Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/04/19 07:21:36 UTC

[GitHub] [apisix] yzhaowei commented on issue #2426: bug:enable openid-connect plugin without redirect_uri got 500 error

yzhaowei commented on issue #2426:
URL: https://github.com/apache/apisix/issues/2426#issuecomment-1102187049

   I had the same issue even though I followed the solution given above, which uses a "vanity" URL like '/redirect'. I also followed the tutorial in [APISIX blog with Authing](https://apisix.apache.org/zh/blog/2022/01/04/authing), and it failed too.
   
   Some facts:
   
   - The `redirect_uri` in the `openid-connect` plugin configuration must be one of the callbacks in the IdP, e.g. Authing.cn.
   - The login was successful. There is a successful record on the Authing.cn website under 'User Behavior Logs' (用户行为日志).
   - My browser shows something like `http://localhost:9080/redirect?code=<code>&state=<state>`.
   
   It seems APISIX did not redirect to the redirect_uri. I also tried `redirect_uri: http://localhost:9080/` and it failed too.
   
   ```
   # a successful login but fails to redirect to /image/png
   curl -X PUT \
     http://127.0.0.1:9080/apisix/admin/routes/2 \
     -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
     -d '{
         "uri": "/image/*",
         "upstream_id": "1",
         "plugins": {
             "openid-connect": {
               "client_id": "<client id>",
               "client_secret": "<client secret>",
               "discovery": "<.../.well-known/openid-configuration>",
               "bearer_only": false,
               "scope": "openid profile",
               "redirect_uri": "http://localhost:9080/redirect"
             }
         }
     }'
   ```
   
   Here is the response after a successful user login using OIDC. Obviously, it was caused by accessing `/redirect`.
   ```
   {"error_msg":"404 Route Not Found"}
   ```
   
   Here is the log information in `error.log` and `access.log`.
   ```
   # error.log
   2022/04/19 06:49:58 [error] 47#47: *480883 [lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found, client: 172.18.0.1, server: _, request: "GET /image/png HTTP/1.1", host: "localhost:9080"
   2022/04/19 06:49:58 [error] 47#47: *480883 [lua] openid-connect.lua:304: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 172.18.0.1, server: _, request: "GET /image/png HTTP/1.1", host: "localhost:9080"
   2022/04/19 06:49:58 [warn] 47#47: *480883 [lua] plugin.lua:750: run_plugin(): openid-connect exits with http status code 500, client: 172.18.0.1, server: _, request: "GET /image/png HTTP/1.1", host: "localhost:9080"
   ```
   
   ```
   # access.log
   172.18.0.1 - - [19/Apr/2022:06:53:03 +0000] localhost:9080 "GET /image/png HTTP/1.1" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0" - - - "http://localhost:9080"
   172.18.0.1 - - [19/Apr/2022:06:53:13 +0000] localhost:9080 "GET /redirect?code=<code>&state=<state> HTTP/1.1" 404 47 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0" - - - "http://localhost:9080"
   ```
   
   Environment (Docker images):
   - apache/apisix:2.13.1-alpine
   - apache/apisix-dashboard:2.10.1-alpine
   - bitnami/etcd:3.4.15
   - prom/prometheus:v2.25.0
   - grafana/grafana:7.3.7
   
   @starsz, did you test the tutorial using Authing? Is there any further solution? Thanks.
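
An added example, not part of the comment above and not APISIX code: a Python check that takes route bodies like the one posted and reports every `openid-connect` route whose `redirect_uri` path no plugin-bearing route would match, which is the condition behind the 404 on `/redirect` in the access log. It assumes a route `uri` matches exactly unless it ends in `*` (prefix match) and ignores `uris` and host matching; `/image/callback` is a hypothetical path.

```python
from urllib.parse import urlsplit


def route_matches(route_uri, path):
    # Assumed APISIX `uri` semantics: trailing "*" = prefix match, otherwise exact.
    if route_uri.endswith("*"):
        return path.startswith(route_uri[:-1])
    return path == route_uri


def unrouted_callbacks(routes):
    """Return (route uri, callback path) for every openid-connect route whose
    redirect_uri path is not matched by any route running the plugin."""
    oidc_routes = [r for r in routes if "openid-connect" in r.get("plugins", {})]
    findings = []
    for route in oidc_routes:
        conf = route["plugins"]["openid-connect"]
        if conf.get("bearer_only") or not conf.get("redirect_uri"):
            continue  # no browser callback to route
        path = urlsplit(conf["redirect_uri"]).path or "/"
        # The IdP sends the browser to `path`; the plugin must see that request.
        if not any(route_matches(r["uri"], path) for r in oidc_routes):
            findings.append((route["uri"], path))
    return findings


def make_route(redirect_uri):
    # Constructed sample mirroring the route body in the comment above.
    return {"uri": "/image/*", "upstream_id": "1", "plugins": {"openid-connect": {
        "client_id": "<client id>", "client_secret": "<client secret>",
        "discovery": "<.../.well-known/openid-configuration>",
        "bearer_only": False, "scope": "openid profile",
        "redirect_uri": redirect_uri}}}


if __name__ == "__main__":
    for uri in ("http://localhost:9080/redirect",
                "http://localhost:9080/",
                "http://localhost:9080/image/callback"):  # last path is hypothetical
        result = unrouted_callbacks([make_route(uri)])
        print(uri, "->", result or "callback is routed")
```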
   
   
   

