Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/04/07 09:18:02 UTC

[GitHub] [apisix] starsz opened a new issue, #6803: feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config

starsz opened a new issue, #6803:
URL: https://github.com/apache/apisix/issues/6803

   ### Description
   
   Hi,
   When I use openid-connect plugins with the wrong `redirect_uri` in Apache APISIX.
   
   Like the following:
   
   ```
    "plugins":{
           "openid-connect":{
                 ... 
               "scope":"openid profile",
               "bearer_only":false,
               "introspection_endpoint_auth_method":"client_secret_post",
               "redirect_uri":"http://127.0.0.1:9080/"
                ...
           }
       },
   ```
   
   Then, when I request "127.0.0.1:9080/", I get a 500, and the error log is as follows:
   
   ```
   2022/04/07 17:13:50 [error] 31780#3492140: *1959 [lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:9080"
   2022/04/07 17:13:50 [error] 31780#3492140: *1959 [lua] openid-connect.lua:304: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:9080"
   ```
   
   
   
   
   I think it's not clear, and as a user, I don't know what happens. So I think we should improve the error log so that we can improve the experience of using openid-connect plugins.
   
   Associated: https://github.com/apache/apisix/issues/2426


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [I] feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config [apisix]

Posted by "kayx23 (via GitHub)" <gi...@apache.org>.
kayx23 commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1837598921

   cc @monkeyDluffy6017 @shreemaan-abhishek @luoluoyuyu to see if anyone would like to address this next, as we're currently putting efforts into the OIDC plugin and have some knowledge of `redirect_uri` behaviours.




[GitHub] [apisix] starsz commented on issue #6803: feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1092680260

   > What log do you suggest using?
   
   I think we can output "Why the error caused" and "How to avoid this error"?




[GitHub] [apisix] ro4i7 commented on issue #6803: feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config

Posted by "ro4i7 (via GitHub)" <gi...@apache.org>.
ro4i7 commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1465217700

   Hello @spacewander @starsz 
   
   If this issue is still open, please assign it to me, and please give feedback on the solution below.
   
   To customize the error message for the openid-connect plugin in Apache APISIX, we can modify the `openid-connect.lua` file. Specifically, we can update the `phase_func` function to include additional error information.
   
   Here's how we can modify the `phase_func` function to include the specific reason for the error and how to avoid it:
   ```
   local function phase_func(...)
     -- existing code
     local opts = ngx.ctx.opts
     local res, err = authenticate(opts)
   
     if err then
       ngx.log(ngx.ERR, "OIDC authentication failed: " .. err)
       ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. ngx.var.host .. '",error="' .. err .. '"'
       ngx.exit(ngx.HTTP_UNAUTHORIZED)
     end
   
     if not res then
       ngx.log(ngx.ERR, "OIDC authentication failed: request to the redirect_uri path but there's no session state found. Please ensure that the redirect_uri is configured correctly and that the session state is present in the request.")
       ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. ngx.var.host .. '",error="OIDC authentication failed: request to the redirect_uri path but there\'s no session state found. Please ensure that the redirect_uri is configured correctly and that the session state is present in the request."'
       ngx.exit(ngx.HTTP_UNAUTHORIZED)
     end
   
     -- existing code
   end
   ```
   In this example, I have added an additional `if` statement that checks if `res` is `nil`. If it is, we log an error message that includes the specific reason for the error and how to avoid it. We also set the `WWW-Authenticate` header to include the same error message.
   
   By updating the error message in this way, users of the openid-connect plugin will have a clearer understanding of why the error occurred and what steps they can take to fix it.
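
One way to build the "why it happened / how to avoid it" message the thread asks for, as an added example (not APISIX's or lua-resty-openidc's code). It assumes the misconfiguration shown in the issue, where the path of `redirect_uri` is a path that clients request directly; `url_path` and `explain_oidc_error` are hypothetical helper names, and the `/callback` suffix is only an illustrative suggestion.

```lua
-- Added example: plain Lua with no ngx dependency, so it runs under lua or LuaJIT.
-- Hypothetical helpers; not part of APISIX or lua-resty-openidc.

-- Return the path component of an absolute or relative URI ("/" if empty).
local function url_path(uri)
  local rest = uri:gsub("^%a[%w+.-]*://[^/?#]*", "")  -- drop scheme://authority
  local path = rest:match("^([^?#]*)")                -- drop query and fragment
  if path == "" then path = "/" end
  return path
end

-- Extend the library's terse error with a cause and a remedy.
-- err: error string as logged in the issue; conf: plugin configuration;
-- request_uri: the URI the client asked for, including any query string.
local function explain_oidc_error(err, conf, request_uri)
  if not err:find("no session state found", 1, true) then
    return err  -- unrelated error: pass through unchanged
  end
  local cb_path = url_path(conf.redirect_uri or "")
  local has_callback_args = request_uri:find("[?&]code=") ~= nil
                        and request_uri:find("[?&]state=") ~= nil
  if has_callback_args then
    -- Looks like a real provider callback, but no session came with it.
    return err .. "; why: the request carries code/state callback arguments"
      .. " but no matching session cookie was received"
      .. "; how to avoid: check that the browser returns the session cookie"
      .. " to " .. cb_path
  end
  -- Direct visit to the callback path: the case reported in the issue.
  local suggested = (cb_path:gsub("/$", "")) .. "/callback"
  return err .. "; why: " .. url_path(request_uri) .. " is the redirect_uri"
    .. " path, which is reserved for the identity provider's callback, and"
    .. " this request is not part of a login in progress"
    .. "; how to avoid: set redirect_uri to a path clients never request"
    .. " directly, for example " .. suggested
end

-- Constructed inputs mirroring the issue: redirect_uri path "/" and "GET /".
local conf = { redirect_uri = "http://127.0.0.1:9080/" }
local err = "request to the redirect_uri path but there's no session state found"
print(explain_oidc_error(err, conf, "/"))
print(explain_oidc_error(err, conf, "/?code=abc&state=xyz"))
```

The returned string is intended for the error log; the client response can stay a generic authentication failure so that library error text is not echoed in response headers.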




Re: [I] feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config [apisix]

Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1837775090

   @luoluoyuyu can take this up next.




[GitHub] [apisix] spacewander commented on issue #6803: feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1092773930

   @starsz 
   Let's give it a try.




[GitHub] [apisix] ro4i7 commented on issue #6803: feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config

Posted by "ro4i7 (via GitHub)" <gi...@apache.org>.
ro4i7 commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1467906687

   > > 
   > 
   > Thanks for your contribution. Looking forward to it.
   
   Ok, please tag if any issue.




[GitHub] [apisix] spacewander commented on issue #6803: feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1092345270

   > I think it's not clear, and as a user, I don't know what happens. So I think we should improve the error log so that we can improve the experience of using openid-connect plugins.
   
   What log do you suggest using?




[GitHub] [apisix] ro4i7 commented on issue #6803: feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config

Posted by "ro4i7 (via GitHub)" <gi...@apache.org>.
ro4i7 commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1474481165

   @spacewander @starsz please check it for #9108 




[GitHub] [apisix] starsz commented on issue #6803: feat: As a user, I want to get a specific error log message instead of 500 and a bad error log when using openid-connect plugins with the wrong redirect_uri config

Posted by "starsz (via GitHub)" <gi...@apache.org>.
starsz commented on issue #6803:
URL: https://github.com/apache/apisix/issues/6803#issuecomment-1467827451

   > 
   
   Thanks for your contribution. Looking forward to it.

