ronnybremer commented on issue #12495:
URL: https://github.com/apache/apisix/issues/12495#issuecomment-3410090266
I configured the exact same scenario a few months ago. Both `/*`
and `/api/*` routes share the same openid-connect configuration with one small
difference. On the API route I set
```
unauth_action = deny
```
hoping that this might prevent redirects from an API call to the login page
if the token has expired in the meantime and let APISIX request a new auth
token from the IDP. However, this doesn't work, as I never see a refresh token
call in the IDP's backend (also not from the frontend route).
@RegMTS would you mind sharing your openid route config?
Mine looks like this:
```
routes:
  -
    name: PORTAL
    methods: ["GET", "POST"]
    uris: [ "/portal", "/portal/*", "/favicon.ico" ]
    plugins:
      openid-connect:
        client_id: *redacted*
        client_secret: *redacted*
        use_nonce: true
        use_pkce: true
        use_jwks: true
        timeout: 10
        session.cookie.lifetime: 1800
        set_access_token_header: true
        access_token_in_authorization_header: true
        discovery:
          https://idp.example.com:444/idp/.well-known/openid-configuration
        redirect_uri: https://idp.example.com:9443/aiportal/.apisix/redirect
        logout_path: /portal/.apisix/logout
        post_logout_redirect_uri: https://idp.example.com:444/idp/logout
        bearer_only: false
        realm: APP
        session:
          secret: *redacted*
        unauth_action: auth
      redirect:
        http_to_https: true
      opentelemetry:
        sampler:
          name: always_on
    upstream:
      scheme: https
      nodes:
        "app-backend.exmaple.com:443": 1
      type: chash
      hash_on: cookie
      key: PHPSESSID
  -
    name: API
    methods: ["GET", "POST", "PUT", "PATCH", "DELETE"]
    uris: [ "/webservice/OData4Service.svc/*", "/webservice/rest/*" ]
    plugins:
      openid-connect:
        client_id: *redacted*
        client_secret: *redacted*
        use_jwks: true
        timeout: 10
        session.cookie.lifetime: 1800
        set_access_token_header: true
        access_token_in_authorization_header: true
        discovery:
          https://idp.example.com:444/idp/.well-known/openid-configuration
        bearer_only: false
        realm: APP
        session:
          secret: *redacted*
        unauth_action: deny
      redirect:
        http_to_https: true
      opentelemetry:
        sampler:
          name: always_on
    upstream:
      scheme: https
      nodes:
        "api-backend1.example.com:8443": 1
        "api-backend2.example.com:8443": 2
      type: roundrobin
      timeout:
        connect: 60
        send: 180
        read: 180
```
The session is shared (with the same secret) and, true, it sends a pretty
large cookie back to the client. I would also like to avoid that, if possible.
Since APISIX needs to be clustered, the `shdict` approach does not work for me,
so I gotta wait for Redis.
So, just like in your original post, your first approach works best, so
far. The cookie is a bit long, but now we know why, and the automatic token
refresh doesn't seem to occur. Hopefully it's just a difference between your and
my config.