Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/08 03:26:39 UTC

[GitHub] [apisix] seanleblanc opened a new issue #6260: request help: JWT Auth

seanleblanc opened a new issue #6260:
URL: https://github.com/apache/apisix/issues/6260


   ### Issue description
   
   I'm trying to get JWT authentication/authorization to work for requests coming into a route. It seems the correct plugin for this is openid-auth? 
   
   A few questions - it seems client_id/client_secret are required for this. If we only intend to look at the bearer token on the authorization header, how are these used?
   
   Are there good ways to troubleshoot this? The route works, but when we configure the plugin and then enable it, it fails with a 401 for caller, and the apisix pod log shows openid-connect.lua:268: phase_func(): OIDC introspection failed: response indicates failure, status=401....
   
   
   ### Environment
   
   - apisix version (cmd: `apisix version`): 2.12.0
   - OS (cmd: `uname -a`): Linux
   - OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`): openresty/1.19.9.1
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] seanleblanc commented on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
seanleblanc commented on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1033063150


   > > it fails with a 401 for caller, and the apisix pod log shows openid-connect.lua:268: phase_func(): OIDC introspection failed: response indicates failure, status=401
   > 
   > It seems APISIX requested to the `introspection_endpoint` but got 401 from the `introspection_endpoint`.
   > 
   > Can you check the log of the introspection_endpoint?
   
   Thanks. I had not even defined one. After I added one, it is giving me a 405 now - no resource method found for POST. We are using Keycloak, I've tried setting https://{keycloakhost}/auth/realms/{realm}/.well-known/openid-configuration as well as the /certs path, and neither works. 
   
   Is there an example config with Keycloak that would work for this? Is it trying to authenticate to Keycloak at some point? As mentioned above, I am trying to get equivalent functionality to what Istio's RequestAuthentication and AuthorizationPolicy objects do - they use similar endpoints to retrieve cert(s) to validate JWT. Am I using the right plugin for this?
   



[GitHub] [apisix] seanleblanc commented on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
seanleblanc commented on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1033059506


   > we have JWT plugin, see https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/jwt-auth.md
   > 
   > Please describe the scenario in detail; I can't work out what you need.
   
   I'm trying to get apisix to do authz on a route. I want it to look at the Authentication header to inspect the JWT token and check that it has the proper scope(s) on it, and then either pass on the request - or reject it. Much like what Istio does with AuthenticationPolicy and AuthorizationPolicy objects.
   
   In the first case, I'm trying to get it to do this with Keycloak, if that helps at all. Though we will likely swap out Keycloak for other token providers, depending on the environment/project we are on.
   



[GitHub] [apisix] starsz commented on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1035707770


   > Sure, this is our most recent config, which kind of works. I see that adding the public key works, but without that, it seems to try to do something like POSTing to introspection_endpoint? It seems the scope value is not used to inspect the scope(s) in the token, but instead is used somehow with these endpoints? So basically any valid token gets through.
   > 
   > { "access_token_in_authorization_header": true, "bearer_only": true, "client_id": "unconfigured", "client_secret": "unconfigured", "disable": false, "discovery": "https://KEYCLOAKHOST/auth/realms/REALM/.well-known/openid-configuration", "public_key": "-----BEGIN PUBLIC KEY-----....KEY\n-----END PUBLIC KEY-----" }
   > 
   > The samples you are showing seem to be from authz-keycloak? We are using keycloak for testing, but are likely to be using something else in other envs/projects. Will authz-keycloak interop only with Keycloak, or can it be used with any JWT token provider, assuming it has endpoints for certs? Also, in that sample up above for authz-keycloak, it has a client_id value, how is that used? Is it expecting the jwt token to have that client_id as a value, or is it somehow using that to authenticate to Keycloak for some reason?
   
   Hi @seanleblanc, can you give the master version a try? We added support for using jwks in this PR: https://github.com/apache/apisix/commit/fec47142eb1e98f387686a2f172920a9fd5cbb90



[GitHub] [apisix] tzssangglass commented on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1032357315


   we have JWT plugin, see https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/jwt-auth.md
   
   Please describe the scenario in detail; I can't work out what you need.
   



[GitHub] [apisix] seanleblanc edited a comment on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
seanleblanc edited a comment on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1033063150


   > > it fails with a 401 for caller, and the apisix pod log shows openid-connect.lua:268: phase_func(): OIDC introspection failed: response indicates failure, status=401
   > 
   > It seems APISIX requested to the `introspection_endpoint` but got 401 from the `introspection_endpoint`.
   > 
   > Can you check the log of the introspection_endpoint?
   
   Thanks. I had not even defined one. After I added one, it is giving me a 405 now - no resource method found for POST. We are using Keycloak, I've tried setting https://{keycloakhost}/auth/realms/{realm}/.well-known/openid-configuration as well as the /certs path, and neither works. 
   
   Is there an example config with Keycloak that would work for this? Is it trying to authenticate to Keycloak at some point? As mentioned above, I am trying to get equivalent functionality to what Istio's RequestAuthentication and AuthorizationPolicy objects do - they use similar endpoints to retrieve cert(s) to validate JWT (and I have this working with Istio, so I know the Keycloak/JWTs it emits should work). Am I using the right plugin for this?
   



[GitHub] [apisix] starsz commented on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1032629677


   > it fails with a 401 for caller, and the apisix pod log shows openid-connect.lua:268: phase_func(): OIDC introspection failed: response indicates failure, status=401
   
   It seems APISIX requested to the `introspection_endpoint` but got 401 from the `introspection_endpoint`.
   
   Can you check the log of the introspection_endpoint?
   
   



[GitHub] [apisix] seanleblanc edited a comment on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
seanleblanc edited a comment on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1033059506


   > we have JWT plugin, see https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/jwt-auth.md
   > 
   > Please describe the scenario in detail; I can't work out what you need.
   
   I'm trying to get apisix to do authz on a route. I want it to look at the Authentication header to inspect the JWT token and check that it has the proper scope(s) on it, and then either pass on the request - or reject it. Much like what Istio does with RequestAuthentication and AuthorizationPolicy objects.
   
   In the first case, I'm trying to get it to do this with Keycloak, if that helps at all. Though we will likely swap out Keycloak for other token providers, depending on the environment/project we are on.
   



[GitHub] [apisix] tzssangglass commented on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1033303471


   > After I added one, it is giving me a 405 now
   
   Can you show your configuration?
   
   > Is there an example config with Keycloak that would work for this
   
   PTAL https://github.com/apache/apisix/blob/ec0fc2ceaf04a20b0bd0ebdaad67296a1d3f621c/t/plugin/authz-keycloak2.t#L168-L305



[GitHub] [apisix] seanleblanc commented on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
seanleblanc commented on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1034182182


   Sure, this is our most recent config, which kind of works. I see that adding the public key works, but without that, it seems to try to do something like POSTing to introspection_endpoint? It seems the scope value is not used to inspect the scope(s) in the token, but instead is used somehow with these endpoints? So basically any valid token gets through.
   
   {
     "access_token_in_authorization_header": true,
     "bearer_only": true,
     "client_id": "unconfigured",
     "client_secret": "unconfigured",
     "disable": false,
     "discovery": "https://KEYCLOAKHOST/auth/realms/REALM/.well-known/openid-configuration",
     "public_key": "-----BEGIN PUBLIC KEY-----\....KEY\n-----END PUBLIC KEY-----"
   }
   
   
   The samples you are showing seem to be from authz-keycloak? We are using keycloak for testing, but are likely to be using something else in other envs/projects. Will authz-keycloak interop only with Keycloak, or can it be used with any JWT token provider, assuming it has endpoints for certs? Also, in that sample up above for authz-keycloak, it has a client_id value, how is that used? Is it expecting the jwt token to have that client_id as a value, or is it somehow using that to authenticate to Keycloak for some reason?
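The gap described in the comment above, that with only `public_key` configured any validly signed token is let through and the scope value is never checked against the token, is exactly what a gateway-side verifier has to close. The following is an added example, not APISIX code and not from anyone in this thread: a self-contained Go program modelling the check the reporter wants the route to perform. It rebuilds an RSA public key from a JWKS document of the shape served at the Keycloak /certs endpoint (the jwks support mentioned later in the thread), verifies the RS256 signature, rejects any other `alg`, enforces `exp`, and only then requires every configured scope to appear in the space-separated `scope` claim. The key pair, the kid `kid-1`, the `newDemoIssuer` helper standing in for the identity provider, and the scope values are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of an RFC 7517 RSA entry needed for RS256 (kid, n, e).
type jwk struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type jwks struct{ Keys []jwk `json:"keys"` } // the {"keys": [...]} document served at jwks_uri (/certs)

var b64 = base64.RawURLEncoding

// publicKey selects the entry whose kid matches and rebuilds the RSA key from n and e.
func (s jwks) publicKey(kid string) (*rsa.PublicKey, error) {
	for _, k := range s.Keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q", kid)
}

// newDemoIssuer (constructed for this example) generates a key pair and the JWKS an issuer would publish for it.
func newDemoIssuer(kid string) (*rsa.PrivateKey, jwks) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	e := b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return priv, jwks{Keys: []jwk{{Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: e}}}
}

// signJWT mints an RS256 token on the issuer's behalf.
func signJWT(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	cb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyJWT is the gateway-side check: pin the algorithm, select the key by kid, verify the
// signature, then enforce exp and every required scope. A well-signed token without the scope is rejected.
func verifyJWT(token string, set jwks, required []string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var claims map[string]interface{}
	hb, errH := b64.DecodeString(parts[0])
	cb, errC := b64.DecodeString(parts[1])
	if errH != nil || errC != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, fmt.Errorf("undecodable header or claims")
	}
	if hdr.Alg != "RS256" { // the token never gets to choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := set.publicKey(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, errS := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if errS != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	// Only now, with the signature verified, are the claims acted on.
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or missing exp")
	}
	scope, _ := claims["scope"].(string) // space-separated list (RFC 6749 section 3.3)
	for _, want := range required {
		if !strings.Contains(" "+scope+" ", " "+want+" ") {
			return nil, fmt.Errorf("missing required scope %q", want)
		}
	}
	return claims, nil
}

func main() {
	priv, set := newDemoIssuer("kid-1")
	tok, _ := signJWT(priv, "kid-1", map[string]interface{}{"scope": "read", "exp": time.Now().Add(time.Hour).Unix()})
	_, err := verifyJWT(tok, set, []string{"write"}, time.Now())
	fmt.Println("read-only token on a route requiring write:", err)
}
```

Running it shows a correctly signed read-only token being refused on a route that requires `write`; the same verifier accepts it when the route requires only `read`. In a real deployment the JWKS would be fetched from the issuer's `jwks_uri` (Keycloak's /certs URL) and cached, rather than built in-process, and the `kid` in the token header is what selects the key when the issuer rotates keys.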



[GitHub] [apisix] seanleblanc edited a comment on issue #6260: request help: JWT Auth

Posted by GitBox <gi...@apache.org>.
seanleblanc edited a comment on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1033063150


   > > it fails with a 401 for caller, and the apisix pod log shows openid-connect.lua:268: phase_func(): OIDC introspection failed: response indicates failure, status=401
   > 
   > It seems APISIX requested to the `introspection_endpoint` but got 401 from the `introspection_endpoint`.
   > 
   > Can you check the log of the introspection_endpoint?
   
   Thanks. I had not even defined one. After I added one, it is giving me a 405 now - no resource method found for POST. We are using Keycloak, I've tried setting https://{keycloakhost}/auth/realms/{realm}/.well-known/openid-configuration as well as the /certs path (https://{keycloakhost}/auth/realms/{realm}/protocol/openid-connect/certs), and neither works. 
   
   Is there an example config with Keycloak that would work for this? Is it trying to authenticate to Keycloak at some point? As mentioned above, I am trying to get equivalent functionality to what Istio's RequestAuthentication and AuthorizationPolicy objects do - they use similar endpoints to retrieve cert(s) to validate JWT (and I have this working with Istio, so I know the Keycloak/JWTs it emits should work). Am I using the right plugin for this?
   

