Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/26 17:52:33 UTC

[GitHub] [apisix] MirtoBusico opened a new issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied"

MirtoBusico opened a new issue #6460:
URL: https://github.com/apache/apisix/issues/6460


   ### Issue description
   
   Using the **authz-keycloak** plugin, when access is not permitted you correctly receive an access denied message
   ```
   {"error":"access_denied","error_description":"not_authorized"}
   ```
   in the body of the requested url
   
   Question: is it possible to specify a redirect URL to be used when the access is denied so the user sees a predefined page instead of a message?
   
   
   
   ### Environment
   
   - apisix version (cmd: `apisix version`):
   ```
   bash-5.1# apisix version
   /usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua version
   2.12.0
   bash-5.1# 
   ```
   - OS (cmd: `uname -a`):
   ```
   bash-5.1# uname -a
   Linux apisix-dd76474d9-82frr 5.4.0-99-generic #112-Ubuntu SMP Thu Feb 3 13:50:55 UTC 2022 x86_64 Linux
   bash-5.1# 
   ```
   - OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
   ```
   bash-5.1# nginx -V
   nginx version: openresty/1.19.9.1
   built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424) 
   built with OpenSSL 1.1.1g  21 Apr 2020
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.19.9.1.3 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../mod_dubbo --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../ngx_multi_upstream_module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module/src/stream --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../wasm-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
   bash-5.1# openresty -V
   nginx version: openresty/1.19.9.1
   built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424) 
   built with OpenSSL 1.1.1g  21 Apr 2020
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.19.9.1.3 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../mod_dubbo --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../ngx_multi_upstream_module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module/src/stream --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../wasm-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
   bash-5.1# 
   ```
   - etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   ```
   What pod is server-info API? 
   From the kubernetes dashboard I see that the image is:
    docker.io/bitnami/etcd:3.4.16-debian-10-r14
   ```
   - apisix-dashboard version, if have:
   ```
   dashboard_version	2.10.1
   ```
   - the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
   ```
   Don't know how to get the authz-keycloak plugin version
   ```
   - luarocks version, if the issue is about installation (cmd: `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] spacewander commented on issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied" message?

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #6460:
URL: https://github.com/apache/apisix/issues/6460#issuecomment-1053522438


   You can add a conf to redirect the client instead of
   https://github.com/apache/apisix/blob/77e90d2f3d2e7023b5b19b4709805f548b979264/apisix/plugins/authz-keycloak.lua#L597-L599
   
   We can use the redirect code there:
   https://github.com/apache/apisix/blob/77e90d2f3d2e7023b5b19b4709805f548b979264/apisix/plugins/redirect.lua#L215-L216
   
   PR is welcome!





[GitHub] [apisix] spacewander closed issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied" message?

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #6460:
URL: https://github.com/apache/apisix/issues/6460


   





[GitHub] [apisix] spacewander commented on issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied" message?

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #6460:
URL: https://github.com/apache/apisix/issues/6460#issuecomment-1054885549


   > I think it would be a good idea to support this feature in `response-rewrite` as well. Currently, `response-rewrite` supports modifying the header when matching the response status code (for example, modifying the header to `Location: https://apisix.apache.org/` when matching `403`), but does not support modifying the response status at the same time.
   
   Note that 403 may not return from authz-keycloak





[GitHub] [apisix] spacewander commented on issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied" message?

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #6460:
URL: https://github.com/apache/apisix/issues/6460#issuecomment-1056031443


   Yes





[GitHub] [apisix] shuaijinchao commented on issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied" message?

Posted by GitBox <gi...@apache.org>.
shuaijinchao commented on issue #6460:
URL: https://github.com/apache/apisix/issues/6460#issuecomment-1054044725


   I think it would be a good idea to support this feature in `response-rewrite` as well. Currently, `response-rewrite` supports modifying the header when matching the response status code (for example, modifying the header to `Location: https://apisix.apache.org/` when matching `403`), but does not support modifying the response status at the same time.





[GitHub] [apisix] oil-oil commented on issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied" message?

Posted by GitBox <gi...@apache.org>.
oil-oil commented on issue #6460:
URL: https://github.com/apache/apisix/issues/6460#issuecomment-1055056324


   > > I think it would be a good idea to support this feature in `response-rewrite` as well. Currently, `response-rewrite` supports modifying the header when matching the response status code (for example, modifying the header to `Location: https://apisix.apache.org/` when matching `403`), but does not support modifying the response status at the same time.
   > 
   > Note that 403 may not return from authz-keycloak
   
   So I just need to add a new parameter to indicate the URL to redirect to when there is no permission, is that right?





[GitHub] [apisix] MirtoBusico commented on issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied" message?

Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #6460:
URL: https://github.com/apache/apisix/issues/6460#issuecomment-1053637612


   Hi @spacewander you mean that I have to post a "feature request"?





[GitHub] [apisix] oil-oil commented on issue #6460: request help: in authz-keycloak plugin is it possible to customize the "access denied" message?

Posted by GitBox <gi...@apache.org>.
oil-oil commented on issue #6460:
URL: https://github.com/apache/apisix/issues/6460#issuecomment-1054090080


   I want to try to implement this function, please assign this task to me.😃

