Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/04/02 17:39:36 UTC

[GitHub] [apisix] MirtoBusico opened a new issue #6789: help request: How to use the access_denied_redirect_uri in authz-keycloak plugin?

MirtoBusico opened a new issue #6789:
URL: https://github.com/apache/apisix/issues/6789


   ### Description
   
   Hi all,
   I'm trying to use two new features in apisix 2.13:
   
   - access_denied_redirect_uri in authz-keycloak plugin
   - post_logout_redirect_uri in openid-connect plugin
   
   The post_logout_redirect_uri works perfectly as expected.
   But the access_denied_redirect_uri leaves me on the uri that I tried to access with this body
   ```
   {
   "error": "access_denied",
   "error_description": "not_authorized"
   }
   ```
   instead of redirecting to the uri specified in the plugin
   ```
   {
     "access_denied_redirect_uri": "https://www.m01.net/pres/?notauthorized",
     "client_id": "m01client",
     "disable": false,
     "permissions": [
       "user-resource"
     ],
     "token_endpoint": "https://k6k.m01.net/auth/realms/m01project/protocol/openid-connect/token"
   }
   ```
   Maybe I'm misinterpreting the instructions in the [authz-keycloak manual](https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/)
   
   How can I use the "access_denied_redirect_uri" parameter?
   
   The route definition is:
   ```
   {
     "uri": "/user/*",
     "name": "m01-www-user",
     "desc": "services for users - authenticated and role=user",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE"
     ],
     "host": "www.m01.net",
     "plugins": {
       "authz-keycloak": {
         "access_denied_redirect_uri": "https://www.m01.net/pres/?notauthorized",
         "client_id": "m01client",
         "disable": false,
         "permissions": [
           "user-resource"
         ],
         "token_endpoint": "https://k6k.m01.net/auth/realms/m01project/protocol/openid-connect/token"
       },
       "cors": {
         "allow_credential": false,
         "allow_headers": "*",
         "allow_methods": "*",
         "allow_origins": "*",
         "disable": true,
         "expose_headers": "*",
         "max_age": 5
       },
       "openid-connect": {
         "access_token_in_authorization_header": true,
         "bearer_only": false,
         "client_id": "m01client",
         "client_secret": "NtAdqj1ZtsAOHzKzHFjrkBatwHvpDw1U",
         "disable": false,
         "discovery": "https://k6k.m01.net/auth/realms/m01project/.well-known/openid-configuration",
         "introspection_endpoint_auth_method": "client_secret_post",
         "logout_path": "/user/logout",
         "post_logout_redirect_uri": "https://www.m01.net/pres/?loggedout",
         "realm": "m01project",
         "redirect_uri": "https://www.m01.net/user/*",
         "scope": "openid profile"
       },
       "redirect": {
         "http_to_https": true
       }
     },
     "upstream_id": "396140811927945844",
     "status": 1
   }
   ```
   
   ### Environment
   
   - APISIX version (run `apisix version`):
   ```
   bash-5.1# apisix version
   /usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua version
   2.13.0
   bash-5.1#
   ```
   - Operating system (run `uname -a`) of the POD hosting apisix:
   ```
   bash-5.1# uname -a
   Linux apisix-5b569f7674-hzmnk 5.4.0-107-generic #121-Ubuntu SMP Thu Mar 24 16:04:27 UTC 2022 x86_64 Linux
   bash-5.1# 
   ```
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   ```
   bash-5.1# openresty -V
   nginx version: openresty/1.19.9.1
   built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424) 
   built with OpenSSL 1.1.1g  21 Apr 2020
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.19.9.1.4 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../mod_dubbo --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../ngx_multi_upstream_module --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../apisix-nginx-module --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../apisix-nginx-module/src/stream --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../wasm-nginx-module --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
   bash-5.1# 
   ```
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   Don't know if it can work inside a POD
   Kubernetes dashboard gives "docker.io/bitnami/etcd:3.4.16-debian-10-r14" for image version
   ```
   bash-5.1# curl http://127.0.0.1:9090/v1/server_info
   <html>
   <head><title>404 Not Found</title></head>
   <body>
   <center><h1>404 Not Found</h1></center>
   <hr><center>openresty</center>
   </body>
   </html>
   bash-5.1# 
   ```
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   
   

