alekskar commented on issue #8452:
URL: https://github.com/apache/apisix/issues/8452#issuecomment-1340696167

   @tzssangglass Hi! Basically, I get the error when trying to access the resource. Let me explain what I'm trying to achieve.
   We would like to use APISIX facilities to provide auth with openid-connect for the kubernetes-dashboard web UI.
   Currently we use oauth2-proxy and point the ApisixRoute to it, where all the magic happens on the proxy side.
   APISIX is 2.15.
   ```
   ---
   apiVersion: apisix.apache.org/v2beta3
   kind: ApisixRoute
   metadata:
     labels:
     name: k8s-dash-oauth2
   spec:
     http:
     - backends:
       - serviceName: oauth2-proxy
         servicePort: 4180
       match:
         hosts:
         - dashb.platform.company.com
         paths:
         - /*
       name: dashb-oauth
   ```
   where the oauth2-proxy container has the OIDC provider configuration, which is 99% relevant to this plugin:
   ```
         - args:
           - --provider=oidc
           - --upstream=https://k8s-dash.k8s-dash.svc.cluster.local
           - --pass-authorization-header=true
           - --set-authorization-header=true
           - --client-secret=SomeSecret
           - --client-id=kubernetes-test
           - --oidc-issuer-url=https://keycloak.platform.company.com/auth/realms/main
           - *NON_OIDC_OMMITED
   ```
   So when I migrated the configuration to the APISIX plugin side, I added the following resources:
   ```
   ---
   apiVersion: apisix.apache.org/v2beta3
   kind: ApisixUpstream
   metadata:
     name: k8s-dash
   spec:
     scheme: https
   ```
   
   and Route to:
   
   ```
   spec:
     http:
     - backends:
       - serviceName: k8s-dash
         servicePort: 443
       match:
         hosts:
         - dashb.platform.company.com
         paths:
         - /*
       name: dash
       plugins:
       - name: "openid-connect"
         config:
           access_token_in_authorization_header: true
           client_id: "kubernetes-test"
           client_secret: "someSecret"
           discovery: "https://keycloak.platform.company.com/auth/realms/main/.well-known/openid-configuration"
           scope: "openid profile groups"
           introspection_endpoint_auth_method: "client_secret_post"
           bearer_only: false
           redirect_uri: "https://dashb.platform.company.com/*"
           realm: main
         enable: true
   ```
   
   After a successful SSO I see a 500 error **["An error occurred. You can report issue to APISIX Faithfully yours, APISIX."]**, and in the logs there are 2 messages regarding session and state.
   ```
   openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found
   plugin.lua:901: run_plugin(): openid-connect exits with http status code 500
   ```
   Am I missing something? Based on the example in the documentation it should work like a charm). Thanks in advance!
   
   
   
   
   
   
   
   
   
   

