Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/02 17:33:03 UTC
[GitHub] [apisix] MirtoBusico opened a new issue, #8452: help request: how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
MirtoBusico opened a new issue, #8452:
URL: https://github.com/apache/apisix/issues/8452
### Description
Hi all,
I'm trying to set up a route for apisix dashboard using openid-connect for authentication, but I receive an error after the keycloak login.
I'm trying to follow [this article](https://www.keycloak.org/2021/12/apisix) but the screen and fields are different from the last apisix and keycloak versions.
When I try to access the apisix dashboard with this URL "https://apisix.h.net" (my home lab internal address) without enabling the openid-connect plugin everything works correctly.
If I enable the openid-connect plugin first I'm redirected to the keycloak login page (the login is correct and I can see the session in keycloak) then I receive the error page saying "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
The page URL is
```
https://apisix.h.net/*?state=663136eda8578d0c00fff11919cd886f&session_state=938a3031-66ad-4a96-bbc0-7b84c98b7f41&code=cc5e7778-a5ad-45e6-9e19-9489f4af5965.938a3031-66ad-4a96-bbc0-7b84c98b7f41.755e9ac7-b5a6-46d4-9660-fc6aa23d3756
```
The route definition:
```
{
  "uri": "/*",
  "name": "apisix-dashboard",
  "desc": "apisix.h.net primary route",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "apisix.h.net",
  "plugins": {
    "openid-connect": {
      "access_token_in_authorization_header": true,
      "bearer_only": false,
      "client_id": "apisix",
      "client_secret": "ICLrl8NnZxJg8fj0bGrnC0nJxvhFM9fB",
      "disable": false,
      "discovery": "https://k6k.h.net/realms/apisix_realm/.well-known/openid-configuration",
      "introspection_endpoint_auth_method": "client_secret_post",
      "logout_path": "/logout",
      "realm": "apisix_realm",
      "redirect_uri": "https://apisix.h.net/*",
      "scope": "openid profile"
    },
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "436822533732303574",
  "status": 1
}
```
The upstream (apisix gateway is of type loadbalancer) is:
```
{
  "timeout": {
    "connect": 6,
    "send": 6,
    "read": 6
  },
  "type": "roundrobin",
  "scheme": "http",
  "discovery_type": "dns",
  "pass_host": "pass",
  "name": "apisix-dashboard",
  "service_name": "apisix-dashboard.apisix.svc.cluster.local:80",
  "keepalive_pool": {
    "idle_timeout": 60,
    "requests": 1000,
    "size": 320
  }
}
```
What am I doing wrong?
### Environment
- APISIX version (run `apisix version`):
```
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# apisix version
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua version
2.15.1
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix#
```
- Operating system (run `uname -a`):
```
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# uname -a
Linux apisix-64fffcfb4c-55vhw 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64 GNU/Linux
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix#
```
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant: 2.13.0
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] tzssangglass commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1338672249
maybe fixed by: #8068
[GitHub] [apisix] tzssangglass commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1338673403
hope this: https://github.com/apache/apisix/issues/6792#issuecomment-1126999266 would work for you
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1340530015
Hi @tzssangglass at the times of #6345 I was able to use openid-connect; but I had problems with the "/logout" url.
Now the openid-connect doesn't work and I never see the application pages.
Differences in the two cases:
- apisix version 2.12.0 instead of 2.15.1
- keycloak version 16.1.1 instead of 20.0.1
- the application was httpbin now is apisix-dashboard
- apisix was installed adding the private certification authority certificate
```
existingCASecret: "m01cacert"
certCAFilename: "cert"
```
Do I have to try to reproduce the same configuration?
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1366488814
> Hi @tzssangglass I discovered that the apisix pod cannot communicate with the keycloak server because I'm using a private CA.
>
> ```
> root@apisix-54cdc68f89-wtl8w:/usr/local/apisix# wget https://k6k.h.net
> --2022-12-25 10:07:55-- https://k6k.h.net/
> Resolving k6k.h.net (k6k.h.net)... 192.168.100.20
> Connecting to k6k.h.net (k6k.h.net)|192.168.100.20|:443... connected.
> ERROR: The certificate of 'k6k.h.net' is not trusted.
> ERROR: The certificate of 'k6k.h.net' doesn't have a known issuer.
> root@apisix-54cdc68f89-wtl8w:/usr/local/apisix#
> ```
>
> In the past I solved this issue by adding the CA certificate in the helm chart.
>
> I'll redo the test after adding the CA certificate and will post the results in this thread
Hi @tzssangglass seems that my problem is not related to the CA so I'm trying to use the workaround in https://github.com/apache/apisix/pull/8068#issuecomment-1355215821
If unsuccessful I'll wait for the new release
[GitHub] [apisix] juzhiyuan commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
juzhiyuan commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1368341233
Hi @MirtoBusico, glad to know that your question has been resolved!
If possible,
1. You can summarize the process of configuring keycloak with APISIX in this scenario as a blog.
2. Publish the blog on APISIX's website.
The community needs such practice content to help user onboarding with APISIX.
If you have interest, please cc me to let me know :)
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1339035421
Thanks.
I subscribed to #8068 and will wait for the release.
For now I don't use authentication
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1367968954
Hi @tzssangglass the workaround in https://github.com/apache/apisix/pull/8068#issuecomment-1355215821 worked for me
After modifying the values.yaml file as in the workaround I'm able to work with apisix dashboard using these openid-connect plugin settings
```
{
  "client_id": "hcadmins",
  "client_secret": "MoqLUhwgsEDi36II0KuJldKq4YGLHxl3",
  "discovery": "https://k6k.h.net/realms/hcluster_admins/.well-known/openid-configuration",
  "scope": "openid profile",
  "bearer_only": false,
  "realm": "hcluster_admins",
  "introspection_endpoint_auth_method": "client_secret_post",
  "redirect_uri": "https://apisix.h.net/*",
  "access_token_in_authorization_header": true
}
```
I think this issue can be closed
[GitHub] [apisix] tzssangglass commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1336766623
any error logs about this in `logs/error.log`?
[GitHub] [apisix] tzssangglass commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1337138440
> 2022/12/05 08:19:27 [alert] 49#49: *48972 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
How did you add the SSL object to APISIX whose sni is `apisix.h.net`?
It looks like APISIX found an SSL resource with the sni of `apisix.h.net` based on the `apisix.h.net` host of request, but it failed to load the cert or key, perhaps due to a formatting issue, or perhaps a problem with the cert itself.
[GitHub] [apisix] alekskar commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
alekskar commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1340696167
@tzssangglass Hi! Basically I have the error when trying to access resource. Let me explain what I'm trying to achieve.
We would like to use Apisix facilities to provide auth with openid-connect for kubernetes-dashboard web-ui.
Currently we use oauth2-proxy and point apisixRoute to it. Where all magic happens on the proxy side.
Apisix is 2.15
```
---
apiVersion: apisix.apache.org/v2beta3
kind: ApisixRoute
metadata:
  labels:
  name: k8s-dash-oauth2
spec:
  http:
  - backends:
    - serviceName: oauth2-proxy
      servicePort: 4180
    match:
      hosts:
      - dashb.platform.company.com
      paths:
      - /*
    name: dashb-oauth
```
where oauth2-proxy container has oidc provider configuration which is 99% relevant to this plugin
```
- args:
  - --provider=oidc
  - --upstream=https://k8s-dash.k8s-dash.svc.cluster.local
  - --pass-authorization-header=true
  - --set-authorization-header=true
  - --client-secret=SomeSecret
  - --client-id=kubernetes-test
  - --oidc-issuer-url=https://keycloak.platform.company.com/auth/realms/main
  - *NON_OIDC_OMMITED
```
So when I migrated configuration to apisix plugin side I've added the following resources:
```
---
apiVersion: apisix.apache.org/v2beta3
kind: ApisixUpstream
metadata:
  name: k8s-dash
spec:
  scheme: https
```
and Route to:
```
spec:
  http:
  - backends:
    - serviceName: k8s-dash
      servicePort: 443
    match:
      hosts:
      - dashb.platform.company.com
      paths:
      - /*
    name: dash
    plugins:
    - name: "openid-connect"
      config:
        access_token_in_authorization_header: true
        client_id: "kubernetes-test"
        client_secret: "someSecret"
        discovery: "https://keycloak.platform.company.com/auth/realms/main/.well-known/openid-configuration"
        scope: "openid profile groups"
        introspection_endpoint_auth_method: "client_secret_post"
        bearer_only: false
        redirect_uri: "https://dashb.platform.company.com/*"
        realm: main
      enable: true
```
after successful sso I see 500 error **["An error occurred. You can report issue to APISIX Faithfully yours, APISIX."]**
where in logs there are 2 messages regarding session and state.
```
openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found
plugin.lua:901: run_plugin(): openid-connect exits with http status code 500
```
Am I missing something? Based on example in documentation it should work like a charm). Thanks in advance!
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1336950429
Not sure which log I have to look at.
Using the Kubernetes dashboard, the last lines of apisix pods are
For apisix-dashboard pod
```
2022-12-05T08:19:48.453Z filter/logging.go:45 /ping {"status": 200, "host": "10.42.2.191:9000", "query": "", "requestId": "39633564-4ccb-4ded-8709-675ad8ab7277", "latency": 0, "remoteIP": "127.0.0.6", "method": "GET", "errs": []}
2022-12-05T08:19:57.252Z filter/logging.go:45 /ping {"status": 200, "host": "10.42.2.191:9000", "query": "", "requestId": "18464495-fb71-4bb1-89dc-03b6374e92e2", "latency": 0, "remoteIP": "127.0.0.6", "method": "GET", "errs": []}
2022-12-05T08:19:58.452Z filter/logging.go:45 /ping {"status": 200, "host": "10.42.2.191:9000", "query": "", "requestId": "c902793d-c008-494c-a93d-6bb648332bb8", "latency": 0, "remoteIP": "127.0.0.6", "method": "GET", "errs": []}
```
for apisix pod
```
2022/12/05 08:19:27 [warn] 49#49: *48972 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [alert] 49#49: *48972 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [alert] 47#47: *48973 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /favicon.ico HTTP/1.0", host: "apisix.h.net", referrer: "https://apisix.h.net/*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756"
2022/12/05 08:19:27 [error] 48#48: *48980 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [error] 48#48: *48980 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [warn] 48#48: *48980 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [alert] 48#48: *48980 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /favicon.ico HTTP/1.0" 302 217 0.000 "https://apisix.h.net/*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"
```
For apisix-ingress-controller pod
```
2022-12-05T16:24:27+08:00 info gin@v1.8.1/context.go:173 path: /healthz, status: 200, method: GET, query: , ip: 127.0.0.6, user-agent: kube-probe/1.24, errors: , cost: 26.839µs
2022-12-05T16:24:36+08:00 info gin@v1.8.1/context.go:173 path: /healthz, status: 200, method: GET, query: , ip: 127.0.0.6, user-agent: kube-probe/1.24, errors: , cost: 32.611µs
2022-12-05T16:24:37+08:00 info gin@v1.8.1/context.go:173 path: /healthz, status: 200, method: GET, query: , ip: 127.0.0.6, user-agent: kube-probe/1.24, errors: , cost: 33.589µs
Logs from Dec 5, 2022 to Dec 5, 2022 UTC
```
BTW is it correct to have the state in the URL instead of in the authorization header?
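A way to pull the failing requests out of an `error.log` like the one pasted above, as an added example (not part of the thread and not APISIX code): it groups lines by nginx connection id, keeps the requests that `openid-connect` ended with an error status, and attaches the `openidc.lua` message plus the `state`/`session_state` from the callback URL. The sample log is constructed in the shape of the quoted lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample, shaped like the error.log lines quoted in the thread
# (host, connection ids and query values are made up).
SAMPLE_LOG = '''\
2022/12/05 08:19:27 [warn] 49#49: *101 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=aaaa1111&session_state=sess-1&code=code-1 HTTP/1.0", host: "gw.example.test"
2022/12/05 08:19:27 [alert] 49#49: *101 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=aaaa1111&session_state=sess-1&code=code-1 HTTP/1.0", host: "gw.example.test"
2022/12/05 08:19:27 [error] 48#48: *102 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=bbbb2222&session_state=sess-1&code=code-2 HTTP/1.0", host: "gw.example.test"
2022/12/05 08:19:27 [error] 48#48: *102 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=bbbb2222&session_state=sess-1&code=code-2 HTTP/1.0", host: "gw.example.test"
2022/12/05 08:19:27 [warn] 48#48: *102 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=bbbb2222&session_state=sess-1&code=code-2 HTTP/1.0", host: "gw.example.test"
2022/12/05 08:19:31 [warn] 48#48: *103 [lua] plugin.lua:934: run_plugin(): limit-count exits with http status code 503, client: 127.0.0.6, server: _, request: "GET /api HTTP/1.0", host: "gw.example.test"
'''

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: \*(?P<conn>\d+) (?P<rest>.*)$')
LUA_RE = re.compile(r'^\[lua\] (?P<file>[\w.-]+):\d+: \w+\(\): (?P<msg>.*)$')
EXIT_RE = re.compile(r'^(?P<plugin>[\w-]+) exits with http status code (?P<code>\d+)$')
REQ_RE = re.compile(r'request: "[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')


def parse_line(line):
    """Split one nginx error.log line into level, connection id, message, query."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m['rest']
    # nginx appends ", client: ..., request: ..." context after the message.
    msg = rest.split(', client: ', 1)[0]
    ev = {'level': m['level'], 'conn': int(m['conn']),
          'file': None, 'msg': msg, 'query': {}}
    lua = LUA_RE.match(msg)
    if lua:
        ev['file'], ev['msg'] = lua['file'], lua['msg']
    req = REQ_RE.search(rest)
    if req:
        query = parse_qs(urlsplit(req['uri']).query)
        ev['query'] = {k: v[0] for k, v in query.items()}
    return ev


def triage(log_text, plugin='openid-connect'):
    """Return one finding per connection that `plugin` ended with an exit status."""
    by_conn = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_conn[ev['conn']].append(ev)
    findings = []
    for conn, events in sorted(by_conn.items()):
        exits = [EXIT_RE.match(e['msg']) for e in events]
        codes = [int(x['code']) for x in exits if x and x['plugin'] == plugin]
        if not codes:
            continue  # the plugin did not terminate this request
        # Prefer the library's own message (openidc.lua) over the plugin wrapper.
        errors = [e for e in events if e['level'] == 'error' and e['file']]
        errors.sort(key=lambda e: e['file'] != 'openidc.lua')
        query = next((e['query'] for e in events if e['query']), {})
        findings.append({
            'conn': conn,
            'status': codes[0],
            # None means the excerpt holds no [error] line for this connection.
            'cause': errors[0]['msg'] if errors else None,
            'state': query.get('state'),
            'session_state': query.get('session_state'),
            'tls_alerts': sum('global SSL error' in e['msg']
                              for e in events if e['level'] == 'alert'),
        })
    return findings


def states_per_session(findings):
    """Distinct `state` values seen for each IdP `session_state`."""
    out = defaultdict(set)
    for f in findings:
        if f['session_state'] and f['state']:
            out[f['session_state']].add(f['state'])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == '__main__':
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(states_per_session(results))
```

More than one `state` under the same `session_state` means the callback URL was requested more than once within a single identity-provider session, which is also visible in the log excerpt above.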
[GitHub] [apisix] tzssangglass commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1340316656
> The configuration is pretty similar to the topic starter's; what I've tried is to change "redirect_uri" from `/` to `/*` and to `/callback` and so on. Not sure how to make it work in a real environment.
same as: #6345?
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1342347669
Thanks. I'll wait for the next version.
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1364657766
Hi @tzssangglass I discovered that the apisix pod cannot communicate with the keycloak server because I'm using a private CA.
```
root@apisix-54cdc68f89-wtl8w:/usr/local/apisix# wget https://k6k.h.net
--2022-12-25 10:07:55-- https://k6k.h.net/
Resolving k6k.h.net (k6k.h.net)... 192.168.100.20
Connecting to k6k.h.net (k6k.h.net)|192.168.100.20|:443... connected.
ERROR: The certificate of 'k6k.h.net' is not trusted.
ERROR: The certificate of 'k6k.h.net' doesn't have a known issuer.
root@apisix-54cdc68f89-wtl8w:/usr/local/apisix#
```
In the past I solved this issue by adding the CA certificate in the helm chart.
I'll redo the test after adding the CA certificate and will post the results in this thread
[GitHub] [apisix] juzhiyuan closed issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
juzhiyuan closed issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
URL: https://github.com/apache/apisix/issues/8452
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1337608561
Well,
to create the sni I used the Apisix dashboard
![sni](https://user-images.githubusercontent.com/11090934/205679466-6126a8ef-2e47-4f91-b122-6d2290942b4e.png)
and used the upload method
the two files are (added .txt extension to be able to upload)
[apisix.crt.txt](https://github.com/apache/apisix/files/10155554/apisix.crt.txt)
[apisix.key.txt](https://github.com/apache/apisix/files/10155555/apisix.key.txt)
These files are signed by a private certification authority whose key and pem are
[hservca.pem.txt](https://github.com/apache/apisix/files/10155579/hservca.pem.txt)
[hservca.key.txt](https://github.com/apache/apisix/files/10155580/hservca.key.txt)
I have also another route (without openid-connect) "www.h.net" that works correctly and when I access this route I see in the apisix logs
```
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.066 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.065 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET /static/bootstrap/js/bootstrap.min.js HTTP/1.0" 304 0 0.039 "https://www.h.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 304 0.039 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET /static/bootstrap/css/bootstrap.min.css HTTP/1.0" 304 0 0.040 "https://www.h.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 304 0.039 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET /static/jquery.min.js HTTP/1.0" 304 0 0.038 "https://www.h.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 304 0.038 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET /static/bootstrap/css/bootstrap-theme.min.css HTTP/1.0" 304 0 0.041 "https://www.h.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 304 0.039 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:26 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.021 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.021 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:27 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.005 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.005 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:27 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.004 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.003 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:27 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.003 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.003 "http://www.h.net"
```
without errors
Also deleting the openid-connect plugin the "apisix.h.net" route works correctly and in apisix pod log I see
```
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /apisix/admin/labels/route HTTP/1.0" 401 70 0.036 "https://apisix.h.net/routes/list" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 401 0.034 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /p__User__Logout.0055155e.async.js HTTP/1.0" 200 2985 0.031 "https://apisix.h.net/user/logout?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.031 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /user/login?redirect=%2Froutes%2Flist HTTP/1.0" 200 2100 0.011 "https://apisix.h.net/user/logout?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.010 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:43 +0000] apisix.h.net "POST /apisix/admin/user/login HTTP/1.0" 200 237 0.003 "https://apisix.h.net/user/login?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.002 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /p__User__Login.b2bf8b62.async.js HTTP/1.0" 200 4425 0.005 "https://apisix.h.net/user/login?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.004 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /p__User__Login.93c6ad4d.chunk.css HTTP/1.0" 200 685 0.013 "https://apisix.h.net/user/login?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.012 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:44 +0000] apisix.h.net "GET /apisix/admin/labels/route HTTP/1.0" 200 122 0.006 "https://apisix.h.net/routes/list" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.004 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:44 +0000] apisix.h.net "GET /apisix/admin/routes?label=&page=1&page_size=10 HTTP/1.0" 200 410 0.002 "https://apisix.h.net/routes/list" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.001 "http://apisix.h.net"
```
What can I try?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] alekskar commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
alekskar commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1339045864
We have a similar issue when we tried to configure login for kubernetes-dashboard. I've also tested it for a simple nginx deployment.
The configuration is pretty similar to the topic starter's. What I've tried is to change "redirect_uri" from `/` to `/*` and to `/callback` and so on. Not sure how to make it work in a real environment.
```
{
"uris": [
"/*",
"/"
],
"name": "nginx_k8s-nginx_nginx",
"desc": "Created by apisix-ingress-controller, DO NOT modify it manually",
"hosts": [
"nginx.test.mydomain.com"
],
"plugins": {
"openid-connect": {
"access_token_in_authorization_header": true,
"bearer_only": false,
"client_id": "kubernetes-test",
"client_secret": "someSecret",
"discovery": "https://keycloak.test.mydomain.com/auth/realms/main/.well-known/openid-configuration",
"introspection_endpoint_auth_method": "client_secret_post",
"logout_path": "/logout",
"realm": "main",
"redirect_uri": "https://nginx.test.mydomain.com/callback/",
"scope": "openid profile",
"set_access_token_header": true,
"set_id_token_header": true,
"set_refresh_token_header": false,
"set_userinfo_header": true,
"ssl_verify": false,
"timeout": 3,
"use_pkce": false
},
"redirect": {
"encode_uri": false,
"http_to_https": true,
"ret_code": 302
}
},
"upstream_id": "60f5e5f1",
"labels": {
"managed-by": "apisix-ingress-controller"
},
"status": 1
}
```
logs:
```
#10.0.4.87 - - [05/Dec/2022:18:53:06 +0000] nginx.test.mydomain "GET / HTTP/1.1" 302 142 0.000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" - - - "http://nginx.test.mydomain"
#10.0.28.134 - - [05/Dec/2022:18:53:07 +0000] nginx.test.mydomain.com "GET / HTTP/1.1" 302 142 0.000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" - - - "http://nginx.test.mydomain.com"
#2022/12/05 18:53:09 [error] 47#47: *325224574 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 10.0.17.247, server: _, request: "GET /*?state=74e36fe6dfe033cd861104023284c7de&session_state=a67459e3-a96b-4e28-b297-91f7333fcbae&code=7724236d-1d4f-4ff5-be93-6e8072061c22.a67459e3-a96b-4e28-b297-91f7333fcbae.2175bf1b-3d62-47a4-a8ed-70e77af1da8f HTTP/1.1", host: "nginx.test.mydomain.com"
#2022/12/05 18:53:09 [error] 47#47: *325224574 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 10.0.17.247, server: _, request: "GET /*?state=74e36fe6dfe033cd861104023284c7de&session_state=a67459e3-a96b-4e28-b297-91f7333fcbae&code=7724236d-1d4f-4ff5-be93-6e8072061c22.a67459e3-a96b-4e28-b297-91f7333fcbae.2175bf1b-3d62-47a4-a8ed-70e77af1da8f HTTP/1.1", host: "nginx.test.mydomain.com"
```
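A triage sketch for the error log quoted in the comment above, added here as an example and not part of the thread or of APISIX. It extracts `OIDC authentication failed` lines, keeps query parameter names while dropping their values (the `code` and `state` values should not be copied into tickets), and compares the callback path with a configured `redirect_uri`. The sample lines, the `nginx.test.example` host and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: error-log lines in the shape quoted above, values shortened.
SAMPLE_LOG = '''\
2022/12/05 18:53:09 [error] 47#47: *1 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 10.0.0.1, server: _, request: "GET /*?state=aaaa&session_state=bbbb&code=cccc HTTP/1.1", host: "nginx.test.example"
2022/12/05 18:53:09 [error] 47#47: *1 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 10.0.0.1, server: _, request: "GET /*?state=aaaa&session_state=bbbb&code=cccc HTTP/1.1", host: "nginx.test.example"
2022/12/05 18:53:10 [warn] 47#47: *2 unrelated line, client: 10.0.0.1, server: _, request: "GET / HTTP/1.1", host: "nginx.test.example"
'''

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] .*?'
    r'OIDC authentication failed: (?P<reason>.*?), client: (?P<client>[^,]+), '
    r'.*?request: "(?P<method>\S+) (?P<target>\S+) [^"]*", host: "(?P<host>[^"]+)"')

def oidc_failures(log_text):
    """Return one record per 'OIDC authentication failed' line, values redacted."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # the openidc.lua line repeats the same event; skip it
        url = urlsplit(m["target"])
        out.append({
            "ts": m["ts"], "host": m["host"], "reason": m["reason"],
            "path": url.path,
            # Parameter names only: code/state values are credentials in flight.
            "params": sorted(k for k, _ in parse_qsl(url.query)),
        })
    return out

def findings(failure, configured_redirect_uri):
    """Compare one failure record with the route's configured redirect_uri."""
    notes = []
    cfg = urlsplit(configured_redirect_uri)
    if failure["path"] != cfg.path:
        notes.append(f"callback hit {failure['path']!r} but config says {cfg.path!r}")
    if "*" in failure["path"]:
        notes.append("callback path contains a literal '*'")
    if failure["host"] != cfg.hostname:
        notes.append(f"callback host {failure['host']!r} != {cfg.hostname!r}")
    if "no session state found" in failure["reason"] and "code" in failure["params"]:
        notes.append("callback carries a code but the plugin found no session state")
    return notes
```

A path mismatch between the log and the stored route is a sign that the log was captured under a different `redirect_uri` than the configuration being inspected.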
[GitHub] [apisix] tzssangglass commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1341885439
> Can I modify the apisix helm chart to use a particular version/branch of Apisix setting in the "image" section a different tag?
You can try `apisix:dev`: https://hub.docker.com/r/apache/apisix/tags?page=1&name=dev
Or you can wait for the next version to be released and then verify it.
[GitHub] [apisix] tzssangglass commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1340994153
> Have I to try to reproduce the same configuration?
My mistake. `same as: https://github.com/apache/apisix/issues/6345?` is the reply for @alekskar's question.
@MirtoBusico It looks like the issue you raised at the beginning of this issue will be resolved by #8068, and if you can verify this, then you can close the issue.
@alekskar Please open a new issue to describe your problem. From your error logs, what you describe is not related to this issue.
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1341324379
Thanks @tzssangglass
If I understand correctly #8068 is merged in master branch
How can I say in which release it will be included?
How can I modify the apisix helm chart to use a particular version/branch of Apisix?
Again thanks for your time
[GitHub] [apisix] juzhiyuan commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
juzhiyuan commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1368905734
Hi @MirtoBusico, for your records, there is also a form about our Guest Blogger Program: https://apisix.apache.org/guest-blog-post. You can also have a look for a better understanding of this program. 😉
@EmilyKeer is in charge of this program, she will be glad to help you as well.
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1368930000
> Hi @MirtoBusico, for your records, there is also a form about our Guest Blogger Program: https://apisix.apache.org/guest-blog-post. You can also have a look for a better understanding of this program. 😉
>
> @EmilyKeer is in charge of this program, she will be glad to help you as well.
Hi @juzhiyuan and @EmilyKeer thanks for your time. Any help will be greatly appreciated.
I started the blog post at https://github.com/MirtoBusico/apisix-website/blob/master/blog/en/blog/2023/01/02/accessing_apisix-dashboard_from_everywhere_with_keycloak_authentication.md
And I'm using as model this post https://github.com/MirtoBusico/apisix-website/blob/master/blog/en/blog/2022/07/06/use-keycloak-with-api-gateway-to-secure-apis.md
The first help I need is how to manage tables: seems that the markup syntax is not accepted; but the article header is rendered as a table.
Any hint on managing tables?
Is it preferred to use mail on requesting help on this article?
[GitHub] [apisix] MirtoBusico commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
MirtoBusico commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1339055803
I'll try asap
Thanks
[GitHub] [apisix] juzhiyuan commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
Posted by GitBox <gi...@apache.org>.
juzhiyuan commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1369310220
> The first help I need is how to manage tables: seems that the markup syntax is not accepted; but the article header is rendered as a table.
Hi @MirtoBusico, do you mean the markdown meta is rendered as a table?
<img width="1263" alt="image" src="https://user-images.githubusercontent.com/2106987/210289412-5a0d05a1-2919-4d65-9cc8-e941cfcdf456.png">
It's expected behavior in GitHub :)
If you mean tables like this, then you can use this tool to generate a table: https://www.tablesgenerator.com/markdown_tables
<img width="457" alt="image" src="https://user-images.githubusercontent.com/2106987/210289464-88942ca3-1c79-4466-a728-afac4201adbd.png">
> Hi @MirtoBusico, for your records, there is also a form about our Guest Blogger Program: https://apisix.apache.org/guest-blog-post. You can also have a look for a better understanding of this program. 😉
> @EmilyKeer is in charge of this program, she will be glad to help you as well.
> Hi @juzhiyuan and @EmilyKeer thanks for your time. Any help will be greatly appreciated.
> I started the blog post at https://github.com/MirtoBusico/apisix-website/blob/master/blog/en/blog/2023/01/02/accessing_apisix-dashboard_from_everywhere_with_keycloak_authentication.md
> And I'm using as model this post https://github.com/MirtoBusico/apisix-website/blob/master/blog/en/blog/2022/07/06/use-keycloak-with-api-gateway-to-secure-apis.md
> The first help I need is how to manage tables: seems that the markup syntax is not accepted; but the article header is rendered as a table.
> Is it preferred to use mail on requesting help on this article?
Sure, no problem :) Just mail me.