ojeker opened a new issue, #13408:
URL: https://github.com/apache/apisix/issues/13408

   ### Description
   
   Hi
   
   After several tries, I am stuck in making the two plugins talk to each other. Using a serverless-pre-function, I succeeded in extracting the claim "sub" and putting it in the header "X-Userinfo-Sub". authz-casbin does not read this header; it always reports the sub to be "anonymous" and blocks access to the upstream. I tried to tweak by setting the priorities (`_meta.priority`) of the plugins and function, but to no avail. Any help appreciated!
   
   My apisix.yaml:
   ```yaml
   routes:
     - id: users
       uris:
         - /
         - /*
       plugins:
         openid-connect:
           client_id: apisix
           client_secret: secret
           discovery: http://authz_srv:8080/default/.well-known/openid-configuration
           bearer_only: true
           use_jwks: true
           ssl_verify: false

         serverless-pre-function:
           phase: access
           functions:
           - |
             return function(conf, ctx)
               local core = require("apisix.core")
               local cjson = require("cjson.safe")

               -- openid-connect publishes the userinfo as base64-encoded JSON in X-Userinfo
               local userinfo = core.request.header(ctx, "X-Userinfo")
               local claims = userinfo and cjson.decode(ngx.decode_base64(userinfo))

               -- copy the sub claim into the header authz-casbin is configured to read
               if claims and claims.sub then
                 core.request.set_header(ctx, "X-Userinfo-Sub", claims.sub)
               end
             end

         authz-casbin:
           model_path: casbin/acl_model.conf
           policy_path: casbin/acl_perm.csv
           username: X-Userinfo-Sub

       upstream:
         type: roundrobin
         nodes:
           "upstream:80": 1

   #END
   ```
   
   Log entry telling me that casbin does not receive the header X-Userinfo-Sub:
   
   `apisix    | 2026/05/21 06:05:19 [notice] 56#56: *155827 [lua] Log.lua:29: info(): INFORequest: anonymous, /your-route, GET ---> false`
   
   Full debug log of a failing request:
   
   ```
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] ctx.lua:281: __index(): serving ctx value from cache for key: uri
   apisix    | 2026/05/21 06:05:19 [info] 56#56: *155827 [lua] trusted-addresses.lua:46: is_trusted(): trusted_addresses_matcher is not initialized, client: 172.21.0.2, server: _, request: "GET /your-route HTTP/1.1", host: "apisix:9080", request_id: "78478a277d4f2315c320770460f0cbb9"
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] ctx.lua:281: __index(): serving ctx value from cache for key: scheme
   apisix    | 2026/05/21 06:05:19 [info] 56#56: *155827 [lua] ai.lua:77: match(): route match mode: ai_match, client: 172.21.0.2, server: _, request: "GET /your-route HTTP/1.1", host: "apisix:9080", request_id: "78478a277d4f2315c320770460f0cbb9"
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] ctx.lua:281: __index(): serving ctx value from cache for key: uri
   apisix    | 2026/05/21 06:05:19 [info] 56#56: *155827 [lua] ai.lua:80: match(): route cache key: /your-route, client: 172.21.0.2, server: _, request: "GET /your-route HTTP/1.1", host: "apisix:9080", request_id: "78478a277d4f2315c320770460f0cbb9"
   apisix    | 2026/05/21 06:05:19 [info] 56#56: *155827 [lua] init.lua:749: http_access_phase(): matched route: {"clean_handlers":{},"orig_modifiedIndex":1779343480,"modifiedIndex":1779343480,"key":"/routes/users","has_domain":true,"value":{"uris":["/","/*"],"status":1,"plugins":{"openid-connect":{"introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","token_endpoint_auth_method":"client_secret_basic","bearer_only":true,"introspection_interval":0,"use_jwks":true,"unauth_action":"auth","jwt_verification_cache_ignore":false,"use_pkce":false,"_meta":{},"client_jwt_assertion_expires_in":60,"set_access_token_header":true,"renew_access_token_on_expiry":true,"discovery":"http://authz_srv:8080/default/.well-known/openid-configuration","set_userinfo_header":true,"client_id":"apisix","scope":"openid","iat_slack":120,"ssl_verify":false,"accept_none_alg":false,"access_token_in_authorization_header":false,"accept_unsupported_alg":true,"timeout":3,"set_id_token_header":true,"force_reauthorize":false,"client_secret":"secret","use_nonce":false,"realm":"apisix","revoke_tokens_on_logout":false,"set_refresh_token_header":false,"jwk_expires_in":86400,"access_token_expires_leeway":0},"authz-casbin":{"casbin_enforcer":{"modelPath":"casbin/acl_model.conf","model":{"logger":{"logger":{"fatal":"function: 0x7f10553fe590","FATAL":"FATAL","log":"function: 0x7f10553fe2b0","OFF":"OFF","WARN":"WARN","error":"function: 0x7f10553fe518","INFO":"INFO","DEBUG":"DEBUG","debug":"function: 0x7f10553fe3b8","level":"DEBUG","level_order":1,"warn":"function: 0x7f10553fe470","setLevel":"function: 0x7f10553fe218","ERROR":"ERROR","getPrint":"function: 0x7f10553fe368","append":"function: 0x7f10553fe120","info":"function: 0x7f10553fe3f8","off":"function: 0x7f1052c8bf68"}},"requiredSections":["r","p","e","m"],"modCount":4,"sectionNameMap":{"e":"policy_effect","m":"matchers","r":"request_definition","g":"role_definition","p":"policy_definition"},"model":{"e":{"e":{"RM":{},"value":"some(where (p_eft == allow))","key":"e","tokens":{},"priorityIndex":-1,"policy":{},"policyMap":{}}},"m":{"m":{"RM":{},"value":"keyMatch(r_sub, p_sub) && keyMatch(r_obj, p_obj) && keyMatch(r_act, p_act)","key":"m","tokens":{},"priorityIndex":-1,"policy":{},"policyMap":{}}},"p":{"p":{"RM":{},"value":"sub, obj, act","key":"p","tokens":["p_sub","p_obj","p_act"],"priorityIndex":-1,"policy":[["reader","/kbs*","GET"],["writer","/kbs*","*"]],"policyMap":{"reader,/kbs*,GET":1,"writer,/kbs*,*":2}}},"r":{"r":{"RM":{},"value":"sub, obj, act","key":"r","tokens":["r_sub","r_obj","r_act"],"priorityIndex":-1,"policy":{},"policyMap":{}}}},"PolicyOperations":{"POLICY_ADD":"POLICY_ADD","POLICY_REMOVE":"POLICY_REMOVE"}},"autoBuildRoleLinks":true,"enabled":true,"adapter":{"filePath":"casbin/acl_perm.csv"},"autoSave":true,"rmMap":{},"autoNotifyDispatcher":true},"policy_path":"casbin/acl_perm.csv","_meta":{},"model_path":"casbin/acl_model.conf","username":"X-Userinfo-Sub"},"serverless-pre-function":{"_meta":{},"phase":"access","functions":["return function(conf, ctx)\n  local core = require(\"apisix.core\")\n  local cjson = require(\"cjson.safe\")\n\n  local userinfo = core.request.header(ctx, \"X-Userinfo\")\n  local claims = userinfo and cjson.decode(ngx.decode_base64(userinfo))\n\n  if claims and claims.sub then\n    core.request.set_header(ctx, \"X-Userinfo-Sub\", claims.sub)\n  end\nend\n"]}},"id":"users","upstream":{"resource_id":"users","pass_host":"pass","hash_on":"vars","resource_key":"/routes/users","scheme":"http","nodes":[{"weight":1,"port":80,"host":"upstream"}],"resource_version":1779343480,"type":"roundrobin","dns_nodes":"table: 0x7f1052fc9008"},"priority":0}}, client: 172.21.0.2, server: _, request: "GET /your-route HTTP/1.1", host: "apisix:9080", request_id: "78478a277d4f2315c320770460f0cbb9"
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] ctx.lua:281: __index(): serving ctx value from cache for key: request_uri
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] ctx.lua:281: __index(): serving ctx value from cache for key: uri
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openid-connect.lua:653: phase_func(): auto set redirect_uri: /your-route/.apisix/redirect
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openidc.lua:555: openidc_discover(): openidc_discover: URL is: http://authz_srv:8080/default/.well-known/openid-configuration
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openidc.lua:117: openidc_cache_get(): cache hit: type=discovery key=http://authz_srv:8080/default/.well-known/openid-configuration
   apisix    | 2026/05/21 06:05:19 [info] 56#56: *155827 [lua] openid-connect.lua:519: introspect(): valid_issuers not provided explicitly, using issuer from discovery doc: http://authz_srv:8080/default, client: 172.21.0.2, server: _, request: "GET /your-route HTTP/1.1", host: "apisix:9080", request_id: "78478a277d4f2315c320770460f0cbb9"
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openidc.lua:1924: bearer_jwt_verify(): access_token: eyJraWQiOiJkZWZhdWx0IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJyZWFkZXIiLCJuYmYiOjE3NzkzNDE5NTEsImlzcyI6Imh0dHA6Ly9hdXRoel9zcnY6ODA4MC9kZWZhdWx0IiwiZXhwIjoxNzc5MzQ1NTUxLCJpYXQiOjE3NzkzNDE5NTEsImp0aSI6IjRlNmI0YTcwLTRjM2EtNDU2MS05ZjBkLTNkMWEyMjg0MjI4MyIsInRpZCI6ImRlZmF1bHQifQ.WjEGdYLeDMYEAz2wB0bJmFzSP8xmy5ks5UhoBrUxat99dwDX7uf4agVUSfRKJhaa6C6ZIMRyv2KWLgwne37VRy9eyeuCh08Lot8xRGUg4jvxIgbX96irvAMGPb6EnhVIfLFCzvw0231bN0ySd4cUwqISkn96h4-PKFIiRQNEsy-pxUfVgX8CTenMBi8NWlPEPjmBnsHmGdn_kEJYrSq1Qh3DR012HUVk71Xe1sM96G2FQmwAXSGp4R0AABw_abdr1-uj4rvmg63EyGc3MplxI4qDumqy3UkRNiUXCtZx9l6eog9W870KeHqxlIKfO6hhyDB883lfAqM0fGoPbBhTsw
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openidc.lua:1012: openidc_load_jwt_and_verify_crypto(): using discovery to find key
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openidc.lua:117: openidc_cache_get(): cache hit: type=jwks key=http://authz_srv:8080/default/jwks#default
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openidc.lua:1040: openidc_load_jwt_and_verify_crypto(): jwt: {"raw_payload":"eyJzdWIiOiJyZWFkZXIiLCJuYmYiOjE3NzkzNDE5NTEsImlzcyI6Imh0dHA6Ly9hdXRoel9zcnY6ODA4MC9kZWZhdWx0IiwiZXhwIjoxNzc5MzQ1NTUxLCJpYXQiOjE3NzkzNDE5NTEsImp0aSI6IjRlNmI0YTcwLTRjM2EtNDU2MS05ZjBkLTNkMWEyMjg0MjI4MyIsInRpZCI6ImRlZmF1bHQifQ","valid":true,"verified":true,"payload":{"exp":1779345551,"iat":1779341951,"jti":"4e6b4a70-4c3a-4561-9f0d-3d1a22842283","tid":"default","nbf":1779341951,"sub":"reader","iss":"http://authz_srv:8080/default"},"signature":"WjEGdYLeDMYEAz2wB0bJmFzSP8xmy5ks5UhoBrUxat99dwDX7uf4agVUSfRKJhaa6C6ZIMRyv2KWLgwne37VRy9eyeuCh08Lot8xRGUg4jvxIgbX96irvAMGPb6EnhVIfLFCzvw0231bN0ySd4cUwqISkn96h4-PKFIiRQNEsy-pxUfVgX8CTenMBi8NWlPEPjmBnsHmGdn_kEJYrSq1Qh3DR012HUVk71Xe1sM96G2FQmwAXSGp4R0AABw_abdr1-uj4rvmg63EyGc3MplxI4qDumqy3UkRNiUXCtZx9l6eog9W870KeHqxlIKfO6hhyDB883lfAqM0fGoPbBhTsw","typ":"JWT","header":{"kid":"default","alg":"RS256","typ":"JWT"},"reason":"everything is awesome~ :p","raw_header":"eyJraWQiOiJkZWZhdWx0IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ"} ,valid: true, verified: true
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openidc.lua:1893: jwt_verify(): jwt: {"exp":1779345551,"iat":1779341951,"jti":"4e6b4a70-4c3a-4561-9f0d-3d1a22842283","tid":"default","nbf":1779341951,"sub":"reader","iss":"http://authz_srv:8080/default"}
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] openid-connect.lua:538: introspect(): token validate successfully by jwks
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] ctx.lua:281: __index(): serving ctx value from cache for key: uri
   apisix    | 2026/05/21 06:05:19 [notice] 56#56: *155827 [lua] Log.lua:29: info(): INFORequest: anonymous, /your-route, GET ---> false
   apisix    | , client: 172.21.0.2, server: _, request: "GET /your-route HTTP/1.1", host: "apisix:9080", request_id: "78478a277d4f2315c320770460f0cbb9"
   apisix    | 2026/05/21 06:05:19 [warn] 56#56: *155827 [lua] plugin.lua:1224: run_plugin(): authz-casbin exits with http status code 403, client: 172.21.0.2, server: _, request: "GET /your-route HTTP/1.1", host: "apisix:9080", request_id: "78478a277d4f2315c320770460f0cbb9"
   apisix    | 2026/05/21 06:05:19 [debug] 56#56: *155827 [lua] ctx.lua:281: __index(): serving ctx value from cache for key: apisix_upstream_response_time
   apisix    | 2026/05/21 06:05:19 [info] 56#56: *155827 client 172.21.0.2 closed keepalive connection
   apisix    | 172.21.0.2 - - [21/May/2026:06:05:19 +0000] apisix:9080 "GET /your-route HTTP/1.1" 403 39 0.000 "-" "curl/8.17.0" - - - "http://apisix:9080" "78478a277d4f2315c320770460f0cbb9"
   ```
   
   Folder in GitHub with my trial setup: https://github.com/sogis/next-p/tree/main/proxy
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.16.0
   - Operating system (run `uname -a`): Docker image apache/apisix:3.16.0-debian running on Ubuntu host
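Added example, not code from this issue or from APISIX: a Python model of the access-phase plugin ordering that reproduces the log above, running the three plugins by priority and then evaluating the Casbin policy from the log dump against the `sub` carried in the logged JWT. It assumes the upstream default priorities as I know them (serverless-pre-function 10000, openid-connect 2599, authz-casbin 2560), uses simplified stand-ins for the plugin bodies, and treats 2580 as a hypothetical slot for the function between the other two.

```python
import base64
import json

# APISIX default plugin priorities: higher runs first within the access phase.
# Upstream defaults as I know them; the plugin bodies below are simplified stand-ins.
DEFAULT_PRIORITY = {"serverless-pre-function": 10000, "openid-connect": 2599,
                    "authz-casbin": 2560}
# Policy rows taken from the casbin_enforcer dump in the log above: (sub, obj, act).
POLICY = [("reader", "/kbs*", "GET"), ("writer", "/kbs*", "*")]

def key_match(key1, key2):
    """Casbin keyMatch: a '*' in key2 matches any suffix of key1 from that point."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    return key1[:i] == key2[:i] if len(key1) > i else key1 == key2[:i]

def openid_connect(headers, claims):
    """Stand-in for set_userinfo_header: claims as base64-encoded JSON in X-Userinfo."""
    headers["X-Userinfo"] = base64.b64encode(json.dumps(claims).encode()).decode()

def copy_sub(headers, claims):
    """The reporter's serverless function, ported from Lua to Python."""
    raw = headers.get("X-Userinfo")
    decoded = json.loads(base64.b64decode(raw)) if raw else None
    if decoded and decoded.get("sub"):
        headers["X-Userinfo-Sub"] = decoded["sub"]

def authz_casbin(headers, claims, path, act):
    """username: X-Userinfo-Sub; a missing header is enforced as 'anonymous'."""
    sub = headers.get("X-Userinfo-Sub", "anonymous")
    allowed = any(key_match(sub, p_sub) and key_match(path, p_obj)
                  and key_match(act, p_act) for p_sub, p_obj, p_act in POLICY)
    return sub, allowed

def access_phase(function_priority, path="/your-route", act="GET"):
    """Run the three plugins in priority order; return (sub seen by casbin, allowed)."""
    claims = {"sub": "reader", "iss": "http://authz_srv:8080/default"}  # from the log's JWT
    plugins = [(DEFAULT_PRIORITY["openid-connect"], openid_connect),
               (function_priority, copy_sub),
               (DEFAULT_PRIORITY["authz-casbin"],
                lambda h, c: authz_casbin(h, c, path, act))]
    headers, decision = {}, None
    for _, plugin in sorted(plugins, key=lambda p: p[0], reverse=True):
        decision = plugin(headers, claims) or decision
    return decision

if __name__ == "__main__":
    print(access_phase(DEFAULT_PRIORITY["serverless-pre-function"]))  # ('anonymous', False)
    print(access_phase(2580, path="/kbs/notes"))  # function between the two: ('reader', True)
```

With the default priorities the function runs before openid-connect has written X-Userinfo, so casbin sees `anonymous` exactly as in the log; note also that the dumped policy only covers `/kbs*`, so `/your-route` stays denied even once the sub is `reader`.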
   