MirtoBusico opened a new issue, #9609:
URL: https://github.com/apache/apisix/issues/9609

   ### Description
   
   Hi all,
   I'm trying to redo the Apisix-dashboard access through Apisix, authenticated by Keycloak, as I have done in the past. See this [blog post](https://apisix.apache.org/blog/2023/01/02/accessing_apisix-dashboard_from_everywhere_with_keycloak_authentication/#apisix-api-gateway) and issue #8452
   
   When I try to access the Apisix-dashboard I'm redirected to Keycloak but, after a successful login (I see the session in Keycloak), I receive an error from apisix.
   
   Looking at the apisix pod logs I see:
   
   ```
   2023/06/06 07:59:53 [error] 53#53: *353631 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=a046501da761a44531b9e4788ae4b36d&session_state=65557156-414d-468e-85ca-beac29fd3d63&code=1d8b512d-5062-4dae-82d3-f88b048545b5.65557156-414d-468e-85ca-beac29fd3d63.89cb3945-8ba7-449d-bec4-b5a668a090d6 HTTP/1.0", host: "apisix.h.net"
   2023/06/06 07:59:53 [error] 53#53: *353631 [lua] openid-connect.lua:359: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=a046501da761a44531b9e4788ae4b36d&session_state=65557156-414d-468e-85ca-beac29fd3d63&code=1d8b512d-5062-4dae-82d3-f88b048545b5.65557156-414d-468e-85ca-beac29fd3d63.89cb3945-8ba7-449d-bec4-b5a668a090d6 HTTP/1.0", host: "apisix.h.net"
   2023/06/06 07:59:53 [warn] 53#53: *353631 [lua] plugin.lua:1102: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=a046501da761a44531b9e4788ae4b36d&session_state=65557156-414d-468e-85ca-beac29fd3d63&code=1d8b512d-5062-4dae-82d3-f88b048545b5.65557156-414d-468e-85ca-beac29fd3d63.89cb3945-8ba7-449d-bec4-b5a668a090d6 HTTP/1.0", host: "apisix.h.net"
   2023/06/06 07:59:53 [alert] 53#53: *353631 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=a046501da761a44531b9e4788ae4b36d&session_state=65557156-414d-468e-85ca-beac29fd3d63&code=1d8b512d-5062-4dae-82d3-f88b048545b5.65557156-414d-468e-85ca-beac29fd3d63.89cb3945-8ba7-449d-bec4-b5a668a090d6 HTTP/1.0", host: "apisix.h.net"
   ```
   The route definition is:
   
   ```
   {
     "uri": "/*",
     "name": "apisix-dashboard",
     "desc": "apisix.h.net primary route",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE",
       "PURGE"
     ],
     "host": "apisix.h.net",
     "plugins": {
       "openid-connect": {
         "_meta": {
           "disable": false
         },
         "access_token_in_authorization_header": true,
         "bearer_only": false,
         "client_id": "hcadmins",
         "client_secret": "08Xq1Av0txM0L06d0xdBTTjqgKica5C6",
         "discovery": "https://k6k.h.net/realms/hcluster_admins/.well-known/openid-configuration",
         "introspection_endpoint_auth_method": "client_secret_post",
         "realm": "hcluster_admins",
         "redirect_uri": "https://apisix.h.net/*",
         "scope": "openid profile"
       },
       "redirect": {
         "http_to_https": true
       }
     },
     "upstream_id": "462214514335548089",
     "status": 1
   }
   
   ```
   
   I'm using different Apisix and Keycloak versions from the past working configuration.
   
   Any hint?
   
   
   
   
   
   ### Environment
   
   - APISIX version (run `apisix version`): 
`/usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua version
   3.3.0
   apis`
   - Operating system (run `uname -a`): `Linux apisix-58f6bf8c79-zcw2v 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux`
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): `3.5.0`
   - APISIX Dashboard version, if relevant: `3.0.0`
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   

