Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/10/15 06:28:59 UTC

[GitHub] [apisix] whatsmore opened a new issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

whatsmore opened a new issue #2428:
URL: https://github.com/apache/apisix/issues/2428


   ### Issue description
   After starting up, testing shows it basically works. Because I need an authentication service, I want to use some of the plugins to provide authentication. I tested key-auth and it basically worked, but a single route may have multiple users, so I switched to the authz-keycloak plugin.
   Since I am not familiar with it, I followed the [documentation](https://github.com/apache/apisix/blob/master/doc/zh-cn/plugins/authz-keycloak.md), started a container and then configured it:
   `docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 sshniro/keycloak-apisix`
   The configuration followed an online tutorial: I configured the corresponding client and user, and set a password.
   Using
   `curl --location --request POST 'http://localhost:8090/auth/realms/test/protocol/openid-connect/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=test' --data-urlencode 'password=123456' --data-urlencode 'client_id=test-client' --data-urlencode 'grant_type=password'`
   I obtained the corresponding access_token.
   Using
   `curl --location --request POST 'http://localhost:8090/auth/realms/test/protocol/openid-connect/userinfo'  --header 'Content-Type: application/x-www-form-urlencoded' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'access_token=eyJ.................hbG'`
   I verified that the token is correct and usable.
   The response was:
   `{"sub":"11d5f929-9348-4114-8e7a-e3ee3fa2fac3","email_verified":false,"preferred_username":"test"}`
   Then I configured the corresponding token_endpoint in the route:
   `http://127.0.0.1:8090/auth/realms/test/protocol/openid-connect/token`
   and set policy_enforcement_mode to `PERMISSIVE `.
   Calling
   `curl  http://127.0.0.1:9080/authtest/ -H 'Authorization: Bearer {eyJ.................hbG}'`
   gives the following error:
   `{"error":"invalid_grant","error_description":"Invalid bearer token"}`
   After changing it to
   `curl  http://127.0.0.1:9080/authtest/ -H 'Authorization: Bearer eyJ.................hbG'`
   the error is:
   `{"error":"invalid_request","error_description":"You must provide the issuedFor"}`
   
   When the authz-keycloak plugin is not enabled, the curl command above works.
   Is there a problem with my keycloak configuration?
   
   ### Environment
   
   * apisix version (cmd: `apisix version`):1.5
   * OS:macOS
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] sshniro commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
sshniro commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-710362912


   If you can rephrase in EN I can help you with this. 🙂





[GitHub] [apisix] spacewander commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-816388568


   Closed as lack of response.





[GitHub] [apisix] whatsmore commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
whatsmore commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-708998200


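   @Caelebs I have only just started too. I'm waiting for an expert to tell me how to set it as Authentication; right now I'm rewriting the body. Sigh, the community is not active enough.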





[GitHub] [apisix] idbeta commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
idbeta commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-709018333


   ping @Yiyiyimu 





[GitHub] [apisix] Caelebs commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
Caelebs commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-708996751


   @whatsmore Hey buddy, let's compare notes. I'm also writing a custom plugin for authentication.





[GitHub] [apisix] Yiyiyimu commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
Yiyiyimu commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-712652309


   @whatsmore You are welcome to add what you found to the documentation, in order to help other people who might come across this problem in the future.





[GitHub] [apisix] whatsmore commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
whatsmore commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-709019460


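   I set auth in the type in plugin.lua, but it doesn't seem to take effect; it is still other. Actually I copied key-auth directly, only changing the name and the priority, and it ended up conflicting.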





[GitHub] [apisix] Caelebs commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
Caelebs commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-709015749


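   @whatsmore I have only just started too. The existing plugins don't quite meet my authentication requirements, I have never used Lua before, and it's giving me a headache.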





[GitHub] [apisix] Caelebs commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
Caelebs commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-712810169


   @whatsmore Buddy, how did you do it? Mind if I take a look?





[GitHub] [apisix] whatsmore commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
whatsmore commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-708974177


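   Also: how do I define a newly written custom plugin as Authentication? I want to write my own authentication plugin, but it is categorized under other, and when creating a user I get the prompt: please enable at least one authentication plugin.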





[GitHub] [apisix] sshniro edited a comment on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
sshniro edited a comment on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-710362912


   If you can rephrase in EN I can help you with this. 🙂





[GitHub] [apisix] membphis commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
membphis commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-709463499


   @whatsmore please use English in public channel





[GitHub] [apisix] whatsmore commented on issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
whatsmore commented on issue #2428:
URL: https://github.com/apache/apisix/issues/2428#issuecomment-712604221


   Never mind, I sorted it out myself.





[GitHub] [apisix] spacewander closed issue #2428: request help: failure to authenticate using the `authz-keycloak` plugin

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #2428:
URL: https://github.com/apache/apisix/issues/2428


   

