Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/16 18:53:14 UTC
[GitHub] [apisix] MirtoBusico opened a new issue #6345: bug: apisix openid plugin gives a 500 error when using a private Certification Authority
MirtoBusico opened a new issue #6345:
URL: https://github.com/apache/apisix/issues/6345
### Issue description
I'm trying to use a keycloak server for user authentication (and authorization) in Apisix installed in a kubernetes cluster along with Istio.
My keycloak server replies at:
```
https://k6k.m01.net
```
The keycloak certificate is signed by my private Certification Authority (CA).
My plugin setup followed these articles:
```
https://www.keycloak.org/2021/12/apisix.html
(another article: https://apisix.apache.org/blog/2021/12/10/integrate-keycloak-auth-in-apisix/ )
```
The definition is correct; but when I try to access a route with the openid plugin enabled I receive a 500 internal error.
Trying to access the keycloak server from the apisix pod shell I see that the CA is not recognized:
```
bash-5.1# curl https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
bash-5.1#
```
### Environment
- apisix version (cmd: `apisix version`):
```
bash-5.1# apisix version
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua version
2.12.0
bash-5.1#
```
- OS (cmd: `uname -a`):
```
bash-5.1# uname -a
Linux apisix-dd76474d9-82frr 5.4.0-99-generic #112-Ubuntu SMP Thu Feb 3 13:50:55 UTC 2022 x86_64 Linux
bash-5.1#
```
- OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
```
bash-5.1# nginx -V
nginx version: openresty/1.19.9.1
built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.19.9.1.3 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-ap
i/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../mod_dubbo --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../ngx_multi_upstream_module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module/src/stream --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../wasm-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_modul
e --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
bash-5.1# openresty -V
nginx version: openresty/1.19.9.1
built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.19.9.1.3 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-ap
i/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../mod_dubbo --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../ngx_multi_upstream_module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module/src/stream --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../wasm-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_modul
e --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
bash-5.1#
```
- etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
```
What pod is the server-info API?
From the kubernetes dashboard I see that the image is:
docker.io/bitnami/etcd:3.4.16-debian-10-r14
```
- apisix-dashboard version, if have:
```
dashboard_version 2.10.1
```
- the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
```
Don't know how to get the openid plugin version
```
- luarocks version, if the issue is about installation (cmd: `luarocks --version`):
### Steps to reproduce
1) on 3 virtual machines install a 3-node K3S cluster
2) install Istio with "minimal" profile
3) verify versions of the three virtual machines cluster with K3S
```
sysop@m01serv:~$ kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
m01kw1 Ready <none> 28d v1.22.5+k3s1 192.168.102.122 <none> Ubuntu 20.04.3 LTS 5.4.0-99-generic containerd://1.5.8-k3s1
m01kw2 Ready <none> 28d v1.22.5+k3s1 192.168.102.123 <none> Ubuntu 20.04.3 LTS 5.4.0-99-generic containerd://1.5.8-k3s1
m01km Ready control-plane,master 28d v1.22.5+k3s1 192.168.102.121 <none> Ubuntu 20.04.3 LTS 5.4.0-99-generic containerd://1.5.8-k3s1
sysop@m01serv:~$
```
4) Istio version 1.12.2
```
sysop@m01serv:~$ istioctl version
client version: 1.12.2
control plane version: 1.12.2
data plane version: 1.12.2 (16 proxies)
sysop@m01serv:~$
```
5) Helm chart version
```
sysop@m01serv:~$ helm show chart apisix/apisix
apiVersion: v2
appVersion: 2.12.0
dependencies:
- condition: etcd.enabled
name: etcd
repository: https://charts.bitnami.com/bitnami
version: 6.2.6
- alias: dashboard
condition: dashboard.enabled
name: apisix-dashboard
repository: https://charts.apiseven.com
version: 0.4.0
- alias: ingress-controller
condition: ingress-controller.enabled
name: apisix-ingress-controller
repository: https://charts.apiseven.com
version: 0.9.0
description: A Helm chart for Apache APISIX
icon: https://apache.org/logos/res/apisix/apisix.png
maintainers:
- name: tao12345666333
name: apisix
type: application
version: 0.8.2
sysop@m01serv:~$
```
6) changes in values.yaml
```
...
gateway:
  type: LoadBalancer
  ...
  tls:
    enabled: true
    servicePort: 443
    containerPort: 9443
    existingCASecret: "m01cacert"
    certCAFilename: "cert"
  http2:
    enabled: true
...
discovery:
  enabled: true
  registry:
    dns:
      servers:
        - "10.43.0.10:53"
...
dashboard:
  enabled: true
ingress-controller:
  enabled: true
```
7) Apisix installation:
```
kubectl create ns apisix
kubectl label namespace apisix istio-injection=enabled
cat m01ca.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
kubectl -n apisix create secret generic m01cacert --from-file=cert=./m01ca.pem
helm install apisix apisix/apisix -f apisix-values.yaml \
--set ingress-controller.config.apisix.serviceNamespace=apisix \
--set ingress-controller.config.apisix.serviceName=apisix-admin \
--set ingress-controller.config.kubernetes.apisixRouteVersion=apisix.apache.org/v2beta3 \
--namespace apisix
```
8) install an httpbin demo application with these definitions
```
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##################################################################################################
# httpbin service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
```
9) with the dashboard create an SSL resource with key and certificate for www.m02.net
10) Create a route and an upstream for www.m01.net pointing to the httpbin service. Verify that the URL "https://www.m01.net" works correctly
11) set up the openid connect plugin for the route following the instructions at
```
https://www.keycloak.org/2021/12/apisix.html
```
12) try to access "https://www.m01.net" and receive a "500 Internal Server Error"
Looking at the apisix log you see:
```
2022-02-16T17:24:07.837Z | 127.0.0.6 - - [16/Feb/2022:17:24:05 +0000] www.m01.net "GET /spec.json HTTP/2.0" 200 41019 0.008 "https://www.m01.net/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-16T17:24:12.043Z | 127.0.0.6 - - [16/Feb/2022:17:24:09 +0000] www.m01.net "GET /headers HTTP/2.0" 499 0 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 - 0.000 "http://www.m01.net"
2022-02-16T17:24:12.043Z | 127.0.0.6 - - [16/Feb/2022:17:24:10 +0000] www.m01.net "GET /headers HTTP/2.0" 200 1116 0.003 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [error] 50#50: *1701601 [lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [error] 50#50: *1701601 [lua] openid-connect.lua:297: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [warn] 50#50: *1701601 [lua] plugin.lua:724: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:53.975Z | 127.0.0.6 - - [16/Feb/2022:17:38:50 +0000] www.m01.net "GET / HTTP/2.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" - - - "http://www.m01.net"
2022-02-16T17:38:53.975Z | 127.0.0.6 - - [16/Feb/2022:17:38:51 +0000] www.m01.net "GET /favicon.ico HTTP/2.0" 302 142 0.011 "https://www.m01.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" - - - "http://www.m01.net"
Logs from Feb 16, 2022 to Feb 16, 2022 UTC
```
Trying to access the keycloak server from the apisix pod you see that the CA is not recognized ("SSL certificate problem: unable to get local issuer certificate")
```
bash-5.1# curl https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
bash-5.1#
```
### Actual result
Trying to access "https://www.m01.net" and receive a "500 Internal Server Error"
### Error log
Looking at the apisix log you see:
```
2022-02-16T17:24:07.837Z | 127.0.0.6 - - [16/Feb/2022:17:24:05 +0000] www.m01.net "GET /spec.json HTTP/2.0" 200 41019 0.008 "https://www.m01.net/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-16T17:24:12.043Z | 127.0.0.6 - - [16/Feb/2022:17:24:09 +0000] www.m01.net "GET /headers HTTP/2.0" 499 0 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 - 0.000 "http://www.m01.net"
2022-02-16T17:24:12.043Z | 127.0.0.6 - - [16/Feb/2022:17:24:10 +0000] www.m01.net "GET /headers HTTP/2.0" 200 1116 0.003 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [error] 50#50: *1701601 [lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [error] 50#50: *1701601 [lua] openid-connect.lua:297: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [warn] 50#50: *1701601 [lua] plugin.lua:724: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:53.975Z | 127.0.0.6 - - [16/Feb/2022:17:38:50 +0000] www.m01.net "GET / HTTP/2.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" - - - "http://www.m01.net"
2022-02-16T17:38:53.975Z | 127.0.0.6 - - [16/Feb/2022:17:38:51 +0000] www.m01.net "GET /favicon.ico HTTP/2.0" 302 142 0.011 "https://www.m01.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" - - - "http://www.m01.net"
Logs from Feb 16, 2022 to Feb 16, 2022 UTC
```
Trying to access the keycloak server from the apisix pod you see that the CA is not recognized ("SSL certificate problem: unable to get local issuer certificate")
```
bash-5.1# curl https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
bash-5.1#
```
### Expected result
The keycloak login page should show up and after login the httpbin page is shown.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] starsz commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a private Certification Authority
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042639046
Hi @MirtoBusico.
I think there are a few things you can try.
First:
> try to access "https://www.m01.net/" and receive a "500 Internal Server Error"
> Looking at the apisix log you see:
Can you try another URL like `https://www.m01.net/v1/xxx`?
[GitHub] [apisix] starsz commented on issue #6345: bug: apisix openid plugin - how the logout path does work ?
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1047668402
> "https://www.m01.net/logout" executes the logout but is redirected to this url
> https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1N
But the user is logged out. If you access https://www.m01.net/headers, it will show the keycloak login page.
So do you mean we can configure a logout_redirect_url? Then we can redirect to the logout_redirect_url.
You can refer to this PR: https://github.com/apache/apisix/issues/6362
[GitHub] [apisix] starsz commented on issue #6345: bug: apisix openid plugin - how the logout path does work ?
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1050743362
> Yes @starsz I mean exactly the PR: #6362
>
> So I think that I have to wait that this PR will be implemented
Yeah. We will support it as soon as possible.
[GitHub] [apisix] starsz edited a comment on issue #6345: bug: apisix openid plugin gives a 500 error when using a private Certification Authority
Posted by GitBox <gi...@apache.org>.
starsz edited a comment on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1044276279
> Setting logout_path to "https://www.m01.net/headers" I receive a 404 error and the user session is still active
Oh. If so, I think it's a bug. Let me have a try.
[GitHub] [apisix] MirtoBusico commented on issue #6345: bug: apisix openid plugin - how the logout path does work ?
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1047730968
Yes @starsz I mean exactly the PR: https://github.com/apache/apisix/issues/6362
So I think that I have to wait that this PR will be implemented
[GitHub] [apisix] starsz commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a private Certification Authority
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042786941
> **UPDATE2** I changed the redirect uri to "https://www.m01.net/_" adding a "_". So the plugin definition now is:
>
> ```
> {
>   "client_id":"apisix",
>   "client_secret":"CFejdjaiPNgGXMQub467j10OzcuK43tB",
>   "discovery":"https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
>   "scope":"openid profile",
>   "bearer_only":false,
>   "realm":"apisix_test_realm",
>   "introspection_endpoint_auth_method":"client_secret_post",
>   "redirect_uri":"https://www.m01.net/*"
> }
> ```
>
> Now the access sequence and results are:
>
> * "https://www.m01.net/" --> appears login screen; I can do the login; the httpbin home page appears
> * "https://www.m01.net/image/png" --> the image appear correctly
> * "https://www.m01.net/logout" --> I'm redirected to
>
> ```
> "https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZQzh1bVRwQ2ZCRkxQSHpFNmh4dTZUM3QybnBQLUpOSG9hX2JYbnRIczZBIn0.eyJleHAiOjE2NDUwODc5NTMsImlhdCI6MTY0NTA4NzY1MywiYXV0aF90aW1lIjoxNjQ1MDg3NjUzLCJqdGkiOiI4ZGIxODdlYi05NGI5LTRlNmMtOTI3MC0xYzc4OWI2NjFmNDgiLCJpc3MiOiJodHRwczovL2s2ay5tMDEubmV0L2F1dGgvcmVhbG1zL2FwaXNpeF90ZXN0X3JlYWxtIiwiYXVkIjoiYXBpc2l4Iiwic3ViIjoiYjYzZTQ4NjMtZjhlNC00ZDdmLTk4NzctMjdlNmNkODRhMTk3IiwidHlwIjoiSUQiLCJhenAiOiJhcGlzaXgiLCJub25jZSI6ImJmMGNjYjA0Yjk1ZDgyNzBkMmU3YTY1ZGZjZmY3OWUxIiwic2Vzc2lvbl9zdGF0ZSI6IjI2ZWQ3OWE3LTJlMGItNGEwYy04Mzc3LTY3MDcwNGU1NmM2NSIsImF0X2hhc2giOiJVclo3ZHJRT0NhYTN6TV9pb2dndjNBIiwiYWNyIjoiMSIsInNpZCI6IjI2ZWQ3OWE3LTJlMGItNGEwYy04Mzc3LTY3MDcwNGU1NmM2NSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlBldGVyIFpodSIsInByZWZlcnJlZF91c2VybmFtZSI6InBldGVyIiwiZ2l2ZW5fbmFtZSI6IlBldGVyIiwiZmFtaWx5X25hbWUiOiJaaHUiLCJlbWFpbCI6InBldGVyQHRlc3QuY29tIn0.Kr3XQt2v-rXIpe-GXSWF-
Q11oBjt50m1guC6NmHEPz2f8TMC2uB2reHI4kyNsbqoqnv4N_egcrRchYoJQIH1ooRtb_ccRWk7Hm324GKt__0LrvoYhAdzjLVMMNNgzsgBPvUrWW2TpDoejuvLFuh56fOrJDkF98roWErWnWmMWqlCO0dpcGUNLRq8Get32b2aJhfbz4lMY8bRCHM2UfOsmnZe-Tozj5iPQiKCuDKuD99Ng4hrjldmHoDxe3owEHxMs3eJAKqtwc8D58hMI8Rx0PUkh0oGEgW9h79xe8UkyIHOxG4LxRuvs1hM3Zy2guRS_wV8FLNV8k4XKLX2LjUqbQ"
> ```
>
> but the user is correctly logged out
>
> I don't know how to correctly redirect the logout page
Hi @MirtoBusico . Thanks for your patient test.
After reading your reply, I think you are confused by the logout URL?
You can refer to the config of the APISIX OpenID-Connect Plugin. There is a logout_path in the config.
Refer: https://apisix.apache.org/docs/apisix/plugins/openid-connect#attributes
[GitHub] [apisix] moonming commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a private Certification Authority
Posted by GitBox <gi...@apache.org>.
moonming commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042630410
Thanks for your detailed report. @starsz, do you have time to dig into this?
[GitHub] [apisix] starsz commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a private Certification Authority
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1046274160
> Setting logout_path to "https://www.m01.net/headers" I receive a 404 error and the user session is still active
Hi @MirtoBusico. I tested it on my local env. It looks good.
Can you try to test it again or provide the steps to reproduce it? (Now the question is whether the logout path works?)
[GitHub] [apisix] starsz commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a private Certification Authority
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1044276279
> Setting logout_path to "https://www.m01.net/headers" I receive a 404 error and the user session is still active
Oh. If so, I think it's a bug.
[GitHub] [apisix] starsz removed a comment on issue #6345: bug: apisix openid plugin gives a 500 error when using a private Certification Authority
Posted by GitBox <gi...@apache.org>.
starsz removed a comment on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042639046
Hi @MirtoBusico.
I think there are a few things you can try.
First:
> try to access "https://www.m01.net/" and receive a "500 Internal Server Error"
> Looking at the apisix log you see:
Can you try another URL like `https://www.m01.net/v1/xxx`?
[GitHub] [apisix] MirtoBusico commented on issue #6345: bug: apisix openid plugin - how the logout path does work ?
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1046303035
Well, with the new framework I'm not able to complete the login redirect.
I created two routes:
- a simple route for `https://www.m01.net` without any plugin
- a route for `https://www.m01.net/user/*` with proxy-rewrite and openid-connect plugins
All routes use an httpbin service as upstream
The first route definition is
```
{
  "uri": "/",
  "name": "m01-www-home",
  "desc": "home page for entire application",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "www.m01.net",
  "plugins": {
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "394941006623015714",
  "status": 1
}
```
The second route definition is
```
{
  "uri": "/user/*",
  "name": "m01-www-user",
  "desc": "services for users - access with authentication and role=user",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "www.m01.net",
  "plugins": {
    "openid-connect": {
      "access_token_in_authorization_header": true,
      "bearer_only": false,
      "client_id": "apisix",
      "client_secret": "CFejdjaiPNgGXMQub467j10OzcuK43tB",
      "disable": false,
      "discovery": "https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
      "introspection_endpoint_auth_method": "client_secret_post",
      "logout_path": "/logout",
      "realm": "apisix_test_realm",
      "redirect_uri": "https://www.m01.net/*",
      "scope": "openid profile"
    },
    "proxy-rewrite": {
      "regex_uri": [
        "^/user/(.*)",
        "/$1"
      ]
    },
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "394941006623015714",
  "status": 1
}
```
The first route works (the httpbin home page is partially shown - other parts of the page that have a path different from "/" are not served by the route)
The second route works without the openid-connect plugin and the URL "https://www.m01.net/user/headers" correctly shows the httpbin headers page
Adding to the second route this openid-connect definition
```
{
  "client_id":"apisix",
  "client_secret":"CFejdjaiPNgGXMQub467j10OzcuK43tB",
  "discovery":"https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
  "scope":"openid profile",
  "bearer_only":false,
  "realm":"apisix_test_realm",
  "introspection_endpoint_auth_method":"client_secret_post",
  "redirect_uri":"https://www.m01.net/*",
  "access_token_in_authorization_header":true,
  "logout_path":"/logout"
}
```
Now trying to access the URL "https://www.m01.net/user/headers" shows the keycloak login page, executes the login, but I receive an error
```
{"error_msg":"404 Route Not Found"}
```
at this redirected URL
```
https://www.m01.net/*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae
```
In the apisix log I see
```
2022-02-20T19:09:37.263Z | 2022/02/20 19:09:37 [alert] 47#47: *1726843 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt) while processing HTTP/2 connection, client: 127.0.0.6, server: 0.0.0.0:9443
2022-02-20T19:09:40.260Z | 127.0.0.6 - - [20/Feb/2022:19:09:37 +0000] www.m01.net "GET /user/headers HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:09:44.430Z | 127.0.0.6 - - [20/Feb/2022:19:09:41 +0000] www.m01.net "GET /*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae HTTP/2.0" 404 36 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:09:44.430Z | 127.0.0.6 - - [20/Feb/2022:19:09:41 +0000] www.m01.net "GET /favicon.ico HTTP/2.0" 404 36 0.000 "https://www.m01.net/*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
```
Maybe there is a conflict with the proxy-rewrite plugin
Now I'll try to find an echo program to replace httpbin so as to avoid the rewrite rules
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] MirtoBusico commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a pivate Certification Authority
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042672701
Well,
if I try
```
https://www.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/token/introspect
```
the login screen appears, I can login and then I receive a 404 error
```
Not Found
The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
```
But now the user is authenticated and if I try
```
https://www.m01.net/image/png
```
it works correctly
It seems I don't understand how to use this plugin as explained here
```
https://apisix.apache.org/docs/apisix/plugins/openid-connect
```
What I'm trying to do is
- if a user goes to "https://www.m01.net/*" and is not authenticated, the user has to be redirected to the keycloak login page and then redirected to the application home page
- if the user goes to "https://www.m01.net/user/*" and is authenticated, page access is permitted if the user has "role=user"
- if the user goes to "https://www.m01.net/editor/*" and is authenticated, page access is permitted if the user has "role=editor"
- a "logout" url exists
I don't know how to do this
[GitHub] [apisix] MirtoBusico commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a pivate Certification Authority
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042984115
Seems I don't understand the documentation
Setting logout_path to "https://www.m01.net/headers" I receive a 404 error and the user session is still active
Setting the logout_path to "/logout" (that should be the default) I'm redirected to
```
https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZQzh1bVRwQ2ZCRkxQSHpFNmh4dTZUM3QybnBQLUpOSG9hX2JYbnRIczZBIn0.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.B9EQYmBeMS0StnHjBlVPNkDd
3XOkMO9UP2bzZ7RM-dGtT3JH14jW9NMYOnK2zeEzWzyJ736ZRjVS3CnYW0TUucXfpSD7N9f6ynne3-zywskTQ-L7Z8IwcVA06sEYz5vnfIhpT_JGWhHImcxX6DIqs9yE016xWCF3oB-OfXkp-HXaY7kVi4J24x9xpKj0a6LzoWR14dRDgmYHL0PK_6foAWbZFbdSwQsTdugGA9i4-ntVdyw_PTz-NgQDjN8Zinmdtsn3a1TAl-Jzi5a5RV6eUiFQI3nX0iiabhH1P3F2QwiDunZngOGMB5rwvy4IXfjtG0_41RFcNZpJcW7mkoMu3A
```
and the user is logged out
[GitHub] [apisix] MirtoBusico edited a comment on issue #6345: bug: apisix openid plugin - how the logout path does work ?
Posted by GitBox <gi...@apache.org>.
MirtoBusico edited a comment on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1046308685
Hi @starsz, another try and the first results: wrong redirect on logout (so it seems that there is a proxy-rewrite conflict)
I created two routes:
- a simple route for **https://www.m01.net** without any plugin
- a route for **https://www.m01.net/*** with proxy-rewrite and openid-connect plugins
All routes use an httpbin service as upstream
The first route definition is
```
{
"uri": "/",
"name": "m01-www-home",
"desc": "home page for entire application",
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE"
],
"host": "www.m01.net",
"plugins": {
"redirect": {
"http_to_https": true
}
},
"upstream_id": "394941006623015714",
"status": 1
}
```
The second route definition is
```
{
"uri": "/*",
"name": "m01-www-user",
"desc": "services for users - access with authentication and role=user",
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE"
],
"host": "www.m01.net",
"plugins": {
"openid-connect": {
"access_token_in_authorization_header": true,
"bearer_only": false,
"client_id": "apisix",
"client_secret": "CFejdjaiPNgGXMQub467j10OzcuK43tB",
"disable": false,
"discovery": "https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
"introspection_endpoint_auth_method": "client_secret_post",
"logout_path": "/logout",
"realm": "apisix_test_realm",
"redirect_uri": "https://www.m01.net/*",
"scope": "openid profile"
},
"redirect": {
"http_to_https": true
}
},
"upstream_id": "394941006623015714",
"status": 1
}
```
Now
- "https://www.m01.net/" shows the (complete) httpbin home page
- "https://www.m01.net/headers" shows the keycloak login page and then the httpbin headers page
- "https://www.m01.net/logout" executes the logout but is redirected to this url
```
https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZQzh1bVRwQ2ZCRkxQSHpFNmh4dTZUM3QybnBQLUpOSG9hX2JYbnRIczZBIn0.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.N2iDI-T_dbfRXvAx9y9iyqQD
6IWOo2m9ADfUjvVqbhJkRK31054mhQVphzcXa3hnXd8jcKOP5iLtCMP0hGrHZ0_LftH_Czag9zsSqgNPMAoBDMvBYsjb8Yv-xoRBqYx6vmQVPzMEc3CV15sFYrAFHGPrW-rOq0H_sfTYSnrDN6bmaTzV4ZEdgktgGwUKw0pGQObVEN4IZVL4tphOh0o5Rc2icIZAwgbnnToAd_hs7MOgntF-u_vDsPINNjhMIkuG2TW4G3SilAvg1b3xGOa_B4isNZNKiNX4fyCw4TGCOfAmvdd0wpJzq3IsDw1yD-dTSdOg5gPoFqZqpu-EnG7fLg
```
In the apisix log I see
```
2022-02-20T19:42:06.215Z | 127.0.0.6 - - [20/Feb/2022:19:42:05 +0000] www.m01.net "GET /headers HTTP/2.0" 200 9355 0.003 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-20T19:42:23.016Z | 127.0.0.6 - - [20/Feb/2022:19:42:20 +0000] www.m01.net "GET /logout HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:50:30.419Z | 127.0.0.6 - - [20/Feb/2022:19:50:27 +0000] www.m01.net "GET /headers HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:50:34.133Z | 127.0.0.6 - - [20/Feb/2022:19:50:31 +0000] www.m01.net "GET /*?state=a1bdba4c994e54f5f12f787e3babc849&session_state=4d9e0e6e-d35c-4936-88bf-893cd464b92d&code=97503336-93e4-4793-9a68-0142f9af31ee.4d9e0e6e-d35c-4936-88bf-893cd464b92d.43a0343a-7fb2-471c-b6c8-6f361a8a5bae HTTP/2.0" 302 142 0.014 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:50:34.133Z | 127.0.0.6 - - [20/Feb/2022:19:50:31 +0000] www.m01.net "GET /headers HTTP/2.0" 200 9320 0.005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-20T19:50:50.053Z | 127.0.0.6 - - [20/Feb/2022:19:50:47 +0000] www.m01.net "GET /logout HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
```
Maybe it is a keycloak installation or version problem?
I'm using keycloak on a virtual machine separated from the kubernetes cluster
The keycloak version is 16.1.1
I use an apache2 as reverse proxy for https termination
What is your test configuration?
[GitHub] [apisix] MirtoBusico commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a pivate Certification Authority
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042681492
**UPDATE**
I tried this access sequence with these results:
1) "https://www.m01.net" --> 500 internal server error
2) "https://www.m01.net/login" --> 404 not found error; but the login screen appears and the user is logged in
3) "https://www.m01.net/image/png" --> the image appears correctly
4) "https://www.m01.net/logout" --> I'm redirected to "https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout" but the user is correctly logged out
[GitHub] [apisix] MirtoBusico commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a pivate Certification Authority
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1046290924
Yes, I'm trying to set up a different logout route that doesn't use the openid connect.
I changed the bug title
[GitHub] [apisix] starsz commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a pivate Certification Authority
Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042643994
Hi, @MirtoBusico. Thanks for your detailed report.
> try to access "https://www.m01.net/" and receive a "500 Internal Server Error"
Looking at the apisix log you see:
Can you have a try for another URL like https://www.m01.net/v1/xxx ?
Because you had configured the `redirect_uri` in the openid-connect plugin. This URL means that when you log in to keycloak, keycloak will redirect to the URL with the `code` and `state` parameters. But you request the URL directly without the `code` and `state` parameters, so it reports the 500 error.
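As an added illustration (not APISIX code and not from the thread), the Python model below reproduces the outcomes visible in the access logs above: `redirect_uri` is a literal URL, so Keycloak sends the browser back to the literal path `/*`, which a route with uri `/user/*` cannot match (the 404) but a route with uri `/*` can (the 302 then 200), and a visit to the callback path that carries no `code` and `state` is rejected, as starsz explains. The prefix-wildcard route matcher, the in-memory session dict and the status strings are simplifying assumptions of this example.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed from the thread: APISIX route "uri" values and the plugin's
# redirect_uri. Simplified model of the gateway, not APISIX's own logic.


def route_matches(route_uri: str, path: str) -> bool:
    """APISIX-style route uri: a trailing '*' is a prefix wildcard, anything
    else must match the path exactly (assumption: simplified matcher)."""
    if route_uri.endswith("*"):
        return path.startswith(route_uri[:-1])
    return path == route_uri


def new_session() -> dict:
    """Per-browser session as the relying party would keep it in its cookie."""
    return {"authenticated": False, "state": None}


def handle(url: str, redirect_uri: str, routes: list, session: dict) -> str:
    """Outcome of one browser request through the openid-connect route.

    The '*' in redirect_uri is not a pattern: it is sent to Keycloak as-is,
    so the callback arrives on the literal path '/*'. A request to that path
    without code+state is a direct visit, not a callback, and fails.
    """
    parts = urlsplit(url)
    path, query = parts.path, parse_qs(parts.query)

    if not any(route_matches(r, path) for r in routes):
        return "404 Route Not Found"

    if path == urlsplit(redirect_uri).path:
        code = query.get("code", [None])[0]
        state = query.get("state", [None])[0]
        if code is None or state is None:
            # Nothing to exchange for tokens: the redirect_uri was opened
            # directly instead of being reached from the Keycloak login.
            return "500 redirect_uri requested without code/state"
        if state != session.get("state"):
            # state binds the callback to the login this session started;
            # an unknown value must be refused (CSRF / mix-up protection).
            return "400 state mismatch"
        session["authenticated"] = True
        session["state"] = None
        return "302 callback accepted, redirecting to original URL"

    if not session["authenticated"]:
        # Start the login: remember the state we expect back on the callback.
        session["state"] = secrets.token_hex(16)
        return "302 redirect to Keycloak login"

    return "200 proxied to upstream"
```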
[GitHub] [apisix] MirtoBusico commented on issue #6345: bug: apisix openid plugin gives a 500 error when using a pivate Certification Authority
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1042709894
**UPDATE2**
I changed the redirect uri to "https://www.m01.net/*" adding a "*"
So the plugin definition now is:
```
{
"client_id":"apisix",
"client_secret":"CFejdjaiPNgGXMQub467j10OzcuK43tB",
"discovery":"https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
"scope":"openid profile",
"bearer_only":false,
"realm":"apisix_test_realm",
"introspection_endpoint_auth_method":"client_secret_post",
"redirect_uri":"https://www.m01.net/*"
}
```
Now the access sequence and results are:
- "https://www.m01.net/" --> the login screen appears; I can do the login; the httpbin home page appears
- "https://www.m01.net/image/png" --> the image appears correctly
- "https://www.m01.net/logout" --> I'm redirected to
```
"https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZQzh1bVRwQ2ZCRkxQSHpFNmh4dTZUM3QybnBQLUpOSG9hX2JYbnRIczZBIn0.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.Kr3XQt2v-rXIpe-GXSWF-Q1
1oBjt50m1guC6NmHEPz2f8TMC2uB2reHI4kyNsbqoqnv4N_egcrRchYoJQIH1ooRtb_ccRWk7Hm324GKt__0LrvoYhAdzjLVMMNNgzsgBPvUrWW2TpDoejuvLFuh56fOrJDkF98roWErWnWmMWqlCO0dpcGUNLRq8Get32b2aJhfbz4lMY8bRCHM2UfOsmnZe-Tozj5iPQiKCuDKuD99Ng4hrjldmHoDxe3owEHxMs3eJAKqtwc8D58hMI8Rx0PUkh0oGEgW9h79xe8UkyIHOxG4LxRuvs1hM3Zy2guRS_wV8FLNV8k4XKLX2LjUqbQ"
```
but the user is correctly logged out
I don't know how to correctly redirect the logout page
[GitHub] [apisix] MirtoBusico edited a comment on issue #6345: bug: apisix openid plugin - how the logout path does work ?
Posted by GitBox <gi...@apache.org>.
MirtoBusico edited a comment on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1050813681
Thanks
[GitHub] [apisix] spacewander closed issue #6345: bug: apisix openid plugin - how the logout path does work ?
Posted by GitBox <gi...@apache.org>.
spacewander closed issue #6345:
URL: https://github.com/apache/apisix/issues/6345