You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/06 09:45:02 UTC
[GitHub] [apisix] alekskar commented on issue #8452: help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."
alekskar commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1339045864
We have the similar issue when tried to configure login for kubernetes-dashboard. I've also tested it for simple nginx deployment.
Configuration pretty similar like it has a topicstarter, what I've tried is to change "redirect_uri" from `/` to `/*` and to `/callback` and so on. Not sure how to make it work in a real environment.
```
{
"uris": [
"/*",
"/"
],
"name": "nginx_k8s-nginx_nginx",
"desc": "Created by apisix-ingress-controller, DO NOT modify it manually",
"hosts": [
"nginx.test.mydomain.com"
],
"plugins": {
"openid-connect": {
"access_token_in_authorization_header": true,
"bearer_only": false,
"client_id": "kubernetes-test",
"client_secret": "someSecret",
"discovery": "https://keycloak.test.mydomain.com/auth/realms/main/.well-known/openid-configuration",
"introspection_endpoint_auth_method": "client_secret_post",
"logout_path": "/logout",
"realm": "main",
"redirect_uri": "https://nginx.test.mydomain.com/callback/",
"scope": "openid profile",
"set_access_token_header": true,
"set_id_token_header": true,
"set_refresh_token_header": false,
"set_userinfo_header": true,
"ssl_verify": false,
"timeout": 3,
"use_pkce": false
},
"redirect": {
"encode_uri": false,
"http_to_https": true,
"ret_code": 302
}
},
"upstream_id": "60f5e5f1",
"labels": {
"managed-by": "apisix-ingress-controller"
},
"status": 1
}
```
logs:
```
#10.0.4.87 - - [05/Dec/2022:18:53:06 +0000] nginx.test.mydomain "GET / HTTP/1.1" 302 142 0.000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" - - - "http://nginx.test.mydomain"
#10.0.28.134 - - [05/Dec/2022:18:53:07 +0000] nginx.test.mydomain.com "GET / HTTP/1.1" 302 142 0.000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" - - - "http://nginx.test.mydomain.com"
#2022/12/05 18:53:09 [error] 47#47: *325224574 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 10.0.17.247, server: _, request: "GET /*?state=74e36fe6dfe033cd861104023284c7de&session_state=a67459e3-a96b-4e28-b297-91f7333fcbae&code=7724236d-1d4f-4ff5-be93-6e8072061c22.a67459e3-a96b-4e28-b297-91f7333fcbae.2175bf1b-3d62-47a4-a8ed-70e77af1da8f HTTP/1.1", host: "nginx.test.mydomain.com"
#2022/12/05 18:53:09 [error] 47#47: *325224574 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 10.0.17.247, server: _, request: "GET /*?state=74e36fe6dfe033cd861104023284c7de&session_state=a67459e3-a96b-4e28-b297-91f7333fcbae&code=7724236d-1d4f-4ff5-be93-6e8072061c22.a67459e3-a96b-4e28-b297-91f7333fcbae.2175bf1b-3d62-47a4-a8ed-70e77af1da8f HTTP/1.1", host: "nginx.test.mydomain.com"
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org