jensg-st opened a new issue, #9198:
URL: https://github.com/apache/apisix/issues/9198

   ### Current Behavior
   
   I have set up a simple application and I want to use Keycloak and the OIDC plugin. It is supposed to be a very simple configuration, but I cannot get it to work as expected. I'm using the following setup:
   
   - Keycloak (URL: http://127.0.0.1:8080)
   - APISix (URL: http://127.0.0.1:9080)
   - App: (URL: http://127.0.0.1:9999)
   
   Two simple routes are managing the protected and unprotected parts of the app:
   
   ```json
   {
     "uri": "/secure/*",
     "plugins":{
       "openid-connect":{
         "client_id": "demo",
         "client_secret": "KN7ac3NcvS9ihwmXZJMPBexnEKlxX7H2",
         "discovery": "http://127.0.0.1:8080/realms/demo/.well-known/openid-configuration",
         "bearer_only": false,
         "realm": "master",
         "redirect_uri": "/secure/redirect_uri",
         "post_logout_redirect_uri": "http://127.0.0.1:9080/index.html",
         "logout_path": "/secure/logout"
       }
     },
     "upstream":{
       "type": "roundrobin",
       "nodes":{
         "127.0.0.1:9999":1
       }
     }
   }

   {
     "uri": "/index.html",
     "upstream":{
       "type": "roundrobin",
       "nodes":{
         "127.0.0.1:9999":1
       }
     }
   }
   ```
   
   When I use the logout link `/secure/logout` the first time, it seems that the plugin is managing the logout and I am redirected to the logout page of Keycloak. But I'm still able to navigate to the secure part of the application, and it looks like I'm not logged out properly. Hitting the logout link a second time fails because there is no longer a session available.
   
   
   
   ### Expected Behavior
   
   Executing the link configured in `logout_path` should log out the user from Keycloak and destroy the plugin session.
   
   ### Error Logs
   
   First Logout
   ```
   compose-apisix-1            | 2023/03/29 13:10:18 [debug] 63#63: *149990 [lua] openidc.lua:1484: authenticate(): Logout path (/secure/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
   compose-apisix-1            | 2023/03/29 13:10:18 [debug] 63#63: *149990 [lua] openidc.lua:560: openidc_discover(): openidc_discover: URL is: http://127.0.0.1:8080/realms/demo/.well-known/openid-configuration
   compose-apisix-1            | 2023/03/29 13:10:18 [debug] 63#63: *149990 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=http://127.0.0.1:8080/realms/demo/.well-known/openid-configuration
   compose-apisix-1            | 2023/03/29 13:10:18 [debug] 63#63: *149990 [lua] openidc.lua:678: openidc_get_token_auth_method(): 1 => private_key_jwt
   compose-apisix-1            | 2023/03/29 13:10:18 [debug] 63#63: *149990 [lua] openidc.lua:72: supported(): Can't use private_key_jwt without opts.client_rsa_private_key
   compose-apisix-1            | 2023/03/29 13:10:18 [debug] 63#63: *149990 [lua] openidc.lua:678: openidc_get_token_auth_method(): 2 => client_secret_basic
   compose-apisix-1            | 2023/03/29 13:10:18 [debug] 63#63: *149990 [lua] openidc.lua:681: openidc_get_token_auth_method(): no configuration setting for option so select the first supported method specified by the OP: client_secret_basic
   compose-apisix-1            | 2023/03/29 13:10:18 [debug] 63#63: *149990 [lua] openidc.lua:695: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_basic
   ```
   
   Second Logout 
   ```
   compose-apisix-1            | 2023/03/29 13:10:55 [debug] 63#63: *149990 [lua] openidc.lua:1484: authenticate(): Logout path (/secure/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process
   compose-apisix-1            | 2023/03/29 13:10:55 [debug] 63#63: *149990 [lua] openidc.lua:560: openidc_discover(): openidc_discover: URL is: http://127.0.0.1:8080/realms/demo/.well-known/openid-configuration
   compose-apisix-1            | 2023/03/29 13:10:55 [debug] 63#63: *149990 [lua] openidc.lua:115: openidc_cache_get(): cache hit: type=discovery key=http://127.0.0.1:8080/realms/demo/.well-known/openid-configuration
   compose-apisix-1            | 2023/03/29 13:10:55 [debug] 63#63: *149990 [lua] openidc.lua:678: openidc_get_token_auth_method(): 1 => private_key_jwt
   compose-apisix-1            | 2023/03/29 13:10:55 [debug] 63#63: *149990 [lua] openidc.lua:72: supported(): Can't use private_key_jwt without opts.client_rsa_private_key
   compose-apisix-1            | 2023/03/29 13:10:55 [debug] 63#63: *149990 [lua] openidc.lua:678: openidc_get_token_auth_method(): 2 => client_secret_basic
   compose-apisix-1            | 2023/03/29 13:10:55 [debug] 63#63: *149990 [lua] openidc.lua:681: openidc_get_token_auth_method(): no configuration setting for option so select the first supported method specified by the OP: client_secret_basic
   compose-apisix-1            | 2023/03/29 13:10:55 [debug] 63#63: *149990 [lua] openidc.lua:695: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_basic
   compose-keycloak-1          | 2023-03-29 13:10:55,434 WARN  [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (executor-thread-1) Either the parameter 'client_id' or the parameter 'id_token_hint' is required when 'post_logout_redirect_uri' is used.
   compose-keycloak-1          | 2023-03-29 13:10:55,445 WARN  [org.keycloak.events] (executor-thread-1) type=LOGOUT_ERROR, realmId=9371bee4-9950-47ed-be46-8ab352f09486, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_request
   ```
   
   
   ### Steps to Reproduce
   
   I have created a little docker compose application here: https://github.com/jensg-st/keycloak-apisix

   This shows the configuration and the behaviour I have tried to explain.
   
   ### Environment
   
   - APISIX version: 3.2.0
   - Operating system: 5.19.0-35-generic 36~22.04.1-Ubuntu SMP
   

