Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/08/05 06:52:24 UTC

[GitHub] [apisix] liweitianux commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

liweitianux commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1206107085

   @starsz , thank you for the detailed analysis and nice diagram on the OIDC flow.
   
   > Why should the admin of an APISIX gateway decide about the `redirect_uri` at all?
   >
   >> Yes, the best way is that the admin doesn't need to care about the redirect_uri. It's a point that can be improved.
   >
   > Couldn't APISIX provide some generic auth callback endpoint that is automatically sent to the auth server?
   >
   >> Apache APISIX is a gateway, we don't want to expose a fixed URL in the gateway since it will influence other APIs. So we should do more research to provide the best solution.
   
   The [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/) recommends that the `redirect_uri` should be explicitly specified and thus **exactly matched** by IDP, in order to prevent `redirect_uri` attacks [0].  So the user/admin should generally know the `redirect_uri` to use.
   
   However, the above requirement would make the setup tedious and may be error-prone when there are many APIs to configure.  And for some internal or on-premise IDP deployments, one may allow wildcard `redirect_uri` (also as illustrated in the tutorial [1]).  Actually, I was confused and didn't know how to set up the `redirect_uri` after reading this tutorial.
   
   So I'd say it would be great if APISIX could auto-set an internal URI for the `redirect_uri` if not specified, although it's not recommended by the best current practice.
   
   According to the discussion above, I'd suggest the following one: assume the current API/route is `/api/*`, then the auto-generated `redirect_uri` could be `/api/.apisix/redirect`.  Just my idea...
   
   Well, maybe it's better to just update the code and doc to mandate the `redirect_uri` parameter...
   
   [0] [What is the real purpose of Redirect_Uri in OpenIdConnect?](https://stackoverflow.com/a/55375906)
   [1] [How to integrate Keycloak for authentication in Apache APISIX](https://www.apiseven.com/blog/integrate-keycloak-auth-in-apisix)
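As an added example (not code from APISIX or from this comment's author), a small Python sketch of the idea discussed above: deriving the callback path from a route the way the comment proposes, and applying the exact-match rule the OAuth 2.0 Security BCP asks IdPs to enforce, contrasted with the wildcard matching some on-premise IdPs allow. The function names and the `gw.example.com` host are assumptions constructed for this illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlunsplit

# Added example, not APISIX code. Helper names and the example host are
# assumptions made for this illustration.


def derive_redirect_uri(route_uri: str, segment: str = ".apisix/redirect") -> str:
    """Callback path as proposed in the comment: route `/api/*` -> `/api/.apisix/redirect`.

    A trailing `*` (route wildcard) and trailing slashes are stripped so the
    callback is nested directly under the route prefix.
    """
    prefix = route_uri[:-1] if route_uri.endswith("*") else route_uri
    return prefix.rstrip("/") + "/" + segment


def build_redirect_uri(scheme: str, host: str, route_uri: str) -> str:
    """Absolute redirect_uri an admin would register at the IdP for this route."""
    return urlunsplit((scheme, host, derive_redirect_uri(route_uri), "", ""))


def exact_match(registered: str, requested: str) -> bool:
    """BCP rule for the IdP: simple string comparison (RFC 3986 section 6.2.1).

    Nothing is normalised, so a different case in the host, an extra slash,
    or an added query string all fail the check.
    """
    return registered == requested


def wildcard_match(pattern: str, requested: str) -> bool:
    """Glob-style matching some internal IdPs allow (e.g. `https://gw.example.com/api/*`).

    Shown only to contrast with exact_match: it also accepts any other path
    under the prefix, which is why the BCP recommends exact matching.
    """
    return fnmatchcase(requested, pattern)


def accepted_by(policy, registered: str, candidates: list) -> list:
    """Return the candidate redirect_uri values a given policy would accept."""
    return [c for c in candidates if policy(registered, c)]
```

Running `accepted_by` over the same candidate list with `exact_match` and `wildcard_match` shows how many more callback targets the wildcard policy admits for the same registration.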

