MirtoBusico opened a new issue, #9935:
URL: https://github.com/apache/apisix/issues/9935

   ### Current Behavior
   
   When accessing a route that requires authentication, using Keycloak and openid-connect, you receive a 302 html error.
   
   Route definition
   ```
   {
       "uri": "/*",
       "desc": "apisix.h.net primary route",
       "host": "apisix.h.net",
       "plugins": {
         "openid-connect": {
           "_meta": {
             "disable": false
           },
           "unauth_action": "auth",
           "set_userinfo_header": true,
           "set_refresh_token_header": false,
           "client_secret": "S0EHhJMuQ6GmTewTlEn0smWUs7RzsAec",
           "introspection_endpoint_auth_method": "client_secret_post",
           "bearer_only": false,
           "realm": "master",
           "redirect_uri": "http://apisix.h.net:9080/*",
           "use_pkce": false,
           "set_access_token_header": true,
           "access_token_in_authorization_header": true,
           "set_id_token_header": true,
           "scope": "openid profile",
           "ssl_verify": false,
           "timeout": 60,
           "discovery": "http://apisix.h.net:8080/realms/master/.well-known/openid-configuration",
           "session": {
             "secret": "XlIcOaHBHcFKFaguNCkF/rE2rYKHKDXmgdRH8qt05tY="
           },
           "client_id": "client",
           "logout_path": "/logout"
         }
       },
       "upstream": {
         "pass_host": "pass",
         "nodes": {
           "httpbin.org:80": 1
         },
         "type": "roundrobin",
         "scheme": "http",
         "hash_on": "vars"
       },
       "priority": 0,
       "id": "1",
       "name": "apisix-dashboard",
       "methods": [
         "GET",
         "POST",
         "PUT",
         "DELETE",
         "PATCH",
         "HEAD",
         "OPTIONS",
         "CONNECT",
         "TRACE",
         "PURGE"
       ]
   }
   ```
   
   
   
   ### Expected Behavior
   
   What happened in a 2.X Apisix version: receive a 200 html code and the resource page
   
   ### Error Logs
   
   In access.log
   ```
   192.168.152.186 - - [28/Jul/2023:18:57:45 +0200] apisix.h.net:9080 "GET /headers HTTP/1.1" 302 142 0.000 "-" "curl/7.74.0" - - - "http://apisix.h.net:9080"
   ```
   
   In error.log
   ```
   [nothing]
   ```
   
   ### Steps to Reproduce
   
   Prepare the framework as in this document
   The complete instructions to set up the framework and execute the tests are in the attached document
   
[Apisx-test_2023-07-28.pdf](https://github.com/apache/apisix/files/12212788/Apisx-test_2023-07-28.pdf)
   
   1. start etcd
   2. start Apisix
   3. execute the test
   
    Login to keycloak
   
   ```
   KC_USERNAME=test
   KC_PASSWORD=password
   KC_CLIENT_ID=client
   KC_CLIENT_SECRET=S0EHhJMuQ6GmTewTlEn0smWUs7RzsAec
   KC_ISSUER=http://apisix.h.net:8080/realms/master
   
   KC_RESPONSE=$( \
   curl \
     -d "client_id=$KC_CLIENT_ID" \
     -d "client_secret=$KC_CLIENT_SECRET" \
     -d "username=$KC_USERNAME" \
     -d "password=$KC_PASSWORD" \
     -d "grant_type=password" \
     -d "scope=profile openid" \
     "$KC_ISSUER/protocol/openid-connect/token" \
   )
   KC_ID_TOKEN=$(echo $KC_RESPONSE | jq -r .id_token)
   TOKEN=$(echo $KC_RESPONSE | jq -r .access_token)
   echo $TOKEN
   ```
   
   Command output
   ```
   sysop@api6test:~/apisix$ KC_USERNAME=test
   KC_PASSWORD=password
   KC_CLIENT_ID=client
   KC_CLIENT_SECRET=S0EHhJMuQ6GmTewTlEn0smWUs7RzsAec
   KC_ISSUER=http://apisix.h.net:8080/realms/master
   
   KC_RESPONSE=$( \
   curl \
     -d "client_id=$KC_CLIENT_ID" \
     -d "client_secret=$KC_CLIENT_SECRET" \
     -d "username=$KC_USERNAME" \
     -d "password=$KC_PASSWORD" \
     -d "grant_type=password" \
     -d "scope=profile openid" \
     "$KC_ISSUER/protocol/openid-connect/token" \
   )
   KC_ID_TOKEN=$(echo $KC_RESPONSE | jq -r .id_token)
   TOKEN=$(echo $KC_RESPONSE | jq -r .access_token)
   echo $TOKEN
     % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
   100  3506  100  3370  100   136  88684   3578 --:--:-- --:--:-- --:--:-- 92263
   
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJNd09wd0tWaXdaZzZrbmM2bk80OU5NNm03VzdTTnFISnEwVkpHaEdvY0xJIn0.eyJleHAiOjE2OTA1NjM0NzcsImlhdCI6MTY5MDU2MzQxNywianRpIjoiNzA0YjkwNjEtNzNkZC00MjhiLWE5ZDMtNGQzODI4ODgyZWRiIiwiaXNzIjoiaHR0cDovL2FwaXNpeC5oLm5ldDo4MDgwL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiMjEzYTY0OTAtZWQ2Mi00NmI5LTk2MGEtZjY2Yjg2NDIzYzUwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjI1NWQ4OTZiLWNiOWQtNDAxYS04ZGExLTdlZDZlZWZmMjM4ZSIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1tYXN0ZXIiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6IjI1NWQ4OTZiLWNiOWQtNDAxYS04ZGExLTdlZDZlZWZmMjM4ZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlRlc3QgVXNlciIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoiVGVzdCIsImZhbWlseV9uYW1lIjoiVXNlciIsImVtYWlsIjo
 
idGVzdEBoLm5ldCJ9.MNk_QiOMC_8yPAlLresdW2mxQ_5HIze1u4YJYNU_0wBSmWxKsuCMr0cRIUf1HcQBAoTn5YI9h6HsFSTQRVRlJ_HfGqwqvfWtK_NPaWlLqwS1GqI9BH3a0eAcn93ZgtPmNs8_5B4sY2yKgTIHb2O_rL6wK5V7xyPHJYdGYy7FLiBx_0KS0nh9dPo3NUg3APr_F8LWrKkr5QxgfD56WbWxmmKem37IgAzmKyZ9B2u6ymQtQSZEOs4PDx1GxVM1x993ixoBGrWsZ2UxswwsaOxgH8JebeWT7dGwFntlqIwgKUJAOTBuvGxkMP0xHl286kRpmHH4nq4a3RE3H8Vhhr1R6Q
   sysop@api6test:~/apisix$ 
   ```
   
   Access the service using the token
   
   ```
   curl -v --header "Authorization: Bearer $TOKEN" http://apisix.h.net:9080/headers
   ```
   
   Command output
   
   ```
   sysop@api6test:~/apisix$ curl -v --header "Authorization: Bearer $TOKEN" http://apisix.h.net:9080/headers
   *   Trying 192.168.152.186:9080...
   * Connected to apisix.h.net (192.168.152.186) port 9080 (#0)
   > GET /headers HTTP/1.1
   > Host: apisix.h.net:9080
   > User-Agent: curl/7.74.0
   > Accept: */*
   > Authorization: Bearer 
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJNd09wd0tWaXdaZzZrbmM2bk80OU5NNm03VzdTTnFISnEwVkpHaEdvY0xJIn0.[...]
lIjoiVXNlciIsImVtYWlsIjoidGVzdEBoLm5ldCJ9.MNk_QiOMC_8yPAlLresdW2mxQ_5HIze1u4YJYNU_0wBSmWxKsuCMr0cRIUf1HcQBAoTn5YI9h6HsFSTQRVRlJ_HfGqwqvfWtK_NPaWlLqwS1GqI9BH3a0eAcn93ZgtPmNs8_5B4sY2yKgTIHb2O_rL6wK5V7xyPHJYdGYy7FLiBx_0KS0nh9dPo3NUg3APr_F8LWrKkr5QxgfD56WbWxmmKem37IgAzmKyZ9B2u6ymQtQSZEOs4PDx1GxVM1x993ixoBGrWsZ2UxswwsaOxgH8JebeWT7dGwFntlqIwgKUJAOTBuvGxkMP0xHl286kRpmHH4nq4a3RE3H8Vhhr1R6Q
   > 
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 302 Moved Temporarily
   < Date: Fri, 28 Jul 2023 16:57:45 GMT
   < Content-Type: text/html
   < Content-Length: 142
   < Connection: keep-alive
   < Set-Cookie: 
session=tAUgzl2Myac71L1xvP_Vgw|1690567065|4N8RZpYdkvOX3pH4YN6Zfl4c4HwGa8iCZPpUjJf5eoLZLVyw5OgkcRaooLBXhPyHcitplw-NUejjsu3Kyv3jTJI4tibcYakR-VWCX7JXzYo7EqaEdb9qQIC0YqaMUVIGjnNunrT0ASrS_87tec_XU9MxvfKmcbzxgiW75fQkd1S8y3YOvFEeuefuRcu3KTdJLZdmbvonbXzsE9-NwMIu9yDaco1eB_s3op6P-VpDGKI|QGgTudaTldU-JcSfkHk3yPM5VKI;
 Path=/; SameSite=Lax; HttpOnly
   < Cache-Control: no-cache, no-store, max-age=0
   < Location: http://apisix.h.net:8080/realms/master/protocol/openid-connect/auth?response_type=code&redirect_uri=http%3A%2F%2Fapisix.h.net%3A9080%2F*&scope=openid%20profile&client_id=client&state=702b058547085741275c1b4751178e7a&nonce=eef26fee11a11bac86d8173009cc950f
   < Server: APISIX/3.4.0
   < 
   <html>
   <head><title>302 Found</title></head>
   <body>
   <center><h1>302 Found</h1></center>
   <hr><center>openresty</center>
   </body>
   </html>
   * Connection #0 to host apisix.h.net left intact
   sysop@api6test:~/apisix$ 
   ```
   All the software is installed inside a Virtual Machine
   
   
   
   
   ### Environment
   
   - APISIX version (run `apisix version`): github master branch
   - Operating system (run `uname -a`): Linux api6test 5.10.0-23-amd64 #1 SMP Debian 5.10.179-2 (2023-07-14) x86_64 GNU/Linux
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): nginx version: openresty/1.21.4.2
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): {"hostname":"api6test","etcd_version":"unknown","id":"107c4e89-1f8b-4b1b-b44d-8609731ea8e0","boot_time":1690789155,"version":"3.4.0"}
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
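
An added example, not part of the original issue or of APISIX's code: two checks that narrow down a response like the one above. `classify_response` tells an authorization-code redirect apart from an accepted or rejected bearer token, and `jwt_seconds_left` rules out an expired access token. Both helper names, the sample headers and the sample token are constructed for illustration.

```shell
# Hypothetical helpers (added example); all sample data below is constructed.

# Read raw response headers (e.g. from `curl -s -o /dev/null -D -`) on stdin.
# Prints: passed | oidc_redirect | rejected | other
classify_response() {
  awk '
    { sub(/\r$/, "") }                        # tolerate CRLF line endings
    NR == 1 { status = $2 }                   # "HTTP/1.1 302 ..." -> 302
    tolower($1) == "location:" { loc = $2 }
    END {
      if (status ~ /^2/) print "passed"
      else if (status ~ /^3/ && (loc "&") ~ /[?&]response_type=code&/)
        print "oidc_redirect"                 # gateway started the browser login flow
      else if (status == "401" || status == "403") print "rejected"
      else print "other"
    }'
}

# jwt_seconds_left TOKEN NOW_EPOCH
# Decodes the JWT payload locally (no signature check) and prints exp - now.
# Returns 1 when no exp claim can be read.
jwt_seconds_left() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in              # restore base64 padding
    2) payload="$payload==" ;;
    3) payload="$payload=" ;;
  esac
  exp=$(printf '%s' "$payload" | base64 -d 2>/dev/null |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] || return 1
  echo $(( exp - $2 ))
}

# Constructed sample: headers shaped like the 302 in the report.
SAMPLE_HEADERS='HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Location: http://apisix.h.net:8080/realms/master/protocol/openid-connect/auth?response_type=code&client_id=client&state=CONSTRUCTED
Server: APISIX/3.4.0'

# Constructed sample: unsigned token with a 60-second lifetime.
SAMPLE_PAYLOAD=$(printf '%s' '{"exp":1690563477,"iat":1690563417}' |
                 base64 | tr -d '=\n' | tr '/+' '_-')
SAMPLE_TOKEN="eyJhbGciOiJub25lIn0.$SAMPLE_PAYLOAD.constructed-signature"

printf '%s\n' "$SAMPLE_HEADERS" | classify_response
jwt_seconds_left "$SAMPLE_TOKEN" 1690563465
```

Against a live gateway, pipe `curl -s -o /dev/null -D - --header "Authorization: Bearer $TOKEN" <url>` into `classify_response` and pass `$(date +%s)` as the second argument of `jwt_seconds_left`.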
   

