc.poc:30438
            allow_methods: HEAD,GET,POST,PUT,PATCH,DELETE
            expose_headers: Set-Cookie,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,openID,audiotoken
            allow_headers: Set-Cookie,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,openID,audiotoken
            #allow_origins: "**"
            #allow_methods: "**"
            #expose_headers: "**"
            #allow_headers: "**"
        - name: authz-keycloak
          enable: true
          config:
            token_endpoint: https://keycloak.example.lan/auth/realms/master/protocol/openid-connect/token
            #permissions: ["View authors resources#authors:GET"]
            http_method_as_scope: true
            lazy_load_paths: true
            client_id: poc-apisix
            audience: poc-apisix
            client_secret: edffb54f-3b2d-48a0-abcd-d2891824a722
            discovery: https://keycloak.example.lan/auth/realms/master/.well-known/uma2-configuration
            realm: master
            ssl_verify: false
```
First (working) scenario
Here is the schematic of the use case and what is working and not:
![Apisix](https://user-images.githubusercontent.com/20150360/107880839-9ca9c200-6ee1-11eb-942d-0da407b03c3b.png)
I can see in my backends that I have an Authorization header (guessing that it came directly from the Apisix plugin).
Now I also have an external API exposed through Apisix as well; its configuration is the one shown above under "Resources of the API".
I use the CORS plugin to allow cross-origin calls, and I also use the Keycloak plugin to perform fine-grained authorisation on the incoming request.
When the call is made by the backend of the webapp (setting the Authorization header manually, copied from the webapp's request, on the request to the external API), everything works fine.
Not working scenario
![Apisix2](https://user-images.githubusercontent.com/20150360/107880841-a03d4900-6ee1-11eb-9f50-362bddbb86a1.png)
But when the call is made directly by the web application (using CORS) there are no session cookies in the request, nor an Authorization header... And the answer from Apisix is pretty explicit: `{"message":"Missing JWT token in request"}`
The CORS plugin is configured with `allow_credential: true` and I can see this in the `GET response from the server`:
```
HTTP/1.1 401 Unauthorized
Date: Sun, 14 Feb 2021 14:57:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.3
Access-Control-Allow-Origin: http://myawesomeapp.pocpoc.poc:30438
Vary: Origin
Access-Control-Allow-Methods: HEAD,GET,POST,PUT,PATCH,DELETE
Access-Control-Max-Age: 5
Access-Control-Expose-Headers: Set-Cookie,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,openID,audiotoken
Access-Control-Allow-Headers: Set-Cookie,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,openID,audiotoken
Access-Control-Allow-Credentials: true
```
So how can I get this Authorization header? Is this something Apisix can add, as in the first scenario?
Thanks!
### Environment
* apisix version (cmd: `apisix version`): 2.3-alpine
* OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] spacewander commented on issue #3593: request help: OIDC missing Authorization header in CORS
spacewander commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-781969418
The openid-connect plugin will set the Authorization header according to the client info. I think that may be the cause of the difference.
[GitHub] [apisix] github-actions[bot] commented on issue #3593: request help: OIDC missing Authorization header in CORS
github-actions[bot] commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-1031292462
This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.
[GitHub] [apisix] jp-gouin commented on issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782117288
How will it transform the session cookies into an Authorization header ?
[GitHub] [apisix] github-actions[bot] closed issue #3593: request help: OIDC missing Authorization header in CORS
github-actions[bot] closed issue #3593:
URL: https://github.com/apache/apisix/issues/3593
[GitHub] [apisix] spacewander commented on issue #3593: request help: OIDC missing Authorization header in CORS
spacewander commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-781856696
> When the call is made by the backend of the webapp (and by setting manually the Authorization header from the request from the webapp to request to the external api)
> But when the call is made directly by the webapplication (using Cors) there is no session cookies in the request nor Authorization header
Does the external API return the Authorization header and the web application send it back in the CORS request?
[GitHub] [apisix] github-actions[bot] commented on issue #3593: request help: OIDC missing Authorization header in CORS
github-actions[bot] commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-1047630754
This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.
[GitHub] [apisix] jp-gouin commented on issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-781973517
OK, so in the case of a CORS request does it set the Authorization header as well?
Btw I also use the CORS plugin for the external API and allow credentials for CORS requests.
[GitHub] [apisix] jp-gouin commented on issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782071121
I assumed that might block the frontend from putting any credential in the request, but since it's Apisix that sets the Authorization header...
Also I see that in the case of a CORS request the session cookie is not set in the request; that's why Apisix cannot add the Authorization header...
[GitHub] [apisix] spacewander commented on issue #3593: request help: OIDC missing Authorization header in CORS
spacewander commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782986891
AFAIK, `openid-connect` plugin fetches a new token with the given client info.
[GitHub] [apisix] jp-gouin commented on issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782084028
Sorry, I'm not sure I understand; I already use the openid-connect plugin.
```yaml
apiVersion: apisix.apache.org/v1
kind: ApisixRoute
metadata:
  name: foo-route
  namespace: poc-front-app
spec:
  rules:
  - host: myawesomeapp.pocpoc.poc
    http:
      paths:
      - backend:
          serviceName: poc-front-appsvc
          servicePort: 80
        path: /*
        plugins:
        - name: openid-connect
          enable: true
          config:
            client_id: poc-apisix
            client_secret: edffb54f-3b2d-48a0-abcd-d2891824a722
            discovery: https://keycloak.example.lan/auth/realms/master/.well-known/openid-configuration
            introspection_endpoint: https://keycloak.example.lan/auth/realms/master/protocol/openid-connect/token/introspect
            bearer_only: false
            realm: master
            access_token_in_authorization_header: true
            introspection_endpoint_auth_method: "client_secret_basic"
            redirect_uri: "/redirect_uri"
```
[GitHub] [apisix] jp-gouin commented on issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782698877
OK, I see what you mean. I copied the function from jwt-auth to authz-keycloak but no luck so far.
I cannot see how to fetch the JWT token from the session cookie...
Do you have an idea of how the openid-connect plugin is doing this?
[GitHub] [apisix] spacewander commented on issue #3593: request help: OIDC missing Authorization header in CORS
spacewander commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782038376
`Access-Control-Allow-Credentials` does not allow setting credentials, but allows passing credentials.
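Added example, not code from the issue or from APISIX: it models the two browser rules behind the original question and the comment above on `Access-Control-Allow-Credentials`: when a credentialed (`credentials: 'include'`) cross-origin response is accepted at all, and to which hosts the webapp's OIDC session cookie is sent. Header values are taken from the 401 response in the issue; the cookie name `session` and its attributes are assumptions.

```javascript
// Added example (not from the issue or APISIX). Models what a browser does
// with the credentialed CORS response shown in the issue, and whether the
// session cookie set by the webapp host is ever attached to the API host.

// Returns the problems a browser would have exposing a credentialed CORS
// response to the page; an empty array means the response is accepted.
function credentialedCorsProblems(headers, requestOrigin) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const problems = [];
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  }
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    problems.push('Access-Control-Allow-Origin missing');
  } else if (acao === '*') {
    // A wildcard is rejected for credentialed requests even with ACAC: true.
    problems.push('Access-Control-Allow-Origin "*" is rejected with credentials');
  } else if (acao !== requestOrigin) {
    problems.push(`Access-Control-Allow-Origin ${acao} does not match ${requestOrigin}`);
  }
  if (!/\borigin\b/i.test(h['vary'] || '')) {
    // Not a browser rule, but without it a shared cache may replay one
    // origin's Allow-Origin value to a different origin.
    problems.push('Vary: Origin missing (cache can leak the per-origin header)');
  }
  return problems;
}

// Cookie scope is by host, not by origin. A cookie without a Domain attribute
// is host-only: set by myawesomeapp.pocpoc.poc, it is never attached to a
// request for myawesomeapi.pocpoc.poc, whatever the CORS headers say.
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === cookie.setBy.toLowerCase();
  const domain = cookie.domain.toLowerCase().replace(/^\./, '');
  return host === domain || host.endsWith('.' + domain);
}

// Constructed from the issue: the relevant 401 response headers and the hosts.
const apiResponseHeaders = {
  'Access-Control-Allow-Origin': 'http://myawesomeapp.pocpoc.poc:30438',
  'Vary': 'Origin',
  'Access-Control-Allow-Credentials': 'true',
};
const webappOrigin = 'http://myawesomeapp.pocpoc.poc:30438';
// 'session' is the assumed name of the openid-connect session cookie.
const hostOnlyCookie = { name: 'session', setBy: 'myawesomeapp.pocpoc.poc' };
const sharedCookie = { ...hostOnlyCookie, domain: 'pocpoc.poc' };

function explain() {
  return {
    corsProblems: credentialedCorsProblems(apiResponseHeaders, webappOrigin),
    hostOnlyCookieReachesApi: cookieSentTo(hostOnlyCookie, 'myawesomeapi.pocpoc.poc'),
    sharedCookieReachesApi: cookieSentTo(sharedCookie, 'myawesomeapi.pocpoc.poc'),
  };
}
```

The response headers in the issue pass the credentialed-CORS check, so the 401 is not a CORS failure: with a host-only session cookie the browser simply has nothing to send to the API host, and only a cookie scoped to the parent domain would reach it.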
[GitHub] [apisix] spacewander commented on issue #3593: request help: OIDC missing Authorization header in CORS
spacewander commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782112893
What about refactoring authz-keycloak and using this `fetch_jwt_token` instead?
https://github.com/apache/apisix/blob/017298de8687970fb53ef34579e4a947abda4d0b/apisix/plugins/jwt-auth.lua#L154
We can put it in https://github.com/apache/apisix/blob/master/apisix/core/utils.lua
[GitHub] [apisix] jp-gouin commented on issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-781947606
Hi,
No, in the second scenario the request does not go to the external API; it's blocked by Apisix because of the missing Authorization header.
In the working scenario this header is set directly by Apisix (my guess), but not by the front-end nor the backend.
I can see this because when I receive the call from the front-end to the back-end of the webapp, I list all the headers of the call and I see the Authorization header.
So when I'm doing a CORS call to an external API (also served by Apisix), Apisix does not set the Authorization header for the outgoing request as it does for the internal call.
[GitHub] [apisix] jp-gouin edited a comment on issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin edited a comment on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782084028
You mean I should also use the openid-connect plugin on the external API?
[GitHub] [apisix] jp-gouin edited a comment on issue #3593: request help: OIDC missing Authorization header in CORS
jp-gouin edited a comment on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782084028
You mean I should also use the openid-connect plugin on the external API?
Edit: I now have the session cookie in the request; it was caused by the CORS.
I think rewriting the URI could do the trick to avoid the CORS request.
Do you know how to configure the openid-connect plugin to only perform the verification on the session cookie?
[GitHub] [apisix] spacewander commented on issue #3593: request help: OIDC missing Authorization header in CORS
spacewander commented on issue #3593:
URL: https://github.com/apache/apisix/issues/3593#issuecomment-782077735
> Also i see that in case of Cors request the session cookie is not set in the request, that why Apisix cannot add the authorization header
Maybe you can also use the openid-connect plugin for it.