Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/04/06 19:25:57 UTC

[GitHub] [apisix] david-woelfle commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

david-woelfle commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1090675455

Came across the same problem today and did some testing on the problem with an up-to-date apisix instance. It seems like this problem (`request to the redirect_uri path but there's no session state found`) only happens if the user-requested URI and the `redirect_uri` are identical.

The reason could be that the openid-connect plugin probably checks if the user-requested URI is identical to `redirect_uri` and, if that is the case, assumes that the user has already been redirected back from the Auth server and should already have a valid session cookie. The plugin hence expects a session cookie and then fails with the error above if it finds no session state. @membphis or @moonming could you maybe confirm that this is what the plugin does?

If my hypothesis is correct then I would assume this is a bug and I find that the approach of @lemonrains is not a good solution. Here is why:
* Assume you try to protect an upstream API with OpenID, say `https://httpbin.org/image/png`
* The exposed route for the upstream could be `https://example.com/image/png`
* If users without a session yet try to access `https://example.com/image/png` they should be redirected to the Auth server to redeem a session. (This redirect currently fails.)
* After the authentication has passed, the users should be redirected back to the original target URI (`https://example.com/image/png`) because that is the resource they initially tried to access. (Please note that this is what the openid-connect plugin actually tries to do by default, as `redirect_uri` has a default value of `"ngx.var.request_uri"`, which is IMHO the right thing to do and absolutely correct. The docs are correct too, just the implementation in the plugin seems to have a bug ;) )
   
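The following is a small model of the flow hypothesised in the comment above, added here as an illustration and not the plugin's or lua-resty-openidc's actual code; the `dispatch` and `resolve_redirect_uri` helpers, the branch names and the `/oidc/callback` path are assumptions. It shows why a `redirect_uri` that defaults to the request URI sends every unauthenticated first request down the "callback without session state" branch instead of the redirect-to-IdP branch.

```python
from urllib.parse import urlsplit


def resolve_redirect_uri(configured: str, request_uri: str) -> str:
    """The plugin's default of `ngx.var.request_uri` makes the callback URI
    equal to whatever the user just requested (hypothesised behaviour)."""
    if configured == "ngx.var.request_uri":
        return request_uri
    return configured


def dispatch(request_uri: str, redirect_uri: str, has_session: bool) -> str:
    """Model of the hypothesised decision in the openid-connect plugin.

    Returns one of:
      "proxy"                  - valid session, pass the request upstream
      "redirect_to_idp"        - no session, send the user to the Auth server
      "error_no_session_state" - request path equals the callback path but no
                                 session state exists (the 500 from the issue)
    """
    # ngx.var.request_uri carries the query string; compare paths only.
    req_path = urlsplit(request_uri).path
    cb_path = urlsplit(redirect_uri).path
    if has_session:
        return "proxy"
    if req_path == cb_path:
        # Looks like the IdP redirected us back, but there is no state cookie.
        return "error_no_session_state"
    return "redirect_to_idp"


def first_request(configured_redirect_uri: str, request_uri: str = "/image/png") -> str:
    """Outcome for a user with no session hitting the protected route.
    The request path is a constructed example value taken from the comment."""
    redirect_uri = resolve_redirect_uri(configured_redirect_uri, request_uri)
    return dispatch(request_uri, redirect_uri, has_session=False)


if __name__ == "__main__":
    # Default config: the callback path is the requested path itself, so the
    # very first unauthenticated request is mistaken for a callback.
    print(first_request("ngx.var.request_uri"))        # error_no_session_state
    # Dedicated callback path: the first request is redirected to the IdP.
    print(first_request("/oidc/callback"))             # redirect_to_idp
```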