Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/08/15 22:12:07 UTC

[GitHub] [apisix] desidia26 opened a new issue, #7689: help request: Setting up OIDC plugin with proxy-rewrite

desidia26 opened a new issue, #7689:
URL: https://github.com/apache/apisix/issues/7689

   ### Description
   
   I am attempting to put some services behind APISIX in such a manner that some services are behind an OIDC plugin, and others are not.
   
   Deployment was done via the [apisix/docker docker-compose](https://github.com/apache/apisix-docker/blob/master/example/docker-compose.yml)
   
   Configuration:
   
   Routes:
   
   ```
   {
     "uri": "/thing/*",
     "name": "httpbin",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE"
     ],
     "plugins": {
       "openid-connect": {
         "bearer_only": false,
         "client_id": "apisix",
         "client_secret": "somesecret",
         "disable": false,
         "discovery": "http://host.docker.internal:8091/auth/realms/my-realm/.well-known/openid-configuration",
         "introspection_endpoint_auth_method": "client_secret_post",
         "realm": "my-realm",
         "redirect_uri": "http://localhost:9080/",
         "scope": "openid profile"
       },
       "proxy-rewrite": {
         "regex_uri": [
           "/thing/(.*)",
           "/$1"
         ]
       }
     },
     "upstream_id": "421225011701875398",
     "status": 1
   }
   ```
   
   Upstreams:
   
   ```
   {
     "nodes": [
       {
         "host": "httpbin.org",
         "port": 80,
         "weight": 1
       }
     ],
     "timeout": {
       "connect": 6,
       "send": 6,
       "read": 6
     },
     "type": "roundrobin",
     "scheme": "http",
     "pass_host": "pass",
     "name": "httpbin",
     "keepalive_pool": {
       "idle_timeout": 60,
       "requests": 1000,
       "size": 320
     }
   }
   ```
   If I visit `http://localhost:9080/thing/get` (what I expect would be the equivalent of http://httpbin.org/get), I am routed to my IdP as expected, and then am redirected to: `http://localhost:9080/?state=3f8d35d79a43728d1419a0ba3192c82a&session_state=129b46da-8448-4dbe-8a90-01dc51844d21&code=bfa03039-ba35-413b-9bbd-ae97042f0d99.129b46da-8448-4dbe-8a90-01dc51844d21.3be76236-43a2-4f3f-a3a9-ccce5defb966`, which APISIX gives a `{"error_msg":"404 Route Not Found"}` for.
   
   I tried setting the `redirect_uri` to something like `http://localhost:9080/thing/redirect`, but that sends me down the `request to the redirect_uri path but there's no session state found` rabbit hole.
   
   Of course everything works if I change the route to match on `/*`, but doesn't this make it so that I can no longer have some services that *aren't* behind the plugin?
   
   Any help on the matter would be greatly appreciated.
   
   Also let me know if I'm forgetting to elaborate on anything.
   
   ### Environment
   
   - APISIX version (run `apisix version`): `**2.15.0**`
   - Operating system (run `uname -a`): `**Linux dad329b3f8dd 5.10.104-linuxkit #1 SMP Thu Mar 17 17:08:06 UTC 2022 x86_64 Linux**`
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): `**nginx version: openresty/1.21.4.1**`
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] kingluo commented on issue #7689: help request: Setting up OIDC plugin with proxy-rewrite

Posted by GitBox <gi...@apache.org>.
kingluo commented on issue #7689:
URL: https://github.com/apache/apisix/issues/7689#issuecomment-1216164046

   @desidia26 When `bearer_only` is false (by default), the `redirect_uri` must be provided. Otherwise, the plugin has no way to recognize the "code" authorization response from the OP/IdP. And to keep it simple and avoid typos, the `redirect_uri` is normally a path without the `scheme://host:port` part, e.g. `/thing/_callback`. Note that you should not access `redirect_uri` directly (otherwise it would warn that no session was found), because it's only for the OP/IdP to call back.




[GitHub] [apisix] github-actions[bot] commented on issue #7689: help request: Setting up OIDC plugin with proxy-rewrite

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #7689:
URL: https://github.com/apache/apisix/issues/7689#issuecomment-1663702104

   This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.




[GitHub] [apisix] github-actions[bot] closed issue #7689: help request: Setting up OIDC plugin with proxy-rewrite

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #7689: help request: Setting up OIDC plugin with proxy-rewrite
URL: https://github.com/apache/apisix/issues/7689




[GitHub] [apisix] tokers commented on issue #7689: help request: Setting up OIDC plugin with proxy-rewrite

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #7689:
URL: https://github.com/apache/apisix/issues/7689#issuecomment-1216048752

   That's indeed quite an implicit requirement that the `redirect_uri` should be matched to the same route on which the OIDC starts.
   
   In your case, try to set `redirect_uri` to something like `/thing/_callback`.


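
A small lint for the requirement discussed in the two replies above, added here as an example and not part of the original thread or of APISIX: it checks that the callback path of an `openid-connect` `redirect_uri` is matched by the `uri` of the route that carries the plugin. The function names and the two sample routes are constructed for illustration; only `uri`/`uris` matching (exact, or prefix with a trailing `*`) is modelled, not hosts or methods.

```python
from urllib.parse import urlsplit


def uri_matches(pattern: str, path: str) -> bool:
    """Route `uri` semantics: exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def callback_path(redirect_uri: str) -> str:
    """Path component of redirect_uri, whether it is a full URL or a bare path."""
    return urlsplit(redirect_uri).path or "/"


def lint_route(route: dict) -> list[str]:
    """Return findings for a route whose OIDC callback would not land on the route itself."""
    oidc = route.get("plugins", {}).get("openid-connect")
    if not oidc or oidc.get("bearer_only", False):
        return []  # no authorization-code redirect on this route
    redirect_uri = oidc.get("redirect_uri")
    if not redirect_uri:
        # Per the thread: redirect_uri must be provided when bearer_only is false.
        return ["redirect_uri is not set"]
    patterns = route.get("uris") or [route["uri"]]
    path = callback_path(redirect_uri)
    if not any(uri_matches(p, path) for p in patterns):
        return [f"callback path {path!r} is not matched by route uri {patterns}; "
                "the IdP redirect will not reach this route"]
    return []


# Constructed routes mirroring the issue: the original config and the suggested fix.
BROKEN = {"uri": "/thing/*", "plugins": {"openid-connect": {
    "bearer_only": False, "redirect_uri": "http://localhost:9080/"}}}
FIXED = {"uri": "/thing/*", "plugins": {"openid-connect": {
    "bearer_only": False, "redirect_uri": "/thing/_callback"}}}

if __name__ == "__main__":
    for name, route in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_route(route) or "ok")
```
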


[GitHub] [apisix] github-actions[bot] commented on issue #7689: help request: Setting up OIDC plugin with proxy-rewrite

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #7689:
URL: https://github.com/apache/apisix/issues/7689#issuecomment-1683678073

   This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.

