Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/21 08:40:25 UTC

[GitHub] [apisix] MirtoBusico edited a comment on issue #6345: bug: apisix openid plugin - how the logout path does work ?

MirtoBusico edited a comment on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1046308685


   Hi @starsz, another try and the first results: wrong redirect on logout (so it seems that there is a proxy-rewrite conflict)
   
   I created two routes:
   
   - a simple route for **https://www.m01.net** without any plugin 
   - a route for **https://www.m01.net/*** with proxy-rewrite and openid-connect plugins
   
   All routes use an httpbin service as upstream
   
   The first route definition is
   ```
   {
     "uri": "/",
     "name": "m01-www-home",
     "desc": "home page for entire application",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE"
     ],
     "host": "www.m01.net",
     "plugins": {
       "redirect": {
         "http_to_https": true
       }
     },
     "upstream_id": "394941006623015714",
     "status": 1
   }
   ```
   The second route definition is 
   ```
   {
     "uri": "/*",
     "name": "m01-www-user",
     "desc": "services for users - access with authentication and role=user",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE"
     ],
     "host": "www.m01.net",
     "plugins": {
       "openid-connect": {
         "access_token_in_authorization_header": true,
         "bearer_only": false,
         "client_id": "apisix",
         "client_secret": "CFejdjaiPNgGXMQub467j10OzcuK43tB",
         "disable": false,
         "discovery": "https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
         "introspection_endpoint_auth_method": "client_secret_post",
         "logout_path": "/logout",
         "realm": "apisix_test_realm",
         "redirect_uri": "https://www.m01.net/*",
         "scope": "openid profile"
       },
       "redirect": {
         "http_to_https": true
       }
     },
     "upstream_id": "394941006623015714",
     "status": 1
   }
   ```
   Now 
   
   - "https://www.m01.net/" shows the (complete) httpbin home page
   - "https://www.m01.net/headers" shows the keycloak login page and then the httpbin headers page
   - "https://www.m01.net/logout" executes the logout but is redirected to this url
   
   ```
   https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZQzh1bVRwQ2ZCRkxQSHpFNmh4dTZUM3QybnBQLUpOSG9hX2JYbnRIczZBIn0.[...].N2iDI-T_dbfRXvAx9y9iyqQD6IWOo2m9ADfUjvVqbhJkRK31054mhQVphzcXa3hnXd8jcKOP5iLtCMP0hGrHZ0_LftH_Czag9zsSqgNPMAoBDMvBYsjb8Yv-xoRBqYx6vmQVPzMEc3CV15sFYrAFHGPrW-rOq0H_sfTYSnrDN6bmaTzV4ZEdgktgGwUKw0pGQObVEN4IZVL4tphOh0o5Rc2icIZAwgbnnToAd_hs7MOgntF-u_vDsPINNjhMIkuG2TW4G3SilAvg1b3xGOa_B4isNZNKiNX4fyCw4TGCOfAmvdd0wpJzq3IsDw1yD-dTSdOg5gPoFqZqpu-EnG7fLg
   ```
   In the apisix log I see
   ```
   2022-02-20T19:42:06.215Z | 127.0.0.6 - - [20/Feb/2022:19:42:05 +0000] www.m01.net "GET /headers HTTP/2.0" 200 9355 0.003 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
   2022-02-20T19:42:23.016Z | 127.0.0.6 - - [20/Feb/2022:19:42:20 +0000] www.m01.net "GET /logout HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
   2022-02-20T19:50:30.419Z | 127.0.0.6 - - [20/Feb/2022:19:50:27 +0000] www.m01.net "GET /headers HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
   2022-02-20T19:50:34.133Z | 127.0.0.6 - - [20/Feb/2022:19:50:31 +0000] www.m01.net "GET /*?state=a1bdba4c994e54f5f12f787e3babc849&session_state=4d9e0e6e-d35c-4936-88bf-893cd464b92d&code=97503336-93e4-4793-9a68-0142f9af31ee.4d9e0e6e-d35c-4936-88bf-893cd464b92d.43a0343a-7fb2-471c-b6c8-6f361a8a5bae HTTP/2.0" 302 142 0.014 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
   2022-02-20T19:50:34.133Z | 127.0.0.6 - - [20/Feb/2022:19:50:31 +0000] www.m01.net "GET /headers HTTP/2.0" 200 9320 0.005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
   2022-02-20T19:50:50.053Z | 127.0.0.6 - - [20/Feb/2022:19:50:47 +0000] www.m01.net "GET /logout HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
   ```
   Maybe it is a keycloak installation or version problem?
   
   I'm using keycloak on a virtual machine separated from the kubernetes cluster
   The keycloak version is 16.1.1
   I use an apache2 as reverse proxy for https termination
   
   What is your test configuration?
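
Added example (not part of the original comment or of APISIX's code): a small Python check over the values posted above, showing that the authorization callback lands on the literal path `/*` taken from `redirect_uri` and that the logout redirect carries only `id_token_hint`. The sample data is constructed and abridged from the comment; `post_logout_redirect_uri` is the parameter name from OIDC RP-Initiated Logout, and its availability as a plugin attribute in the APISIX version in use is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample data, abridged from the values shown in the comment above.
PLUGIN_CONF = {
    "logout_path": "/logout",
    "redirect_uri": "https://www.m01.net/*",
}
LOGOUT_REDIRECT = ("https://k6k.m01.net/auth/realms/apisix_test_realm/"
                   "protocol/openid-connect/logout?id_token_hint=HEADER.PAYLOAD.SIG")
ACCESS_LOG = [
    'www.m01.net "GET /headers HTTP/2.0" 302 142',
    'www.m01.net "GET /*?state=a1b2&session_state=4d9e&code=9750 HTTP/2.0" 302 142',
    'www.m01.net "GET /logout HTTP/2.0" 302 142',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def audit_plugin_conf(conf):
    """Flag openid-connect settings that deserve a second look."""
    findings = []
    path = urlsplit(conf.get("redirect_uri", "")).path
    if "*" in path:
        findings.append("redirect_uri path contains a literal '*'")
    # Assumption: post_logout_redirect_uri is accepted as a plugin attribute.
    if conf.get("logout_path") and not conf.get("post_logout_redirect_uri"):
        findings.append("logout_path set without post_logout_redirect_uri")
    return findings

def audit_logout_redirect(url):
    """Return the query parameter names sent to the provider's logout endpoint."""
    return sorted(parse_qs(urlsplit(url).query))

def find_callbacks(lines):
    """Return (path, status) for logged requests carrying both code= and state=."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        params = parse_qs(target.query)
        if "code" in params and "state" in params:
            hits.append((target.path, int(m.group("status"))))
    return hits

if __name__ == "__main__":
    print(audit_plugin_conf(PLUGIN_CONF))
    print(audit_logout_redirect(LOGOUT_REDIRECT))
    print(find_callbacks(ACCESS_LOG))
```

The callback check also shows that authorization codes and `state` values end up in the access log through the request line, which matters for who may read those logs.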
   
   
   
   
   
   
   

