Posted to notifications@apisix.apache.org by mo...@apache.org on 2023/04/23 09:55:24 UTC
[apisix] branch master updated: chore(ci): remove 3rd keycloak docker image (#9341)
This is an automated email from the ASF dual-hosted git repository.
monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 143433504 chore(ci): remove 3rd keycloak docker image (#9341)
143433504 is described below
commit 1434335041c6e054f7b6afb0401aea0a069b0ad7
Author: dongjunduo <an...@gmail.com>
AuthorDate: Sun Apr 23 17:55:18 2023 +0800
chore(ci): remove 3rd keycloak docker image (#9341)
---
ci/init-plugin-test-service.sh | 11 +++-
ci/pod/docker-compose.plugin.yml | 32 +++-------
ci/{ => pod/keycloak}/kcadm_configure_cas.sh | 0
ci/pod/keycloak/kcadm_configure_university.sh | 90 +++++++++++++++++++++++++++
ci/pod/keycloak/server.crt.pem | 21 +++++++
ci/pod/keycloak/server.key.pem | 28 +++++++++
t/plugin/authz-keycloak.t | 34 +++++-----
t/plugin/authz-keycloak2.t | 27 ++++----
t/plugin/authz-keycloak3.t | 6 +-
t/plugin/openid-connect.t | 32 +++++-----
10 files changed, 206 insertions(+), 75 deletions(-)
diff --git a/ci/init-plugin-test-service.sh b/ci/init-plugin-test-service.sh
index 881f466c7..fbabe1ca1 100755
--- a/ci/init-plugin-test-service.sh
+++ b/ci/init-plugin-test-service.sh
@@ -42,8 +42,15 @@ after() {
# wait for keycloak ready
bash -c 'while true; do curl -s localhost:8080 &>/dev/null; ret=$?; [[ $ret -eq 0 ]] && break; sleep 3; done'
- docker cp ci/kcadm_configure_cas.sh apisix_keycloak_new:/tmp/
- docker exec apisix_keycloak_new bash /tmp/kcadm_configure_cas.sh
+
+ # install jq
+ wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -O jq
+ chmod +x jq
+ docker cp jq apisix_keycloak:/usr/bin/
+
+ # configure keycloak
+ docker exec apisix_keycloak bash /tmp/kcadm_configure_cas.sh
+ docker exec apisix_keycloak bash /tmp/kcadm_configure_university.sh
}
before() {
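Review bot: The added `wget` of `jq-linux64` installs an unverified binary into the Keycloak container. The URL is pinned to the jq-1.6 release, but nothing checks the file's integrity, and a failed download still falls through to `chmod` and `docker cp`. Verify a pinned digest right after the download, e.g. `echo "<sha256-of-jq-linux64>  jq" | sha256sum -c - || exit 1` (placeholder digest, to be taken from the release), and make the download itself fatal with `|| exit 1`. The body of `after()` starts above this hunk, so whether `set -e` is already in effect is not visible here.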
diff --git a/ci/pod/docker-compose.plugin.yml b/ci/pod/docker-compose.plugin.yml
index c0f102f88..7647a1ee9 100644
--- a/ci/pod/docker-compose.plugin.yml
+++ b/ci/pod/docker-compose.plugin.yml
@@ -37,31 +37,9 @@ services:
networks:
apisix_net:
-
## keycloak
apisix_keycloak:
- image: sshniro/keycloak-apisix:1.0.0
- environment:
- KEYCLOAK_USER: admin
- KEYCLOAK_PASSWORD: 123456
- restart: unless-stopped
- ports:
- - "8090:8080"
- - "8443:8443"
- networks:
- apisix_net:
-
- ## keycloak
- # The keycloak official has two types of docker images:
- # * legacy WildFly distribution
- # * new Quarkus based distribution
- # Here we choose new version, because it's mainstream and
- # supports kcadm.sh to init the container for test.
- # The original keycloak service `apisix_keycloak` is
- # third-party personal customized image and for OIDC test only.
- # We should unify both containers in future.
- apisix_keycloak_new:
- container_name: apisix_keycloak_new
+ container_name: apisix_keycloak
image: quay.io/keycloak/keycloak:18.0.2
# use host network because in CAS auth,
# keycloak needs to send back-channel POST to apisix.
@@ -69,10 +47,16 @@ services:
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
+ KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/conf/server.crt.pem
+ KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/conf/server.key.pem
restart: unless-stopped
- command: ["start-dev", "--http-port 8080"]
+ command: ["start-dev"]
volumes:
- /opt/keycloak-protocol-cas-18.0.2.jar:/opt/keycloak/providers/keycloak-protocol-cas-18.0.2.jar
+ - ./ci/pod/keycloak/server.crt.pem:/opt/keycloak/conf/server.crt.pem
+ - ./ci/pod/keycloak/server.key.pem:/opt/keycloak/conf/server.key.pem
+ - ./ci/pod/keycloak/kcadm_configure_cas.sh:/tmp/kcadm_configure_cas.sh
+ - ./ci/pod/keycloak/kcadm_configure_university.sh:/tmp/kcadm_configure_university.sh
## kafka-cluster
zookeeper-server1:
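Review bot: The four new bind mounts under `volumes:` are writable from inside the container although Keycloak only needs to read them; append `:ro`, e.g. `- ./ci/pod/keycloak/server.key.pem:/opt/keycloak/conf/server.key.pem:ro`. Since `server.key.pem` is a private key committed to the repository, a comment above the `KC_HTTPS_CERTIFICATE_*` lines such as `# self-signed test pair, committed on purpose; never reuse outside CI` would help keep it out of a real deployment. The same caveat fits the `admin`/`admin` credentials in the context lines, given that the comment in the previous hunk says this service runs on the host network.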
diff --git a/ci/kcadm_configure_cas.sh b/ci/pod/keycloak/kcadm_configure_cas.sh
similarity index 100%
rename from ci/kcadm_configure_cas.sh
rename to ci/pod/keycloak/kcadm_configure_cas.sh
diff --git a/ci/pod/keycloak/kcadm_configure_university.sh b/ci/pod/keycloak/kcadm_configure_university.sh
new file mode 100644
index 000000000..162b624f8
--- /dev/null
+++ b/ci/pod/keycloak/kcadm_configure_university.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+export PATH=/opt/keycloak/bin:$PATH
+
+kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
+
+# create realm University
+kcadm.sh create realms -s realm=University -s enabled=true
+
+# create roles `Teacher, Student`
+kcadm.sh create roles -r University -s name=Teacher
+kcadm.sh create roles -r University -s name=Student
+
+# create users `teacher@gmail.com, student@gmail.com`
+kcadm.sh create users -r University -s username=teacher@gmail.com -s enabled=true
+kcadm.sh create users -r University -s username=student@gmail.com -s enabled=true
+
+# set password
+kcadm.sh set-password -r University --username teacher@gmail.com --new-password 123456
+kcadm.sh set-password -r University --username student@gmail.com --new-password 123456
+
+# bind roles to users
+kcadm.sh add-roles -r University --uusername teacher@gmail.com --rolename Teacher
+kcadm.sh add-roles -r University --uusername student@gmail.com --rolename Student
+
+# create client course_management
+kcadm.sh create clients -r University -s clientId=course_management -s enabled=true -s clientAuthenticatorType=client-secret -s secret=d1ec69e9-55d2-4109-a3ea-befa071579d5
+
+client_id=$(kcadm.sh get clients -r University --fields id,clientId 2>/dev/null | jq -r '.[] | select(.clientId=='\"course_management\"') | .id')
+teacher_id=$(kcadm.sh get roles -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"Teacher\"') | .id')
+student_id=$(kcadm.sh get roles -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"Student\"') | .id')
+
+# update client course_management
+kcadm.sh update clients/${client_id} -r University -s protocol=openid-connect -s standardFlowEnabled=true \
+ -s implicitFlowEnabled=true -s directAccessGrantsEnabled=true -s serviceAccountsEnabled=true \
+ -s authorizationServicesEnabled=true -s 'redirectUris=["*"]' -s 'webOrigins=["*"]'
+
+kcadm.sh update clients/${client_id}/authz/resource-server -r University -s allowRemoteResourceManagement=false -s policyEnforcementMode="ENFORCING"
+
+# create authz-resource with name `course_resource`, uri `/course/*`, scope `DELETE, delete, view, GET`
+kcadm.sh create clients/${client_id}/authz/resource-server/resource -r University -s name=course_resource \
+ -s ownerManagedAccess=false -s uris='["/course/*"]' -s scopes='[{"name": "DELETE"},{"name": "view"},{"name": "GET"},{"name": "delete"}]'
+
+course_resource_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/resource -r University --fields _id,name 2>/dev/null | jq -r '.[] | select(.name=='\"course_resource\"') | ._id')
+DELETE_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"DELETE\"') | .id')
+delete_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"delete\"') | .id')
+GET_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"GET\"') | .id')
+view_scope_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/scope -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"view\"') | .id')
+
+# create authz-policy `AllowTeacherPolicy, AllowStudentPolicy`
+kcadm.sh create clients/${client_id}/authz/resource-server/policy/role -r University \
+ -s name="AllowTeacherPolicy" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+ -s roles='[{"id": '\"${teacher_id}\"'}]'
+
+kcadm.sh create clients/${client_id}/authz/resource-server/policy/role -r University \
+ -s name="AllowStudentPolicy" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+ -s roles='[{"id": '\"${student_id}\"'}]'
+
+allow_teacher_policy_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/policy -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"AllowTeacherPolicy\"') | .id')
+allow_student_policy_id=$(kcadm.sh get clients/${client_id}/authz/resource-server/policy -r University --fields id,name 2>/dev/null | jq -r '.[] | select(.name=='\"AllowStudentPolicy\"') | .id')
+
+# create authz-permission `Delete Course Permission` and `View Course Permission`
+kcadm.sh create clients/${client_id}/authz/resource-server/permission/scope -r University \
+ -s name="Delete Course Permission" -s logic="POSITIVE" -s decisionStrategy="UNANIMOUS" \
+ -s policies='['\"${allow_teacher_policy_id}\"']' \
+ -s scopes='['\"${DELETE_scope_id}\"', '\"${delete_scope_id}\"']' \
+ -s resources='['\"${course_resource_id}\"']'
+
+kcadm.sh create clients/${client_id}/authz/resource-server/permission/scope -r University \
+ -s name="View Course Permission" -s logic="POSITIVE" -s decisionStrategy="AFFIRMATIVE" \
+ -s policies='['\"${allow_teacher_policy_id}\"', '\"${allow_student_policy_id}\"']' \
+ -s scopes='['\"${GET_scope_id}\"', '\"${view_scope_id}\"']' \
+ -s resources='['\"${course_resource_id}\"']'
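Review bot: The script has no fail-fast handling, so a failed `kcadm.sh` call or an empty `jq` lookup (stderr is discarded with `2>/dev/null`) leaves `client_id` and the other ids empty. The later calls then run against paths like `clients//authz/resource-server`, and the problem likely surfaces only as failing plugin tests. Add `set -euo pipefail` after the `export PATH` line and guard the lookups, e.g. `[ -n "${client_id}" ] || { echo "client course_management not found" >&2; exit 1; }`. The client is also created with `redirectUris=["*"]`, `webOrigins=["*"]`, implicit flow and direct access grants enabled, plus a fixed secret. A comment above that command such as `# deliberately permissive test fixture, not a template for real clients` would make the intent explicit.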
diff --git a/ci/pod/keycloak/server.crt.pem b/ci/pod/keycloak/server.crt.pem
new file mode 100644
index 000000000..9c7bde3bb
--- /dev/null
+++ b/ci/pod/keycloak/server.crt.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/ci/pod/keycloak/server.key.pem b/ci/pod/keycloak/server.key.pem
new file mode 100755
index 000000000..f2bc2d942
--- /dev/null
+++ b/ci/pod/keycloak/server.key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
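Review bot: `server.key.pem` is added with mode `100755` while the certificate next to it is `100644`. A key file needs no execute bit, so commit it as `100644` (`git update-index --chmod=-x ci/pod/keycloak/server.key.pem`). Because this private key is now public in the repository, it can only ever serve as a throwaway test key. Generating the pair during CI setup instead would also avoid secret-scanner findings, though that is a larger change than this commit aims for.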
diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t
index b09c1d792..58a633113 100644
--- a/t/plugin/authz-keycloak.t
+++ b/t/plugin/authz-keycloak.t
@@ -31,7 +31,7 @@ __DATA__
local plugin = require("apisix.plugins.authz-keycloak")
local ok, err = plugin.check_schema({
client_id = "foo",
- token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token"
+ token_endpoint = "https://host.domain/realms/foo/protocol/openid-connect/token"
})
if not ok then
ngx.say(err)
@@ -54,7 +54,7 @@ done
local plugin = require("apisix.plugins.authz-keycloak")
local ok, err = plugin.check_schema({
client_id = "foo",
- discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration"
+ discovery = "https://host.domain/realms/foo/.well-known/uma2-configuration"
})
if not ok then
ngx.say(err)
@@ -78,8 +78,8 @@ done
local ok, err = plugin.check_schema({
client_id = "foo",
lazy_load_paths = true,
- token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
- resource_registration_endpoint = "https://host.domain/auth/realms/foo/authz/protection/resource_set"
+ token_endpoint = "https://host.domain/realms/foo/protocol/openid-connect/token",
+ resource_registration_endpoint = "https://host.domain/realms/foo/authz/protection/resource_set"
})
if not ok then
ngx.say(err)
@@ -103,7 +103,7 @@ done
local ok, err = plugin.check_schema({
client_id = "foo",
lazy_load_paths = true,
- discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration"
+ discovery = "https://host.domain/realms/foo/.well-known/uma2-configuration"
})
if not ok then
ngx.say(err)
@@ -125,9 +125,9 @@ done
content_by_lua_block {
local plugin = require("apisix.plugins.authz-keycloak")
local ok, err = plugin.check_schema({
- discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration",
- token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
- resource_registration_endpoint = "https://host.domain/auth/realms/foo/authz/protection/resource_set",
+ discovery = "https://host.domain/realms/foo/.well-known/uma2-configuration",
+ token_endpoint = "https://host.domain/realms/foo/protocol/openid-connect/token",
+ resource_registration_endpoint = "https://host.domain/realms/foo/authz/protection/resource_set",
client_id = "University",
client_secret = "secret",
grant_type = "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -187,7 +187,7 @@ done
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.authz-keycloak")
- local ok, err = plugin.check_schema({discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration"})
+ local ok, err = plugin.check_schema({discovery = "https://host.domain/realms/foo/.well-known/uma2-configuration"})
if not ok then
ngx.say(err)
end
@@ -210,7 +210,7 @@ done
local plugin = require("apisix.plugins.authz-keycloak")
local ok, err = plugin.check_schema({
client_id = "foo",
- token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
+ token_endpoint = "https://host.domain/realms/foo/protocol/openid-connect/token",
lazy_load_paths = true
})
if not ok then
@@ -238,7 +238,7 @@ done
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#delete"],
"client_id": "course_management",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -296,7 +296,7 @@ GET /t
--- response_body
false
--- error_log
-Error while sending authz request to https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token: 18
+Error while sending authz request to https://127.0.0.1:8443/realms/University/protocol/openid-connect/token: 18
--- error_code: 503
@@ -311,7 +311,7 @@ Error while sending authz request to https://127.0.0.1:8443/auth/realms/Universi
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#delete"],
"client_id": "course_management",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -382,7 +382,7 @@ Request denied: HTTP 401 Unauthorized. Body: {"error":"HTTP 401 Unauthorized"}
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "http://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "http://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
"client_id": "course_management",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
"policy_enforcement_mode": "ENFORCING",
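Review bot: The new `token_endpoint` here keeps the `http://` scheme on port 8443, whereas the other hunks in this file use `https://127.0.0.1:8443`; the next hunk (old line 447) has the same combination. If the mismatch is intentional, for instance because these cases are rejected before the endpoint is contacted, say so in the Lua part of the test block, e.g. `-- endpoint is never reached in this case; scheme is irrelevant`. Otherwise switch both to `https://`. The test block starts and ends outside the hunk, so the expected outcome is not visible here.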
@@ -447,7 +447,7 @@ GET /t
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "http://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "http://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
"client_id": "course_management",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
"policy_enforcement_mode": "ENFORCING",
@@ -515,7 +515,7 @@ Location: http://127.0.0.1/test
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#view"],
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
@@ -587,7 +587,7 @@ true
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#view"],
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
diff --git a/t/plugin/authz-keycloak2.t b/t/plugin/authz-keycloak2.t
index 65faded2e..09d5a8157 100644
--- a/t/plugin/authz-keycloak2.t
+++ b/t/plugin/authz-keycloak2.t
@@ -34,7 +34,7 @@ __DATA__
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#view"],
"client_id": "course_management",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -71,7 +71,7 @@ passed
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
@@ -96,6 +96,7 @@ passed
if res.status == 200 then
ngx.say(true)
else
+ ngx.say(res.status)
ngx.say(false)
end
else
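Review bot: The added `ngx.say(res.status)` reads like a leftover debugging aid. It appears in only one of the otherwise near-identical token-request blocks in this file, and it writes into the response body that the test presumably compares against. If the status is useful on failure, log it instead with `ngx.log(ngx.ERR, "unexpected status: ", res.status)`, or add the same line to the sibling blocks. The enclosing `content_by_lua_block` starts and ends outside the hunk.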
@@ -147,7 +148,7 @@ Invalid bearer token
[[{
"plugins": {
"authz-keycloak": {
- "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/uma2-configuration",
+ "discovery": "http://127.0.0.1:8080/realms/University/.well-known/uma2-configuration",
"permissions": ["course_resource#view"],
"client_id": "course_management",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -184,7 +185,7 @@ passed
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
@@ -260,7 +261,7 @@ Invalid bearer token
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#delete"],
"client_id": "course_management",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
@@ -297,7 +298,7 @@ passed
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=student@gmail.com&password=123456",
@@ -348,7 +349,7 @@ true
[[{
"plugins": {
"authz-keycloak": {
- "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/uma2-configuration",
+ "discovery": "http://127.0.0.1:8080/realms/University/.well-known/uma2-configuration",
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
"lazy_load_paths": true,
@@ -385,7 +386,7 @@ passed
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
@@ -431,7 +432,7 @@ true
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=student@gmail.com&password=123456",
@@ -477,7 +478,7 @@ true
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
@@ -523,7 +524,7 @@ true
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=student@gmail.com&password=123456",
@@ -571,7 +572,7 @@ true
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
@@ -617,7 +618,7 @@ true
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=student@gmail.com&password=123456",
diff --git a/t/plugin/authz-keycloak3.t b/t/plugin/authz-keycloak3.t
index 2671e9039..619417bc3 100644
--- a/t/plugin/authz-keycloak3.t
+++ b/t/plugin/authz-keycloak3.t
@@ -42,7 +42,7 @@ __DATA__
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token",
"access_denied_redirect_uri": "http://127.0.0.1/test",
"permissions": ["course_resource#delete"],
"client_id": "course_management",
@@ -78,7 +78,7 @@ passed
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=student@gmail.com&password=123456",
@@ -127,7 +127,7 @@ apisix:
[[{
"plugins": {
"authz-keycloak": {
- "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+ "token_endpoint": "https://127.0.0.1:8443/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#view"],
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index 6f6f7aa0d..515319248 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -171,7 +171,7 @@ true
[[{
"plugins": {
"openid-connect": {
- "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+ "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
"realm": "University",
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
@@ -179,7 +179,7 @@ true
"ssl_verify": false,
"timeout": 10,
"introspection_endpoint_auth_method": "client_secret_post",
- "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
+ "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect",
"set_access_token_header": true,
"access_token_in_authorization_header": false,
"set_id_token_header": true,
@@ -276,7 +276,7 @@ x-userinfo: ey.*
[[{
"plugins": {
"openid-connect": {
- "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+ "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
"realm": "University",
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
@@ -284,7 +284,7 @@ x-userinfo: ey.*
"ssl_verify": false,
"timeout": 10,
"introspection_endpoint_auth_method": "client_secret_post",
- "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
+ "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect",
"set_access_token_header": true,
"access_token_in_authorization_header": true,
"set_id_token_header": false,
@@ -731,14 +731,14 @@ jwt signature verification failed
"openid-connect": {
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
- "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+ "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
"redirect_uri": "http://localhost:3000",
"ssl_verify": false,
"timeout": 10,
"bearer_only": true,
"realm": "University",
"introspection_endpoint_auth_method": "client_secret_post",
- "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect"
+ "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect"
}
},
"upstream": {
@@ -770,7 +770,7 @@ passed
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
@@ -892,7 +892,7 @@ OIDC introspection failed: invalid token
"openid-connect": {
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
- "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+ "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
"redirect_uri": "http://localhost:3000",
"ssl_verify": false,
"timeout": 10,
@@ -900,7 +900,7 @@ OIDC introspection failed: invalid token
"use_jwks": true,
"realm": "University",
"introspection_endpoint_auth_method": "client_secret_post",
- "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect"
+ "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect"
}
},
"upstream": {
@@ -932,7 +932,7 @@ passed
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
@@ -1023,7 +1023,7 @@ OIDC introspection failed: invalid jwt: invalid jwt string
[[{
"plugins": {
"openid-connect": {
- "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+ "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
"realm": "University",
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
@@ -1031,7 +1031,7 @@ OIDC introspection failed: invalid jwt: invalid jwt string
"ssl_verify": false,
"timeout": 10,
"introspection_endpoint_auth_method": "client_secret_post",
- "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
+ "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect",
"set_access_token_header": true,
"access_token_in_authorization_header": false,
"set_id_token_header": true,
@@ -1102,7 +1102,7 @@ passed
-- Request the location, it's a URL of keycloak and contains the post_logout_redirect_uri
-- Like:
- -- http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/logout?post_logout_redirect=http://127.0.0.1:1984/hello
+ -- http://127.0.0.1:8080/realms/University/protocol/openid-connect/logout?post_logout_redirect=http://127.0.0.1:1984/hello
local location = res.headers["Location"]
res, err = httpc:request_uri(location, {
method = "GET"
@@ -1207,7 +1207,7 @@ true
"openid-connect": {
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
- "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+ "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
"realm": "University",
"bearer_only": true,
"access_token_in_authorization_header": true,
@@ -1217,7 +1217,7 @@ true
"ssl_verify": false,
"timeout": 10,
"introspection_endpoint_auth_method": "client_secret_post",
- "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect"
+ "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect"
}
},
"upstream": {
@@ -1249,7 +1249,7 @@ passed
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
- local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",