Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/04/07 01:06:35 UTC

[GitHub] [apisix] liuxiran opened a new issue, #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

liuxiran opened a new issue, #2426:
URL: https://github.com/apache/apisix/issues/2426

   Please answer these questions before submitting your issue.
   
   - Why do you submit this issue?
   - [ ] Question or discussion
   - [x] Bug
   - [ ] Requirements
   - [ ] Feature or performance improvement
   - [ ] Other
   
   ### Bug
   - Which version of Apache APISIX Dashboard, OS, and Browser?
   
   1. create a route, enable openid-connect plugin, configs:
   ```json
   {
   	"name": "api2",
   	"route_group_id": "de45ec14-317f-4177-8a22-10ab95bd45f7",
   	"route_group_name": "group1",
   	"status": true,
   	"desc": "",
   	"protocols": ["http"],
   	"paths": ["/get1"],
   	"methods": ["GET"],
   	"upstream_protocol": "https",
   	"type": "roundrobin",
   	"plugins": {
   		"openid-connect": {
   			"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
   			"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
   			"discovery": "https://samples.auth0.com/.well-known/openid-configuration"
   		}
   	},
   	"script": {},
   	"uris": ["/get1"],
   	"vars": [],
   	"upstream": {
   		"type": "roundrobin",
   		"nodes": {
   			"httpbin.org:443": 1
   		},
   		"timeout": {
   			"connect": 6000,
   			"send": 6000,
   			"read": 6000
   		}
   	},
   	"upstream_header": {},
   	"upstream_path": {
   		"to": "/get"
   	}
   }
   ```
   
   2. visit this route via Chrome, got a 500 error
   
   ![2020-10-10 14-52-43屏幕截图](https://user-images.githubusercontent.com/2561857/95648250-53e39600-0b08-11eb-806f-4e74a05b7532.png)
   
   
   3. got the error log in apisix error.log:
   ```shell
   2020/10/10 06:47:45 [error] 26#26: *6045490 [lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found, client: 192.168.1.145, server: , request: "GET /get HTTP/1.1", host: "192.168.1.145:9
   2020/10/10 06:47:45 [error] 26#26: *6045490 [lua] openid-connect.lua:163: phase_func(): failed to authenticate in openidc: request to the redirect_uri path but there's no session state found, client: 192.168.1.145, server: , request: "GET
   2020/10/10 06:47:45 [error] 25#25: *6045493 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/plugins/echo.lua:96: attempt to index local 'conf' (a userdata value)
   stack traceback:
   coroutine 0:
           /usr/local/apisix/apisix/plugins/echo.lua: in function 'phase_fun'
           [string "route#41ee9eef-564e-4208-86e6-fc6834bd7178"]:17: in function 'phase_func'
           /usr/local/apisix/apisix/script.lua:52: in function 'run'
           /usr/local/apisix/apisix/init.lua:508: in function 'http_access_phase'
           access_by_lua(nginx.conf:173):2: in main chunk, client: 192.168.1.145, server: , request: "GET /favicon.ico HTTP/1.1", host: "192.168.1.145:9080", referrer: "http://192.168.1.145:9080/get"
   ```
   **`redirect_uri` should be a required param in openid-connect plugin**


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1092684511

   > > ```shell
   > > 2020/10/10 06:47:45 [error] 26#26: *6045490 [lua] openid-connect.lua:163: phase_func(): failed to authenticate in openidc: request to the redirect_uri path but there's no session state found, client: 192.168.1.145, server: , request: "GET
   > > ```
   > 
   > We got this error; I think it is fine, because you did not set a correct `redirect_uri`.
   > 
   > when missing `redirect_uri`, it'll use `ctx.var.request_uri` as default value: http://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_uri .
   > 
   > > ```shell
   > > 2020/10/10 06:47:45 [error] 25#25: *6045493 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/plugins/echo.lua:96: attempt to index local 'conf' (a userdata value)
   > > stack traceback:
   > > coroutine 0:
   > >         /usr/local/apisix/apisix/plugins/echo.lua: in function 'phase_fun'
   > >         [string "route#41ee9eef-564e-4208-86e6-fc6834bd7178"]:17: in function 'phase_func'
   > >         /usr/local/apisix/apisix/script.lua:52: in function 'run'
   > >         /usr/local/apisix/apisix/init.lua:508: in function 'http_access_phase'
   > > ```
   > 
   > @liuxiran that is another error message of plugin `echo`, but I do not find you enabled this plugin. So I think this error message is not related to this issue.
   
   Hi, @Xarxavier I think your problem is the same as [membphis](https://github.com/membphis).
   You can read the issue, and I think you will get the answer.




[GitHub] [apisix] spacewander commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1095834759

   > > > > Should `redirect_uri` be configured as a plugin configuration instead of plugin attributes? Different OIDC clients may need different redirect uri.
   > > > 
   > > > 
   > > > I think the config as plugin attributes can cover the config as plugin config. So we can set a default `redirect_uri`.
   > > 
   > > 
   > > Is it a good idea to have the same `redirect_uri` for different clients? AFAIK, the redirect_uri is used to get token (which requires different client credentials) so we can't use the same path for different clients.
   > 
   > Hi @spacewander I don't think having the same `redirect_uri` for multiple OIDC providers would be an issue. I assume so based on the [sequence diagram above](https://github.com/apache/apisix/issues/2426#issuecomment-1091021687), where it seems that APISIX must do two things if `redirect_uri` is called:
   > 
   > 1. Exchange the auth code for an access token. Here, APISIX should be able to determine which OIDC provider to query from the session state.
   > 2. Redirect the user back to the initial requested URI. Same here, this URI should be retrievable from session state too.
   
   The `redirect_uri` needs to exchange the auth code for an access token. So, different clients may have different ways to exchange it. If a new exchange way can't put all its configuration in the session state, for example, needs extra configuration in the APISIX, we will be in trouble.




[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1090983380

   > @starsz I have reopened this issue right now.
   > 
   > Do you have time to check this bug?
   
   Sure. Let me have a check.




[GitHub] [apisix] spacewander commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1207397477

   I read the code again; it seems we have provided a default value:
   https://github.com/apache/apisix/blob/a01c0e8fa8e42018d3212b0f943cb5dce37738d9/apisix/plugins/openid-connect.lua#L265-L268
   
   Is there any problem with the default value?




[GitHub] [apisix] david-woelfle commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
david-woelfle commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1094648940

   > > > Should `redirect_uri` be configured as a plugin configuration instead of plugin attributes? Different OIDC clients may need different redirect uri.
   > > 
   > > 
   > > I think the config as plugin attributes can cover the config as plugin config. So we can set a default `redirect_uri`.
   > 
   > Is it a good idea to have the same `redirect_uri` for different clients? AFAIK, the redirect_uri is used to get token (which requires different client credentials) so we can't use the same path for different clients.
   
   Hi @spacewander I don't think having the same `redirect_uri` for multiple OIDC providers would be an issue. I assume so based on the [sequence diagram above](https://github.com/apache/apisix/issues/2426#issuecomment-1091021687), where it seems that APISIX must do two things if `redirect_uri` is called:
   1. Exchange the auth code for an access token. Here, APISIX should be able to determine which OIDC provider to query from the session state.
   2. Redirect the user back to the initial requested URI. Same here, this URI should be retrievable from session state too.




[GitHub] [apisix] liweitianux commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
liweitianux commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1206107085

   @starsz , thank you for the detailed analysis and nice diagram on the OIDC flow.
   
   > Why should the admin of an APISIX gateway decide about the `redirect_uri` at all?
   >
   >> Yes, the best way is that the admin doesn't need to care about the redirect_uri. It's a point that can be improved.
   >
   > Couldn't APISIX provide some generic auth callback endpoint that is automatically send to the auth server?
   >
   >> Apache APISIX is a gateway, we don't want to expose a fixed URL in the gateway since it will influence other APIs. So we should do more research to provide the best solution.
   
   The [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/) recommends that the `redirect_uri` should be explicitly specified and thus **exactly matched** by IDP, in order to prevent `redirect_uri` attacks [0].  So the user/admin should generally know the `redirect_uri` to use.
   
   However, the above requirement would make the setup tedious and may be error-prone when there are many APIs to configure.  And for some internal or on-premise IDP deployments, one may allow wildcard `redirect_uri` (also as illustrated in the tutorial [1]).  Actually, I was confused and didn't know how to set up the `redirect_uri` after reading this tutorial.
   
   So I'd say it would be great if APISIX could auto-set an internal URI for the `redirect_uri` if not specified, although it's not recommended by the best current practice.
   
   According to the discussion above, I'd suggest the following one: assume the current API/route is `/api/*`, then the auto-generated `redirect_uri` could be `/api/.apisix/redirect`.  Just my idea...
   
   Well, maybe it's better to just update the code and doc to mandate the `redirect_uri` parameter...
   
   [0] [What is the real purpose of Redirect_Uri in OpenIdConnect?](https://stackoverflow.com/a/55375906)
   [1] [How to integrate Keycloak for authentication in Apache APISIX](https://www.apiseven.com/blog/integrate-keycloak-auth-in-apisix)




[GitHub] [apisix] kayx23 commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1726802720

   @Radu-Iuonac if your scenario is not related to the `no session state found` error that leads to 500 (it seems to be the case from your description), could you see if your issue could be resolved with this new doc (that was recently verified to be working as intended)? https://docs.api7.ai/apisix/how-to-guide/authentication/set-up-sso-with-auth0#authenticate-with-client-credentials
   
   Let us know if you have any feedback.




[GitHub] [apisix] canob commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "canob (via GitHub)" <gi...@apache.org>.
canob commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1565205767

   > Hi @starsz I changed the redirect_uri callback to "pathtoprotect"/callback and sometimes it just redirects to the Auth Server and other times it keeps throwing a 500 error (state not found). I can't figure out why, any thoughts?
   
   Hi @Xarxavier,
   
   Did you find a solution for this?
   I'm experiencing a behavior similar to the one you commented on: when I'm not authenticated, I get the authentication page, do a succeeded authentication, but after that, I get a 500 error.
   
   The URL is this one:
   http://keycloakurl/realms/myreal/protocol/openid-connect/auth?state=e00f033714f2087c5b902610990cf342&redirect_uri=http%3A%2F%2Fapisixurl%3A9080%2Fadd_note%2Fcallback&client_id=grafana-oauth&scope=openid%20email%20profile%20offline_access%20roles&nonce=119423136878333950d28060c3c51b05&response_type=code
   
   The strange thing is that if I remove the "callback" word of that URL, from the redirect_uri part, I get the response of the upstream API, authenticated:
   http://keycloakurl/realms/myreal/protocol/openid-connect/auth?state=e00f033714f2087c5b902610990cf342&redirect_uri=http%3A%2F%2Fapisixurl%3A9080%2Fadd_note&client_id=grafana-oauth&scope=openid%20email%20profile%20offline_access%20roles&nonce=119423136878333950d28060c3c51b05&response_type=code
   
   In my case, I'm trying to access "http://apisixurl:9080/add_note", and as I saw in the documentation, I added a redirect_uri param with the value "http://apisixurl:9080/add_note/callback". My route is "/add_note*".
   
   As somebody mentioned before, I cannot set the same access url and redirect url, because that is not working for this plugin.
   
   Is there any piece of advice that you can give me to solve this? 




[GitHub] [apisix] spacewander commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1094262283

   Should `redirect_uri` be configured as a plugin configuration instead of plugin attributes? Different OIDC clients may need different redirect uri.




[GitHub] [apisix] jaysonsantos commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
jaysonsantos commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1212988261

   For those still struggling with that: by default resty.session will try to use `aes` as the encryption algorithm for the cookie that holds the session, but without setting `session_secret`, `session.start` will fail with the reason `EVP_DecryptFinal_ex`. To avoid that you have to set it to a 32-byte random value.
   If using the helm chart to spin up apisix, this should do the trick
   ```yaml
   configurationSnippet:
     httpSrv: |
       set $session_secret 8044c47e83b5ac9bb7c868eb8b202e93;
   ```
   
   to generate that secret:
   
   ```shell
   # options go before the byte count; prints 16 random bytes as 32 hex chars
   openssl rand -hex 16
   ```




[GitHub] [apisix] yzhaowei commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
yzhaowei commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1102629597

   @starsz Thanks for your quick response! It works!
   
   Here is my setting:
   
   - IdP callback URL: `http://localhost:9080/image/redirect`
   
   - APISIX Admin API setting for route uri: `"uri": "/image/*"`
   
   - APISIX Admin API setting for plugin `openid-connect`: `"redirect_uri": "http://localhost:9080/image/redirect"`
   
   
   
   




[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1094456532

   > Should `redirect_uri` be configured as a plugin configuration instead of plugin attributes? Different OIDC clients may need different redirect uri.
   
   I think the config as plugin attributes can cover the config as plugin config. So we can set a default `redirect_uri`.




[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1091021687

   > The reason could be that the openid-connect plugin probably checks if the user requested URI is identical to redirect_uri and if that is the case assumes that user has already been redirected back from the Auth server and should already have a valid session cookie. The plugin hence expects a session cookie and then fails with the error above if it finds no session state. @membphis or @moonming could you maybe confirm that this is what the plugin does?
   
   Hi @david-woelfle. Yes, that's true.
   Now, Apache APISIX uses "lua-resty-openidc" to deal with the openid-connect logic.
   You can refer to the code here:
   
   https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L1472-L1481
   
   > Assume you try to protect an upstream API with OpenID, say https://httpbin.org/image/png
   > The exposed route for the upstream could be https://example.com/image/png
   > If users without a session yet try to access https://example.com/image/png they should be redirected to the Auth server to redeem a session. (This redirect currently fails).
   > After the authentication passed the users should be redirected back to the original target URI (https://example.com/image/png) because that is the resource they initially tried to access. (Please note that this is what the openid-connect plugin actually tries to do by default as redirect_uri has a default value of "ngx.var.request_uri", which is IMHO the right thing to do and absolutely correct. The docs are correct too, just the implementation in the plugin seems to have a bug ;) )
   
   Here, I think you may misunderstand the usage of `redirect_uri`.
   In fact: 
   * Assume you try to protect an upstream API with OpenID, say https://httpbin.org/image/png
   * The exposed route for the upstream could be https://example.com/image/png
   * If users without a session yet try to access https://example.com/image/png they should be redirected to the Auth server to redeem a session **and Apache APISIX will store the target_url (default is request URI) in session.** You can refer to: https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L366-L371
   * After the authentication passed, the Auth server will redirect to the `redirect_uri` (which is config in Apache APISIX), and Apache APISIX will get the code and state from the redirection. You can refer: https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L1092-L1204
   * And Apache APISIX will use the `code` and `state` to get the access_token, and use access_token to get the user info.
   * After this, Apache APISIX will then redirect to the target URI (which is stored in the session, i.e. https://example.com/image/png). You can refer to: https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L1205
   
   So the flow should be like this:
   
   ![image](https://user-images.githubusercontent.com/25628854/162109355-400d9e92-34e9-4151-b00f-d8cb5a90b99a.png)
   
   In conclusion, it's a bug. But I think it's a little bit hard to fix.
   
   > Refer to the following link; I solved my problem.
   > https://stackoverflow.com/questions/49338403/openidc-with-keycloak-error-uthenticate-request-to-the-redirect-uri-path-but
   > Your redirect URI must not be set to "/" but to some arbitrary path that is not supposed to return content (like /redirect_uri). It is a "vanity" URL that is handled by lua-resty-openidc
   
   It's a quick way to fix it.
   


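The flow starsz lays out above, together with liweitianux's derived-callback proposal earlier in the thread, as an added Python model (not the plugin's Lua or lua-resty-openidc's code; `Gateway`, `Session`, `idp_callback`, `run_flow` and the IdP URL are constructed for this sketch). It shows why defaulting `redirect_uri` to the request URI sends every first visit into the callback branch and fails with the "no session state found" error, and why a dedicated callback path that the IdP exact-matches completes the flow:

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

IDP_AUTH = "https://idp.example/auth"  # constructed IdP authorization endpoint


@dataclass
class Session:
    """Cookie-backed session; all fields at their defaults is 'no session state'."""
    state: Optional[str] = None
    original_url: Optional[str] = None
    authenticated: bool = False


class GatewayError(Exception):
    """Stands in for the 500 the plugin returns when authenticate() fails."""


class Gateway:
    """Sketch of the plugin's access-phase decision (hypothetical, not its Lua)."""

    def __init__(self, redirect_uri: Optional[str] = None) -> None:
        # None reproduces the default discussed in the thread: the request URI.
        self.redirect_uri = redirect_uri

    def handle(self, request_url: str, session: Session) -> Tuple[str, str]:
        """One request through the plugin: ('redirect', url) or ('proxy', url)."""
        parsed = urlparse(request_url)
        redirect_uri = self.redirect_uri or request_url
        if urlparse(redirect_uri).path == parsed.path:
            # Callback branch: legitimately reached only when the IdP sends the
            # browser back, so session state must already exist. With the
            # default redirect_uri every *first* visit lands here instead.
            if session.state is None:
                raise GatewayError(
                    "request to the redirect_uri path but there's no session state found")
            q = parse_qs(parsed.query)
            if "code" not in q or q.get("state", [None])[0] != session.state:
                raise GatewayError("state mismatch or missing code")
            # The code-for-token exchange would happen here (not modelled).
            session.authenticated, session.state = True, None
            return ("redirect", session.original_url or "/")
        if session.authenticated:
            return ("proxy", request_url)
        # No session yet: remember the target URL, then send the browser to the IdP.
        session.state = secrets.token_hex(16)
        session.original_url = request_url
        params = {"response_type": "code", "redirect_uri": redirect_uri,
                  "state": session.state}
        return ("redirect", IDP_AUTH + "?" + urlencode(params))


def idp_callback(auth_url: str, registered: Set[str]) -> str:
    """Constructed IdP: exact-match redirect_uri against the registered set (as
    the OAuth security BCP asks), then send the browser back with code + state."""
    q = parse_qs(urlparse(auth_url).query)
    redirect_uri = q["redirect_uri"][0]
    if redirect_uri not in registered:
        raise GatewayError("idp: redirect_uri not registered: " + redirect_uri)
    return redirect_uri + "?" + urlencode({"code": "c0de", "state": q["state"][0]})


def run_flow(target: str, redirect_uri: Optional[str], registered: Set[str]) -> List[str]:
    """Drive one browser through the flow; returns the step trace, where a
    failing step is recorded as '500: <reason>' and ends the trace."""
    gw, session, trace = Gateway(redirect_uri), Session(), []
    try:
        kind, url = gw.handle(target, session)       # 1. first visit to the API
        trace.append(kind)
        if kind == "redirect":
            back = idp_callback(url, registered)     # 2. IdP -> redirect_uri
            kind, url = gw.handle(back, session)     # 3. code + state come back
            trace.append(kind)
            kind, url = gw.handle(url, session)      # 4. back to the target URL
            trace.append(kind)
    except GatewayError as exc:
        trace.append("500: " + str(exc))
    return trace


def derive_callback(route_uri: str) -> str:
    """liweitianux's proposal from this thread: a gateway-owned callback under
    the matched route prefix, e.g. '/api/*' -> '/api/.apisix/redirect'."""
    return route_uri.rstrip("*").rstrip("/") + "/.apisix/redirect"


if __name__ == "__main__":
    api = "https://example.com/image/png"
    callback = "https://example.com" + derive_callback("/image/*")
    print("default redirect_uri:", run_flow(api, None, {api}))
    print("dedicated callback:  ", run_flow(api, callback, {callback}))
```

Setting `redirect_uri` explicitly to the protected URL itself fails the same way as the default, which is what canob observed; only a path that serves no content of its own works as the callback.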


[GitHub] [apisix] spacewander commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1214369488

   > > @liweitianux I see. Would you like to submit a PR for that? Thanks!
   > 
   > Yes, I could make a PR, but maybe a bit late due to various works at hand.
   > 
   > By the way, I'm still a newbie to APISIX, so how should I obtain the current route's `uri` config in the plugin? It's needed to derive the `redirect_uri`.
   > 
   > In addition, I still need to consider how to handle the `redirect_uri` for the Service/Consumer/Global cases.
   
   Sorry for missing this!
   You can use `ctx.curr_req_matched._path` to get the matched part of the uri.




[GitHub] [apisix] Xarxavier commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "Xarxavier (via GitHub)" <gi...@apache.org>.
Xarxavier commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1567239545

   > > Hi @starsz I changed the redirect_uri callback to "pathtoprotect"/callback and sometimes it just redirects to the Auth Server and other times it keeps throwing a 500 error (state not found). I can't figure out why, any thoughts?
   > 
   > Hi @Xarxavier,
   > 
   > Did you find a solution for this? I'm experiencing a behavior similar to the one you commented on: when I'm not authenticated, I get the authentication page, do a succeeded authentication, but after that, I get a 500 error, on the redirect.
   > 
   > The URL is this one: http://keycloakurl/realms/myreal/protocol/openid-connect/auth?state=e00f033714f2087c5b902610990cf342&redirect_uri=http%3A%2F%2Fapisixurl%3A9080%2Fadd_note%2Fcallback&client_id=grafana-oauth&scope=openid%20email%20profile%20offline_access%20roles&nonce=119423136878333950d28060c3c51b05&response_type=code
   > 
   > The strange thing is that if I remove the "callback" word of that URL, from the redirect_uri part, I get the response of the upstream API, authenticated: http://keycloakurl/realms/myreal/protocol/openid-connect/auth?state=e00f033714f2087c5b902610990cf342&redirect_uri=http%3A%2F%2Fapisixurl%3A9080%2Fadd_note&client_id=grafana-oauth&scope=openid%20email%20profile%20offline_access%20roles&nonce=119423136878333950d28060c3c51b05&response_type=code
   > 
   > In my case, I'm trying to access "http://apisixurl:9080/add_note", and as I saw in the documentation, I added a redirect_uri param with the value "http://apisixurl:9080/add_note/callback". My route is "/add_note*".
   > 
   > This was working right, but using Chromium with --disable-web-security to disable CORS of the Web Browser for Keycloak, and I put an Nginx Reverse Proxy in front of Keycloak to add the Access-Control-Allow-Origin * header to the Keycloak response. After that, I always get a 500 error from APISIX after the redirect from Keycloak.
   > 
   > As somebody mentioned before, I cannot set the same access url and redirect url, because that is not working for this plugin.
   > 
   > Is there any piece of advice that you can give me?
   > 
   > Thanks in advance.
   
   Hello @canob, the 500 error in my case was because something wasn't able to reach APISIX... like the state. Look if the reverse proxy is passing all the parameters correctly and check if you have connectivity between those two (APISIX and Keycloak). In any case, with the log maybe I can provide further help.
   Since those two were working fine before, probably your reverse proxy is messing something up.
   Without further knowledge I can't guess any further.
   Greetings




[GitHub] [apisix] Radu-Iuonac commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "Radu-Iuonac (via GitHub)" <gi...@apache.org>.
Radu-Iuonac commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1725914724

   Hi,
   I am facing a similar issue with APISIX. I deployed APISIX in GCP GKE and tried integrating it with Auth0. In my case my API GW is accessed from a FE app which already performs login with Auth0 and thus has a valid token.
   I configured my APISIX route like this:
   ```json
   {
     "uri": "/my-service/*",
     "name": "My Route",
     "plugins": {
       "openid-connect": {
         "bearer_only": true,
         "client_id": "AUTH0_CLIENTID",
         "client_secret": "AUTH0_SECRET",
         "discovery": "AUTH0_DOMAIN.well-known/openid-configuration",
         "redirect_uri": "http://localhost:8082/my-service/redirect",  // same as Auth0 callback as mentioned in previous threads
         "scope": "openid profile"
       }
     },
     "upstream_id": "1",
     "status": 1
   }
   ```
   
   When calling the API with `-H "Authorization: Bearer AUTH0_TOKEN"` I get a 401 Authorization Required error, why is this?
   If I set bearer_only to false and still call the API with `-H "Authorization: Bearer AUTH0_TOKEN"` it redirects me to login. It looks like APISIX ignores the fact that I have a valid token.
   If I call the endpoint from browser then I get redirected to Auth0, I login, get a session and redirect to my api all good.
   
   
   I see myself forced to use APISIX as a simple API GW without any security and handle the security in each upstream service individually. It is quite sad as this project has a lot of potential.
   
   If anybody has encountered this issue before and has a solution please do share!
   
   




[GitHub] [apisix] liweitianux commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
liweitianux commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1207741595

   > @liweitianux I see. Would you like to submit a PR for that? Thanks!
   
   Yes, I could make a PR, but maybe a bit late due to various works at hand.
   
   By the way, I'm still a newbie to APISIX, so how should I obtain the current route's `uri` config in the plugin? It's needed to derive the `redirect_uri`.
   
   In addition, I still need to consider how to handle the `redirect_uri` for the Service/Consumer/Global cases.




[GitHub] [apisix] spacewander commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1207396508

   > So I'd say it would be great if APISIX could auto-set an internal URI for the redirect_uri if not specified, although it's not recommended by the best current practice.
   > According the discussion above, I'd suggest the following one: assume the current API/route is /api/*, then the auto-generated redirect_uri could be /api/.apisix/redirect. Just my idea...
   
   LGTM. I just wonder why we use dot in the path `/api/.apisix/redirect`.




[GitHub] [apisix] yzhaowei commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
yzhaowei commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1102187049

   I had the same issue even though I followed the solution given above, which uses a "vanity" URL like '/redirect'. I also followed the tutorial in [APISIX blog with Authing](https://apisix.apache.org/zh/blog/2022/01/04/authing); it failed too.
   
   Some facts:
   
   - The `redirect_uri` in the `openid-connect` plugin configuration must be one of the callbacks in the IdP, e.g. Authing.cn.
   - The login was successful. There is a successful record on the Authing.cn website under '用户行为日志' (user activity log).
   - My browser shows something like `http://localhost:9080/redirect?code=<code>&state=<state>`.
   
   It seems APISIX did not redirect to the redirect_uri. I also tried `redirect_uri: http://localhost:9080/` and that failed too.
   
   ```shell
   # a successful login but fails to redirect to /image/png
   curl -X PUT \
     http://127.0.0.1:9080/apisix/admin/routes/2 \
     -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
     -d '{
         "uri": "/image/*",
         "upstream_id": "1",
         "plugins": {
             "openid-connect": {
               "client_id": "<client id>",
               "client_secret": "<client secret>",
               "discovery": "<.../.well-known/openid-configuration>",
               "bearer_only": false,
               "scope": "openid profile",
               "redirect_uri": "http://localhost:9080/redirect"
             }
         }
     }'
   ```
   
   Here is the response after a successful user login using OIDC. Obviously, it was caused by accessing `/redirect`.
   ```
   {"error_msg":"404 Route Not Found"}
   ```
   
   Here is the log information from `error.log` and `access.log`.
   ```
   # error.log
   2022/04/19 06:49:58 [error] 47#47: *480883 [lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found, client: 172.18.0.1, server: _, request: "GET /image/png HTTP/1.1", host: "localhost:9080"
   2022/04/19 06:49:58 [error] 47#47: *480883 [lua] openid-connect.lua:304: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 172.18.0.1, server: _, request: "GET /image/png HTTP/1.1", host: "localhost:9080"
   2022/04/19 06:49:58 [warn] 47#47: *480883 [lua] plugin.lua:750: run_plugin(): openid-connect exits with http status code 500, client: 172.18.0.1, server: _, request: "GET /image/png HTTP/1.1", host: "localhost:9080"
   ```
   
   ```
   # access.log
   172.18.0.1 - - [19/Apr/2022:06:53:03 +0000] localhost:9080 "GET /image/png HTTP/1.1" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0" - - - "http://localhost:9080"
   172.18.0.1 - - [19/Apr/2022:06:53:13 +0000] localhost:9080 "GET /redirect?code=<code>&state=<state> HTTP/1.1" 404 47 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0" - - - "http://localhost:9080"
   ```
   
   Environment (Docker images):
   - apache/apisix:2.13.1-alpine
   - apache/apisix-dashboard:2.10.1-alpine
   - bitnami/etcd:3.4.15
   - prom/prometheus:v2.25.0
   - grafana/grafana:7.3.7
   
   @starsz, did you test the tutorial using Authing? Is there any further solution? Thanks.
   
   
   




[GitHub] [apisix] david-woelfle commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
david-woelfle commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1092126054

   Thank you for the detailed insights @starsz and for the super fast reply to @membphis and @moonming!
   
   > Hi @david-woelfle. Yes, that's true.
   > Now, Apache APISIX uses "lua-resty-openidc" to deal with the openid-connect logic.
   > You can refer to the code here:
   >
   > https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L1472-L1481
   
   I see the problem. OK I should probably open an issue in that repo then, right? 
   
   > So the flow should be like this:
   
   Thanks once more, the graph and the explanation above is really useful for me. But there is one thing which I do not understand, maybe you can help me out with, it's about this step:
   
   > After the authentication passed, the Auth server will redirect to the redirect_uri (which is config in Apache APISIX), and Apache APISIX will get the code and state from the redirection. You can refer: https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L1092-L1204
   
   Seems like the `redirect_uri` (aka the `proxiex-token-url` in your sequence diagram) is an internal endpoint that APISIX needs to finish the auth process, that is, to trigger the exchange of the code for an access token, right? It doesn't even depend on the upstream/resource server at all, as those are not involved in the information exchange. Neither is the user, btw; the user agent just follows redirects.
   Now the question: why should the admin of an APISIX gateway decide about the `redirect_uri` at all? Couldn't APISIX provide some generic auth callback endpoint that is automatically sent to the auth server? I mean like e.g. Grafana, which provides a hardcoded endpoint (https://your-grafana-server/login/generic_oauth -> [see docs here](https://your-grafana-server/login/generic_oauth)).
   




[GitHub] [apisix] moonming commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "moonming (via GitHub)" <gi...@apache.org>.
moonming commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1726763256

   @monkeyDluffy6017 please take a look




[GitHub] [apisix] david-woelfle commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
david-woelfle commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1090675455

   Came across the same problem today and did some testing on the problem with an up-to-date apisix instance. It seems like this problem (`request to the redirect_uri path but there's no session state found`) only happens if the user requested URI and the `redirect_uri` are identical. 
   
   The reason could be that the openid-connect plugin probably checks if the user requested URI is identical to `redirect_uri` and if that is the case assumes that user has already been redirected back from the Auth server and should already have a valid session cookie. The plugin hence expects a session cookie and then fails with the error above if it finds no session state. @membphis or @moonming could you maybe confirm that this is what the plugin does?
   
   If my hypothesis is correct then I would assume this is a bug, and I find that the approach of @lemonrains is not a good solution. Here is why:
   * Assume you try to protect an upstream API with OpenID, say `https://httpbin.org/image/png`
   * The exposed route for the upstream could be `https://example.com/image/png`
   * If users without a session yet try to access `https://example.com/image/png` they should be redirected to the Auth server to redeem a session. (This redirect currently fails).
   * After the authentication passed the users should be redirected back to the original target URI (`https://example.com/image/png`) because that is the resource they initially tried to access. (Please note that this is what the openid-connect plugin actually tries to do by default, as `redirect_uri` has a default value of `"ngx.var.request_uri"`, which is IMHO the right thing to do and absolutely correct. The docs are correct too, just the implementation in the plugin seems to have a bug ;) )
   




[GitHub] [apisix] membphis commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
membphis commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1090975186

   @starsz I have reopened this issue right now. 
   
   Do you have time to check this bug? 




[GitHub] [apisix] david-woelfle commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
david-woelfle commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1092890413

   > > Couldn't APISIX provide some generic auth callback endpoint that is automatically sent to the auth server
   >
   > Thanks @[david-woelfle](https://github.com/david-woelfle). It's a good idea. But there is some difference from Grafana.
   > Apache APISIX is a gateway, we don't want to expose a fixed URL in the gateway since it will influence other APIs. So we should do more research to provide the best solution.
   
   I see your point @starsz. How about a configurable endpoint, like what is already implemented in the [prometheus plugin](https://apisix.apache.org/docs/apisix/plugins/prometheus#how-to-specify-export-uri)? Could be a simple configuration option like this:
   ```yaml
   plugin_attr:
     openid-connect:
       redirect_uri: /apisix/redirect
   ```
   
   And last but not least, thanks very much for working on this! 
   




[GitHub] [apisix] liweitianux commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
liweitianux commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1207423283

   Hi @spacewander .
   
   > LGTM. I just wonder why we use dot in the path `/api/.apisix/redirect`.
   
   Well, it's similar to `/.well-known/...` and the like, and a leading `.` (dot) means hidden in the UNIX realm. What's more, it would make this internal URI very unlikely to conflict with the user's own ones.
   
   > I read the code again, it seems we have provided a default value:
   > Is there any problem with the default value?
   
   Yes. The current default value (`ngx.var.request_uri`) for `redirect_uri` is the exact cause of this 500 error...
   
   @david-woelfle already analyzed the cause above: https://github.com/apache/apisix/issues/2426#issuecomment-1090675455
   
   @lemonrains also pointed out a possible solution to this 500 error above: https://github.com/apache/apisix/issues/2426#issuecomment-978803473 . i.e., manually set `redirect_uri` to an unused/non-existing URI, since it's a "vanity" one and doesn't hurt the flow.
   
   The actual flow was analyzed in detail by @starsz in https://github.com/apache/apisix/issues/2426#issuecomment-1091021687 . The **openidc** module saves the original URI in the session; after the IDP redirects back to the `redirect_uri`, **openidc** exchanges the code with the IDP for tokens, and then continues to redirect to the original URI (from the session).
   
   https://github.com/zmartzone/lua-resty-openidc/blob/b07330120ffe54dd3fbeac247726b76d0f9dc793/lib/resty/openidc.lua#L1466-L1478
   
   This 500 error is caused by the above code segment in the **openidc** module.  When `redirect_uri` is `ngx.var.request_uri` (i.e., the default value), it would be the same as the `target_url` above, and thus hit the `request to the redirect_uri path but there's no session state found` error and finally the 500 error from APISIX.
   
   Hope the above explained the issue well.
   
   Cheers.
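The flow @starsz and @liweitianux describe, and the failure @david-woelfle identified, modelled as an added example (not APISIX's or lua-resty-openidc's code): the callback is detected by comparing the request path with the `redirect_uri` path, the state lives in the session, and a callback hit without stored state is an error. The IdP endpoint, routes and URLs are constructed stand-ins; the model also reproduces the 404 @yzhaowei saw when the callback path lies outside the route, and the working case where it sits under the route prefix.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit
import secrets

# Constructed stand-in for the IdP's authorization endpoint (not a real provider).
IDP_AUTHORIZE = "https://idp.example/authorize"


class OidcError(Exception):
    """An error from the openidc step; APISIX turns it into the 500 seen in the thread."""


@dataclass
class Session:
    """What the session cookie carries between requests."""
    state: Optional[str] = None
    original_url: Optional[str] = None
    authenticated: bool = False


def authenticate(session: Session, request_url: str, redirect_uri: str) -> Tuple[str, Optional[str]]:
    """One pass of the openid-connect plugin for request_url.

    Returns ("pass", None) when the request may go upstream, or ("redirect", location).
    The callback is recognised purely by comparing the request path with the
    redirect_uri path, which is why redirect_uri == request_uri fails on the first visit.
    """
    if session.authenticated:
        return "pass", None
    req = urlsplit(request_url)
    if req.path == urlsplit(redirect_uri).path:
        # Callback branch: openidc expects the state it stored before redirecting.
        if session.state is None:
            raise OidcError("request to the redirect_uri path but there's no session state found")
        query = parse_qs(req.query)
        if query.get("state", [None])[0] != session.state or "code" not in query:
            raise OidcError("invalid callback: bad state or missing code")
        # The code-for-token exchange with the IdP would happen here.
        session.authenticated, session.state = True, None
        return "redirect", session.original_url
    # First visit: remember the original target, then send the user to the IdP.
    session.state = secrets.token_hex(8)
    session.original_url = request_url
    params = urlencode({"response_type": "code", "redirect_uri": redirect_uri, "state": session.state})
    return "redirect", f"{IDP_AUTHORIZE}?{params}"


def gateway(routes: dict, session: Session, url: str) -> Tuple[int, str]:
    """Prefix route matching (APISIX "uri": "/image/*") followed by the plugin.

    routes maps a path prefix to its redirect_uri; None stands for the old default,
    ngx.var.request_uri, i.e. the requested URL itself.
    """
    path = urlsplit(url).path
    for prefix, redirect_uri in routes.items():
        if path.startswith(prefix):
            try:
                action, location = authenticate(session, url, redirect_uri or url)
            except OidcError as exc:
                return 500, str(exc)
            return (302, location) if action == "redirect" else (200, "upstream")
    return 404, "Route Not Found"


def idp_login(location: str) -> str:
    """Stub IdP: the user logs in and is bounced back to redirect_uri with code and state."""
    q = parse_qs(urlsplit(location).query)
    return f"{q['redirect_uri'][0]}?{urlencode({'code': 'constructed-code', 'state': q['state'][0]})}"


def browse(routes: dict, start_url: str, max_hops: int = 5) -> Tuple[int, str, str]:
    """Follows redirects like a browser with one cookie jar; returns (status, body, final_url)."""
    session, url = Session(), start_url
    for _ in range(max_hops):
        status, body = gateway(routes, session, url)
        if status != 302:
            return status, body, url
        url = idp_login(body) if body.startswith(IDP_AUTHORIZE) else body
    raise RuntimeError("redirect loop")


if __name__ == "__main__":
    start = "http://localhost:9080/image/png"
    print("default redirect_uri       :", browse({"/image/": None}, start)[:2])
    print("redirect_uri off the route :", browse({"/image/": "http://localhost:9080/redirect"}, start)[:2])
    print("redirect_uri under the route:", browse({"/image/": "http://localhost:9080/image/redirect"}, start)[:2])
```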




[GitHub] [apisix] spacewander commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1207697923

   @liweitianux 
   I see. Would you like to submit a PR for that? Thanks!




[GitHub] [apisix] Xarxavier commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
Xarxavier commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1092739659

   > > > ```shell
   > > > 2020/10/10 06:47:45 [error] 26#26: *6045490 [lua] openid-connect.lua:163: phase_func(): failed to authenticate in openidc: request to the redirect_uri path but there's no session state found, client: 192.168.1.145, server: , request: "GET
   > > > ```
   > > 
   > > 
   > > we got this error, I think it is fine. because you did not set a correct `redirect_uri`.
   > > when missing `redirect_uri`, it'll use `ctx.var.request_uri` as default value: http://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_uri .
   > > > ```shell
   > > > 2020/10/10 06:47:45 [error] 25#25: *6045493 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/plugins/echo.lua:96: attempt to index local 'conf' (a userdata value)
   > > > stack traceback:                                                                                                                                            
   > > > coroutine 0:                                                                                                                                             
   > > >         /usr/local/apisix/apisix/plugins/echo.lua: in function 'phase_fun'                                                                                     
   > > >         [string "route#41ee9eef-564e-4208-86e6-fc6834bd7178"]:17: in function 'phase_func'                                                                  
   > > >         /usr/local/apisix/apisix/script.lua:52: in function 'run'                                                                                                 
   > > >         /usr/local/apisix/apisix/init.lua:508: in function 'http_access_phase'  
   > > > ```
   > > 
   > > 
   > > @liuxiran that is another error message of plugin `echo`, but I do not find you enabled this plugin. so I think this error message is not related to this issue.
   > 
   > Hi, @Xarxavier I think your problem is the same as [membphis](https://github.com/membphis). You can read the issue, and I think you will get the answer.
   
   I changed the redirect_uri callback to "pathtoprotect"/callback; sometimes it just redirects to the Auth Server and other times it keeps throwing errors, I can't figure out why, any thoughts?




[GitHub] [apisix] Xarxavier commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
Xarxavier commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1092620238

   Hello guys, I would like some help to understand why I'm getting this error. I implemented the OIDC flow as above; the problem is that after authentication, sometimes I complete the flow and APISIX just returns me to the auth endpoint, and other times I get this error:
   OIDC authentication failed: request to the redirect_uri path but there's no session state found
   Can someone enlighten me?
   Thanks in advance.




[GitHub] [apisix] moonming commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
moonming commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1090936901

   @david-woelfle thanks for your detailed report 👍
   @starsz @membphis please take a look, thx




[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1091579475

   I think we can improve the error log and status code at least.
   So I created an issue: https://github.com/apache/apisix/issues/6803




[GitHub] [apisix] Radu-Iuonac commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "Radu-Iuonac (via GitHub)" <gi...@apache.org>.
Radu-Iuonac commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1727112118

   I see the error with the introspection endpoint. Looking for a solution for this with Auth0, but it seems that for Auth0 opaque tokens are the default.
   https://community.auth0.com/t/introspection-endpoint-for-opaque-tokens-or-more-flexible-rules-to-get-clear-jwt-access-token/63866
   After adding a somewhat random introspection endpoint "AUTH0_DOMAIN/well-known/jwks.json" now I get
   WWW-Authenticate: Bearer realm="master", error="invalid_token", error_description="response indicates failure, status=404, body=Not found."




[GitHub] [apisix] juzhiyuan commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "juzhiyuan (via GitHub)" <gi...@apache.org>.
juzhiyuan commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1707540372

   Hello,
   
   For your records, if you're using NGINX with APISIX and encounter the same issue, please check as follows:
   
   1. Check your NGINX error.log: if you can find the same error, go ahead:
   
   ![image](https://github.com/apache/apisix/assets/2106987/28c34d36-3087-40cf-ad0f-f5bccc11a6b1)
   
   2. Set the configuration block like this:
   
   ![image](https://github.com/apache/apisix/assets/2106987/0ccda1a0-77fe-4f45-9d17-8dfc6a7c76eb)
   
   3. Try again!
   
   




[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1092354771

   > Why should the admin of an APISIX gateway decide about the redirect_uri at all
   
   Yes, the best way is that the admin doesn't need to care about the redirect_uri. It's a point that can be improved.
   
   > Couldn't APISIX provide some generic auth callback endpoint that is automatically sent to the auth server
   
   Thanks @[david-woelfle](https://github.com/david-woelfle). It's a good idea. But there is some difference from Grafana.
   Apache APISIX is a gateway, we don't want to expose a fixed URL in the gateway since it will influence other APIs. So we should do more research to provide the best solution.




[GitHub] [apisix] spacewander commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1094592255

   > > Should `redirect_uri` be configured as a plugin configuration instead of plugin attributes? Different OIDC clients may need different redirect uri.
   > 
   > I think the config as plugin attributes can cover the config as plugin config. So we can set a default `redirect_uri`.
   
   Is it a good idea to have the same `redirect_uri` for different clients? AFAIK, the redirect_uri is used to get token (which requires different client credentials) so we can't use the same path for different clients. 




[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1102481152

   Hi @yzhaowei .
   Since your uri config in the route is `"uri": "/image/*"`, you should configure your `redirect_uri` as follows (starting with the "image" path prefix):
   
   ```
   "redirect_uri": "http://localhost:9080/image/redirect"
   ```
   otherwise the redirect request can't match the route in Apache APISIX.




[GitHub] [apisix] Radu-Iuonac commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "Radu-Iuonac (via GitHub)" <gi...@apache.org>.
Radu-Iuonac commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1727079488

   Hi @kayx23,
   
   No unfortunately it is not working. When I make a request to a route that has 
   ```
   "openid-connect": {
         "bearer_only": true,
         "client_id": "AUTH0_CLIENTID",
         "client_secret": "AUTH0_SECRET",
         "discovery": "AUTH0_DOMAIN/.well-known/openid-configuration",
         "redirect_uri": "http://localhost:8082/my-service/redirect",
         "scope": "openid profile"
       }
   ```
   even if I send a valid token in the Authorization header, I get a 401 Unauthorized
   ![2](https://github.com/apache/apisix/assets/20111005/fa4df0e9-6a50-414d-ba4a-ccf2d21b9017)
   
   




Re: [I] bug:enable openid-connect plugin without redirect_uri got 500 error [apisix]

Posted by "luoluoyuyu (via GitHub)" <gi...@apache.org>.
luoluoyuyu commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1841952603

   @moonming  @shreemaan-abhishek @monkeyDluffy6017 @starsz 
   To fix this bug, I think we need to fix the upstream library: https://github.com/zmartzone/lua-resty-openidc/issues/499
   What do you think?
   




Re: [I] bug:enable openid-connect plugin without redirect_uri got 500 error [apisix]

Posted by "luoluoyuyu (via GitHub)" <gi...@apache.org>.
luoluoyuyu commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1863886266

   I'll continue to finish the work on https://github.com/apache/apisix/pull/7690 to fix this bug




[GitHub] [apisix] moonming commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
moonming commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1090936696

   @david-woelfle thanks for your detailed report 👍
   @starsz @membphis please take a look, thx




[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1094190954

   > > > > ```shell
   > > > > 2020/10/10 06:47:45 [error] 26#26: *6045490 [lua] openid-connect.lua:163: phase_func(): failed to authenticate in openidc: request to the redirect_uri path but there's no session state found, client: 192.168.1.145, server: , request: "GET
   > > > > ```
   > > > 
   > > > 
   > > > we got this error, I think it is fine. because you did not set a correct `redirect_uri`.
   > > > when missing `redirect_uri`, it'll use `ctx.var.request_uri` as default value: http://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_uri .
   > > > > ```shell
   > > > > 2020/10/10 06:47:45 [error] 25#25: *6045493 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/plugins/echo.lua:96: attempt to index local 'conf' (a userdata value)
   > > > > stack traceback:                                                                                                                                            
   > > > > coroutine 0:                                                                                                                                             
   > > > >         /usr/local/apisix/apisix/plugins/echo.lua: in function 'phase_fun'                                                                                     
   > > > >         [string "route#41ee9eef-564e-4208-86e6-fc6834bd7178"]:17: in function 'phase_func'                                                                  
   > > > >         /usr/local/apisix/apisix/script.lua:52: in function 'run'                                                                                                 
   > > > >         /usr/local/apisix/apisix/init.lua:508: in function 'http_access_phase'  
   > > > > ```
   > > > 
   > > > 
   > > > @liuxiran that is another error message of plugin `echo`, but I do not find you enabled this plugin. so I think this error message is not related to this issue.
   > > 
   > > 
   > > Hi, @Xarxavier I think your problem is the same as [membphis](https://github.com/membphis). You can read the issue, and I think you will get the answer.
   > 
   > Hi @starsz I changed the redirect_uri callback to "pathtoprotect"/callback and sometimes it just redirects to the Auth Server and other times it keeps throwing a 500 error (state not found). I can't figure out why, some thoughts?
   
   Looks strange. Can you provide your config of the openid-connect plugin and the URI that returns 500?
   




[GitHub] [apisix] starsz commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1094191152

   > > > Couldn't APISIX provide some generic auth callback endpoint that is automatically sent to the auth server
   > > 
   > > 
   > > Thanks @[david-woelfle](https://github.com/david-woelfle). It's a good idea. But there is some difference from Grafana.
   > > Apache APISIX is a gateway; we don't want to expose a fixed URL in the gateway since it will influence other APIs. So we should do more research to provide the best solution.
   > 
   > I see your point @starsz. How about a configurable endpoint, like what is already implemented in the [prometheus plugin](https://apisix.apache.org/docs/apisix/plugins/prometheus#how-to-specify-export-uri)? Could be a simple configuration option like this:
   > 
   > ```
   > plugin_attr:
   >   openid-connect:
   >     redirect_uri: /apisix/redirect
   > ```
   > 
   > And last but not least, thanks very much for working on this!
   
   I think it's a good idea. And I will try to have a test of it.




[GitHub] [apisix] kingluo commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by GitBox <gi...@apache.org>.
kingluo commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1264279282

   > For those still struggling with that: by default resty.session will try to use `aes` as the encryption algorithm for the cookie that holds the session, but without setting `session_secret`, `session.start` will fail with the reason `EVP_DecryptFinal_ex`. To avoid that you have to set it to a 32-byte random value. If using the helm chart to spin up apisix, this should do the trick
   > 
   > ```yaml
   > configurationSnippet:
   >   httpSrv: |
   >     set $session_secret 8044c47e83b5ac9bb7c868eb8b202e93;
   > ```
   
   
   The nginx variable would make all openidc instances use the same secret.
   So the best way is to distinguish the host and set it accordingly.
   ```lua
        set_by_lua_block $session_secret {
            local secrets = {
               ["foo.domain"] = "xxx",
               ["bar.domain"] = "yyy",
            }
            return secrets[ngx.var.host]
        }
   ```


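   Building on the per-host lookup in the comment above, the following is an added example (not code from this thread, from APISIX or from lua-resty-session) that makes the lookup fail closed: a request for a host with no configured secret, or with a secret that is not the 32 bytes the thread calls for, raises a Lua error inside `set_by_lua_block`, which makes nginx abort the request with a 500 instead of continuing with an empty or shared `$session_secret`. The host names `foo.domain` and `bar.domain` and the secret values are constructed placeholders; generate a distinct random value per host (for example with `openssl rand -hex 16`, which yields 32 characters).

```lua
-- Added example, not from the issue thread or from APISIX.
-- Per-host session secrets for the openid-connect plugin. Hosts and
-- secret values below are constructed placeholders.
set_by_lua_block $session_secret {
    -- One secret per virtual host. Keep these out of version control in
    -- practice (e.g. render this block from a secret store at deploy time).
    local secrets = {
        ["foo.domain"] = "PLACEHOLDER_SECRET_FOR_FOO_0000A",  -- 32 chars, placeholder
        ["bar.domain"] = "PLACEHOLDER_SECRET_FOR_BAR_0000B",  -- 32 chars, placeholder
    }

    local host = ngx.var.host
    local secret = secrets[host]

    -- Unknown host: do not fall back to a shared or empty secret.
    -- ngx.exit is not available in set_by_lua, so raise an error; nginx
    -- then fails the variable evaluation and returns 500 for the request.
    if secret == nil then
        ngx.log(ngx.ERR, "no session_secret configured for host: ", tostring(host))
        error("missing session_secret for host " .. tostring(host))
    end

    -- Length check matching the 32-byte requirement noted in the thread.
    if #secret ~= 32 then
        ngx.log(ngx.ERR, "session_secret for host ", host, " is not 32 bytes long")
        error("invalid session_secret length for host " .. host)
    end

    return secret
}
```

   Because `set_by_lua_block` blocks the nginx event loop, keep the lookup a plain table access as above; a remote fetch of the secret belongs in an `init_worker` or cache layer, not here. Note that using the `$session_secret` variable this way still applies one secret per host, so any openid-connect route on the same host shares it; if routes on one host must not share sessions, a per-route secret has to be configured in the plugin itself rather than through this variable.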


[GitHub] [apisix] canob commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

Posted by "canob (via GitHub)" <gi...@apache.org>.
canob commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1567242758

   > Hello @canob, the 500 error in my case was because something wasn't able to reach apisix... like the state. Look if the reverse proxy is passing all the parameters correctly and check if you have connectivity between those two (apisix and Keycloak). In any case, with the log maybe I can provide further help. Since those two were working fine before, probably it is because your reverse proxy is messing something up. Without further knowledge I can't say for sure. Greetings
   
   Thanks @Xarxavier, I'm going to review the headers that my reverse proxy is passing.
   Regards!




Re: [I] bug:enable openid-connect plugin without redirect_uri got 500 error [apisix]

Posted by "luoluoyuyu (via GitHub)" <gi...@apache.org>.
luoluoyuyu commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1835321034

   Hi @shreemaan-abhishek  @monkeyDluffy6017 
   Please assign this issue to me.




Re: [I] bug:enable openid-connect plugin without redirect_uri got 500 error [apisix]

Posted by "luoluoyuyu (via GitHub)" <gi...@apache.org>.
luoluoyuyu commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1840097246

   Hi @Radu-Iuonac 
   I created a new issue for your problem.
   https://github.com/apache/apisix/issues/10592




Re: [I] bug:enable openid-connect plugin without redirect_uri got 500 error [apisix]

Posted by "moonming (via GitHub)" <gi...@apache.org>.
moonming closed issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error
URL: https://github.com/apache/apisix/issues/2426

