bug:enable openid-connect plugin without redirect_uri got 500 error #2426
Here is the doc for openid-connect, cc @membphis https://github.com/apache/apisix/blob/master/doc/plugins/openid-connect.md

@nic-chen need your help to confirm a mini case

This issue is related to apisix according to @nic-chen's feedback, so I transfer it here.

I think it's a schema-defined bug. @liuxiran Could you solve it together, please? It looks like you are solving issues of other plugins' schemas 😄 https://github.com/apache/apisix/blob/master/apisix/plugins/openid-connect.lua#L45

A new PR to fix this bug is better. Welcome PR.

@nic-chen

@moonming Please confirm which way is correct. You wrote this code.
https://github.com/apache/apisix/blob/master/apisix/plugins/openid-connect.lua#L143-L146

Yes,
we got this error, I think it is fine, because you did not set a correct when missing

@liuxiran that is another error message of the plugin

@membphis Thank you very much~! Since there is nothing wrong with the openid-connect schema, I'll try again to config a right then close this issue, thx again~!
I had the same problem.

I got the same error, how did you solve it finally?

Refer to the following link; I solved my problem.

@lemonrains do we need to update the code or docs of APISIX?
Came across the same problem today and did some testing on the problem with an up-to-date apisix instance. It seems like this problem ( The reason could be that the openid-connect plugin probably checks if the user requested URI is identical to If my hypothesis is correct then I would assume this is a bug and I find that the approach of @lemonrains is not a good solution. Here is why:
@david-woelfle thanks for your detailed report 👍

@starsz I have reopened this issue right now. Do you have time to check this bug?

Sure. Let me have a check.

Hi @david-woelfle. Yes, that's true.
Here, I think you may misunderstand the usage of
So the flow should be like this: In conclusion, it's a bug. But I think it's a little bit hard to fix.
It's a quick way to fix it.

@liweitianux

Yes, I could make a PR, but maybe a bit late due to various works at hand. By the way, I'm still a newbie to APISIX, so how should I obtain the current route's In addition, I still need to consider how to handle the
For those still struggling with that, by default resty.session will try to use

```yaml
configurationSnippet:
  httpSrv: |
    set $session_secret 8044c47e83b5ac9bb7c868eb8b202e93;
```

to generate that secret:
@liweitianux
Previously the `redirect_uri` was set to `ngx.var.request_uri` if not configured. However, it caused the underlying `lua-resty-openidc` module to raise this error:

```
request to the redirect_uri path but there's no session state found
```

because `lua-resty-openidc` would think it was the redirection response from OP when the `redirect_uri` equals `ngx.var.request_uri`.

Although the OAuth 2.0 Security Best Current Practice [1] recommends that the `redirect_uri` should be explicitly specified to prevent malicious redirection attacks, it would also be handy for APISIX to properly determine a default one if `redirect_uri` is not given. Therefore, append the `.apisix/redirect` suffix to the current request URI to determine the default `redirect_uri`. It makes `lua-resty-openidc` happy and it's almost unlikely to conflict with user's URIs.

Also note that the OP should be properly configured to accept such auto-determined redirect URIs.

Update the documentation accordingly.

Fix apache#2426.

[1] https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
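As an added illustration (not code from the APISIX project, lua-resty-openidc, or anyone in this thread), the following Python model shows why the pre-fix default (`redirect_uri == ngx.var.request_uri`) tripped lua-resty-openidc's "is this the callback?" check on the very first request, and why a `redirect_uri` derived by appending `.apisix/redirect` does not. The route `/add_note` is a constructed sample; dropping the query string, not doubling a trailing slash, and passing an already-suffixed path through unchanged are assumptions of this model, not a description of the exact plugin code.

```python
from urllib.parse import urlsplit

# Suffix the fix appends to the request URI to build the default redirect_uri
# (taken from the commit message above).
REDIRECT_SUFFIX = ".apisix/redirect"

# Error text lua-resty-openidc raises when the callback path is hit without
# a stored session state (quoted in the commit message above).
OPENIDC_NO_STATE_ERROR = (
    "request to the redirect_uri path but there's no session state found"
)


def old_default_redirect_uri(request_uri: str) -> str:
    """Pre-fix default: redirect_uri is simply ngx.var.request_uri."""
    return request_uri


def new_default_redirect_uri(request_uri: str) -> str:
    """Post-fix default: the request path plus '/.apisix/redirect'.

    ASSUMPTIONS of this model: the query string is dropped, a trailing
    slash is not doubled, and a path that already carries the suffix (the
    OP's redirection response) is returned unchanged.
    """
    path = urlsplit(request_uri).path
    if path.endswith("/" + REDIRECT_SUFFIX):
        return path
    if path.endswith("/"):
        return path + REDIRECT_SUFFIX
    return path + "/" + REDIRECT_SUFFIX


def openidc_dispatch(request_uri: str, redirect_uri: str, session_has_state: bool) -> str:
    """Model of the lua-resty-openidc dispatch described in the thread.

    A request whose path equals the redirect_uri path is treated as the OP
    callback; a callback with no stored session state is the error quoted in
    the commit message. Any other request is an ordinary protected request,
    which the plugin would answer by redirecting the user to the OP.
    """
    if urlsplit(request_uri).path == urlsplit(redirect_uri).path:
        if session_has_state:
            return "callback"
        return "error: " + OPENIDC_NO_STATE_ERROR
    return "protected"


def first_visit_outcome(request_uri: str, use_fix: bool) -> str:
    """Outcome of a user's first, unauthenticated request to a route with no
    redirect_uri configured, before (use_fix=False) and after the fix."""
    derive = new_default_redirect_uri if use_fix else old_default_redirect_uri
    return openidc_dispatch(request_uri, derive(request_uri), session_has_state=False)


if __name__ == "__main__":
    # Constructed scenario: route "/add_note*", redirect_uri left unset.
    for use_fix in (False, True):
        print("fix" if use_fix else "old", first_visit_outcome("/add_note", use_fix))
    # After login the OP redirects back to the derived callback with code+state;
    # the session state created at the first visit now exists, so it is handled
    # as the callback instead of erroring.
    cb = new_default_redirect_uri("/add_note")
    print("callback", openidc_dispatch(cb + "?code=abc&state=xyz", cb, True))
```

Two practical consequences follow from the model: the OP (Keycloak, Auth0, etc.) must have the derived `/.../.apisix/redirect` path in its allowed redirect URI list, and, per the BCP the commit cites, configuring `redirect_uri` explicitly is still the safer choice because it removes any dependence on the incoming request path.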
The nginx variable would make all openidc instances use the same secret.

```nginx
set_by_lua_block $session_secret {
    -- choose the session secret by the requested host so each openidc
    -- instance gets its own; fall back to a default for unknown hosts
    local secrets = {
        ["foo.domain"] = "xxx",
        ["bar.domain"] = "yyy",
    }
    return secrets[ngx.var.host] or "zzz"
}
```
Hi @Xarxavier, did you find a solution for this? The strange thing is that if I remove the "callback" word of that URL, from the redirect_uri part, I get the response of the upstream API, authenticated: In my case, I'm trying to access "http://apisixurl:9080/add_note", and as I saw in the documentation, I added a redirect_uri param with the value "http://apisixurl:9080/add_note/callback". My route is "/add_note*". This was working right, but using Chromium with --disable-web-security to disable CORS of the web browser for Keycloak, and I put an Nginx reverse proxy in front of Keycloak to add the Access-Control-Allow-Origin * header to the Keycloak response. After that, I always get a 500 error from APISIX after the redirect from Keycloak. As somebody mentioned before, I cannot set the same access URL and redirect URL, because that is not working for this plugin. Is there any piece of advice that you can give me? Thanks in advance.

Hello @canob, the error 500 in my case was because something wasn't able to reach apisix... like the state. Look if the reverse proxy is passing all the parameters correctly and check if you have connectivity between those two (apisix and Keycloak). In any case, with the log maybe I can provide further help.

Thanks @Xarxavier, I'm going to review the headers that my reverse proxy is passing.
Hi,
When calling the API with -H "Authorization: Bearer AUTH0_TOKEN" I get a 401 Authorization Required error, why is this? I see myself forced to use APISIX as a simple API GW without any security and handle the security in each upstream service individually. It is quite sad as this project has a lot of potential. If anybody has encountered this issue before and has a solution please do share!
@monkeyDluffy6017 please take a look

@Radu-Iuonac if your issue is not related to the Let us know if any feedback.

Hi @kayx23, no, unfortunately it is not working. When I make a request to a route that has
even if I send a valid token in the Authorization header I get a 401 Unauthorized

I see the error with the Introspection endpoint. Looking for a solution for this with Auth0, but it seems that for Auth0 opaque tokens are the default.

Hi @shreemaan-abhishek @monkeyDluffy6017

Hi @Radu-Iuonac

@moonming @shreemaan-abhishek @monkeyDluffy6017 @starsz

I'll continue to finish the work on #7690 to fix this bug
Please answer these questions before submitting your issue.

Bug: `redirect_uri` should be a required param in openid-connect plugin