Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/13 19:17:10 UTC
[GitHub] [apisix] hndoss opened a new issue, #8514: help request: Graphql subscription fails with plugin authz-keycloak
hndoss opened a new issue, #8514:
URL: https://github.com/apache/apisix/issues/8514
### Description
After deploying Apisix to our Kubernetes cluster and configuring the [authz-keycloak](https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/) plugin, we have verified that it works the way it is needed, except when our frontend and backend use graphql subscription. We understand that this happens via websockets and that an authorization header is not provided by the frontend for the reasons described in these sources: [1](https://security.stackexchange.com/questions/174349/why-cant-websockets-support-custom-headers), [2](https://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api)
## Error
```
apisix-575b5cdf74-2vvfk apisix 2022/12/13 18:51:40 [error] 45#45: *19638989 [lua] authz-keycloak.lua:796: phase_func(): failed to fetch JWT token: authorization header not available, client: 10.132.0.133, server: _, request: "GET /backend//config HTTP/2.0", host: "xxxx.com"
```
## Plugin configuration
```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixPluginConfig
metadata:
  name: keycloak
  namespace: dev-env
spec:
  plugins:
  - name: authz-keycloak
    enable: true
    config:
      client_id: xxx
      client_secret: "xxx"
      discovery: "https://xxxx/auth/realms/ultraio/.well-known/uma2-configuration"
      token_endpoint: "https://xxxx/auth/realms/ultraio/protocol/openid-connect/token"
      ssl_verify: false
      permissions:
      - "default#default:test"
```
## Route json
```
{
"uris": [
"/explorer/exchange/v1/graphql"
],
"name": "ing_dev-env_exchange-service-dev_c8c6ebe0",
"desc": "Created by apisix-ingress-controller, DO NOT modify it manually",
"host": "xxxx.com",
"plugin_config_id": "402fd7b0",
"upstream_id": "880ced1a",
"labels": {
"managed-by": "apisix-ingress-controller"
},
"enable_websocket": true,
"status": 1
}
```
### Environment
- APISIX version (run `apisix version`): 2.15.0
- Operating system (run `uname -a`): Linux apisix-575b5cdf74-2vvfk 5.10.133+
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): nginx version: openresty/1.21.4.1
---
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] hndoss commented on issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
hndoss commented on issue #8514:
URL: https://github.com/apache/apisix/issues/8514#issuecomment-1351639772
This also worked
```yaml
_meta:
  filter:
  - var: graphql_operation
    operator: "!="
    val: subscription
```
I am not sure about the difference.
> Depending on the requested parameters, it is decided at runtime whether the plugin should be executed. Something like this: {{var, operator, val}, {var, operator, val}, ...}}. For example: {"arg_version", "==", "v2"}, indicating that the current request parameter version is v2. The variables here are consistent with NGINX internal variables. For details on supported operators, please see [lua-resty-expr](https://github.com/api7/lua-resty-expr#operator-list).
[GitHub] [apisix] tzssangglass commented on issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8514:
URL: https://github.com/apache/apisix/issues/8514#issuecomment-1350367601
> I tried creating two identical routes, but one of them doesn't have the authz-keycloak plugin enabled. Something like this:
If you plan to use two routes, then you can do this
1. match graphql requests
```json
{
  "uris": [
    "/explorer/exchange/v1/graphql"
  ],
  "name": "exchange-service-dev-subs",
  "host": "xxxx.com",
  "vars": [
    ["graphql_name", "~=", null]
  ],
  "upstream_id": "880ced1a",
  "enable_websocket": true
}
```
2. match not graphql requests
```json
{
  "uris": [
    "/explorer/exchange/v1/graphql"
  ],
  "name": "exchange-service-dev-subs",
  "host": "xxxx.com",
  "vars": [
    ["graphql_name", "==", null]
  ],
  "upstream_id": "880ced1a",
  "enable_websocket": true
}
```
[GitHub] [apisix] hndoss commented on issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
hndoss commented on issue #8514:
URL: https://github.com/apache/apisix/issues/8514#issuecomment-1351702104
Actually, we had some errors and the plugin was not being synced. But after some tests we were able to make it work with this filter:
```yaml
_meta:
  filter:
  - - http_upgrade
    - "~="
    - websocket
```
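To make the difference between the two filters in this thread concrete, here is an added example (not APISIX or lua-resty-expr code) that models a subset of lua-resty-expr over a per-request variable table and replays the `graphql_operation` filter and the `http_upgrade` filter against constructed requests; the `request_vars` helper, the treatment of `!=` as an alias of `~=`, and the sample requests are assumptions of this toy. It shows why filtering on `graphql_operation` does not exempt the WebSocket handshake: that GET carries no GraphQL document, so the variable is nil and `~= subscription` still matches, whereas filtering on `http_upgrade` exempts exactly the upgrade request.

```python
import json
import re

# Assumed subset of lua-resty-expr operators; `!=` is treated here as an alias of `~=`.
OPS = {
    "==": lambda a, b: a == b,
    "~=": lambda a, b: a != b,
    "!=": lambda a, b: a != b,
    "~~": lambda a, b: a is not None and re.search(b, a) is not None,
}

def request_vars(method, headers, body=None):
    """Variable table a filter sees (simplified model of APISIX's nginx vars)."""
    v = {"request_method": method}
    h = {k.lower(): val for k, val in headers.items()}
    if "upgrade" in h:
        v["http_upgrade"] = h["upgrade"]  # $http_upgrade
    if body:  # GraphQL-over-HTTP JSON body; a WebSocket handshake has none
        doc = json.loads(body).get("query", "")
        m = re.match(r"\s*(query|mutation|subscription)\b", doc)
        if m:
            v["graphql_operation"] = m.group(1)
        elif doc.lstrip().startswith("{"):
            v["graphql_operation"] = "query"  # anonymous shorthand query
    return v

def expr_matches(expr, v):
    """True if every [var, op, val] clause holds; a missing var compares as nil (None)."""
    clauses = [expr] if expr and isinstance(expr[0], str) else expr  # accept flat form too
    return all(OPS[op](v.get(var), val) for var, op, val in clauses)

# Constructed sample requests (not captured traffic).
REQUESTS = {
    "ws_handshake": request_vars("GET", {"Upgrade": "websocket"}),
    "http_query": request_vars("POST", {"Content-Type": "application/json"},
                               '{"query": "query { exchange { price } }"}'),
    "http_subscription": request_vars("POST", {"Content-Type": "application/json"},
                                      '{"query": "subscription { trades { id } }"}'),
}

FILTER_BY_OPERATION = [["graphql_operation", "~=", "subscription"]]  # first attempt
FILTER_BY_UPGRADE = [["http_upgrade", "~=", "websocket"]]  # filter that worked

def coverage(meta_filter):
    """Map each sample request to whether authz-keycloak would run on it.

    `_meta.filter` semantics: the plugin executes only when the filter matches.
    """
    return {name: expr_matches(meta_filter, v) for name, v in REQUESTS.items()}
```

Either filter leaves the exempted requests unauthorized at the gateway, so the upstream must verify the subscription's credentials itself.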
[GitHub] [apisix] hndoss closed issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
hndoss closed issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
URL: https://github.com/apache/apisix/issues/8514
[GitHub] [apisix] mscb402 commented on issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
mscb402 commented on issue #8514:
URL: https://github.com/apache/apisix/issues/8514#issuecomment-1350362191
I think you can't create two of the same route. I think the plugin `_meta` filter is what you want: https://apisix.apache.org/docs/apisix/terminology/plugin/#plugin-common-configuration
[GitHub] [apisix] hndoss commented on issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
hndoss commented on issue #8514:
URL: https://github.com/apache/apisix/issues/8514#issuecomment-1351563302
> I think you can't create two of the same route. I think the plugin `_meta` filter is what you want: https://apisix.apache.org/docs/apisix/terminology/plugin/#plugin-common-configuration
The _meta filter solved our issue.
```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixPluginConfig
metadata:
  name: keycloak
  namespace: dev-env
spec:
  plugins:
  - name: authz-keycloak
    enable: true
    config:
      client_id: xxx
      client_secret: "xxx"
      discovery: "https://xxxx/auth/realms/ultraio/.well-known/uma2-configuration"
      token_endpoint: "https://xxxx/auth/realms/ultraio/protocol/openid-connect/token"
      ssl_verify: false
      permissions:
      - "default#default:test"
      _meta:
        filter:
        - graphql_operation
        - "!="
        - subscription
```
[GitHub] [apisix] mscb402 commented on issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
mscb402 commented on issue #8514:
URL: https://github.com/apache/apisix/issues/8514#issuecomment-1350219853
The authz-keycloak plugin only reads the token from the `Authorization` header. Do you mean you want to send the `Authorization` header over WebSocket?
[GitHub] [apisix] mscb402 commented on issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
mscb402 commented on issue #8514:
URL: https://github.com/apache/apisix/issues/8514#issuecomment-1350221723
You can read the documentation of the `websockets` library: https://websockets.readthedocs.io/en/stable/topics/authentication.html#machine-to-machine-authentication
```python
import websockets

async def subscribe(token):
    async with websockets.connect(
        "wss://example.com",
        extra_headers={"Authorization": f"Bearer {token}"},  # sent in the handshake
    ) as ws:
        await ws.recv()
```
But this looks like it is not supported by Safari.
[GitHub] [apisix] hndoss commented on issue #8514: help request: Graphql subscription fails with plugin authz-keycloak
Posted by GitBox <gi...@apache.org>.
hndoss commented on issue #8514:
URL: https://github.com/apache/apisix/issues/8514#issuecomment-1350281497
> The authz-keycloak plugin only reads the token from the `Authorization` header. Do you mean you want to send the `Authorization` header over WebSocket?
So far, we have tried everything on our client side to be able to add the Authorization header without success.
The last thing we're trying to do is to not use the authz-keycloak plugin when using graphql subscriptions, but we haven't been able to do that.
I tried creating two identical routes, but one of them doesn't have the authz-keycloak plugin enabled. Something like this:
## For graphql subscriptions
```json
{
  "uris": [
    "/explorer/exchange/v1/graphql"
  ],
  "name": "exchange-service-dev-subs",
  "host": "xxxx.com",
  "vars": [
    ["graphql_operation", "==", "subscription"]
  ],
  "upstream_id": "880ced1a",
  "enable_websocket": true
}
```
## For everything else
```json
{
  "uris": [
    "/explorer/exchange/v1/graphql"
  ],
  "name": "exchange-service-dev",
  "host": "xxxx.com",
  "vars": [
    ["graphql_operation", "!=", "subscription"]
  ],
  "upstream_id": "880ced1a",
  "enable_websocket": true,
  "plugin_config_id": "402fd7b0"
}
```