MirtoBusico opened a new issue, #8642:
URL: https://github.com/apache/apisix/issues/8642

   ### Description
   
   Hi all,
   I've set up a working environment to access apisix-dashboard from everywhere.
   
   The access path is user -> nginx load balancer -> apisix (authenticated with openid-connect plugin) -> apisix dashboard
   
   The framework is the one described in #8452 
   
   Now that openid-connect works correctly, I'm trying to add authorization to the route.
   
   What happens is:
   
   - try to access the apisix-dashboard at "https://apisix.h.net"
   - I'm redirected to the keycloak login page
   - I log in with an authorized user
   - the apisix-dashboard login page is shown, but the login is not accepted and I always remain in the login page
   
   The route definition is
   ```
   {
     "uri": "/*",
     "name": "apisix-dashboard",
     "desc": "apisix.h.net route",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE"
     ],
     "host": "apisix.h.net",
     "plugins": {
       "authz-keycloak": {
         "client_id": "hcadmins",
         "disable": false,
         "permissions": [
           "adm-apisix-resource"
         ],
         "token_endpoint": "https://k6k.h.net/realms/hcluster_admins/protocol/openid-connect/token"
       },
       "openid-connect": {
         "access_token_in_authorization_header": true,
         "bearer_only": false,
         "client_id": "hcadmins",
         "client_secret": "MoqLUhwgsEDi36II0KuJldKq4YGLHxl3",
         "disable": false,
         "discovery": "https://k6k.h.net/realms/hcluster_admins/.well-known/openid-configuration",
         "introspection_endpoint_auth_method": "client_secret_post",
         "realm": "hcluster_admins",
         "redirect_uri": "https://apisix.h.net/*",
         "scope": "openid profile"
       },
       "redirect": {
         "http_to_https": true
       }
     },
     "upstream_id": "440140633500287791",
     "status": 1
   }
   ```
   
   What works:
   
   - testing authorization in keycloak or the resource gives **permit** to the authorized user
   - testing authorization in keycloak or the resource gives **deny** to the unauthorized user
   - accessing another dashboard (in my case the Kiali dashboard) works as expected
   - accessing the apisix-dashboard with an unauthorized user correctly gives the **{"error":"access_denied","error_description":"not_authorized"}** page
   
   What doesn't work:
   - accessing the apisix-dashboard with an authorized user gives the apisix-dashboard login page, but the login is not accepted and the page doesn't change
   
   I don't see anything interesting in the apisix pod logs and in the apisix-dashboard pod log
   
   What can I do?
   
   
   
   
   
   
   ### Environment
   
   
   - APISIX version (run `apisix version`): 
   ```
   root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# apisix version
   /usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua version
   2.15.1
   root@apisix-64fffcfb4c-55vhw:/usr/local/apisix#
   ```
   - Operating system (run `uname -a`):
   ```
   root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# uname -a
   Linux apisix-64fffcfb4c-55vhw 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64 GNU/Linux
   root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# 
   ```
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant: 2.13.0
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):

