jenskeiner commented on issue #2347: URL: https://github.com/apache/apisix/issues/2347#issuecomment-759439652
@Caelebs Sorry I'm late to this conversation. The `openid-connect` plugin enforces that a valid bearer token is present in incoming requests. It supports different modes of operation. When setting `bearer_only` to `true`, it will basically act as a resource server (RS) and only validate incoming tokens. If no token is presented or if it is invalid, the request is rejected.

Additionally, if `bearer_only` is `false`, the plugin will answer with a redirect to the ID provider's authorization endpoint to initiate the OIDC authorization code flow. In this case, the plugin acts as a Relying Party (RP). This only really works nicely if you're sending the initial request from a web browser that will follow the redirect and present you with the ID provider's authentication options, typically some sort of login form. More redirects follow until the plugin can obtain a token on your behalf and store it for you, typically in a session cookie. Subsequent requests then send the cookie, and the plugin can extract the token from there and validate it. The RP flow is not really suitable for service-to-service communication, where redirects may often be undesired.

The `authz-keycloak` plugin will be of no use here, since it's only concerned with authorization of already authenticated requests. It already expects a (valid) token in a request header (so you should use the `openid-connect` plugin in front of it to enforce that the token gets put into the `Authorization` header when it's coming in through a cookie). It then leverages Keycloak's half-standardized Authorization Services API endpoints to check if the requestor has the needed permissions.

Let me know if I can help you with the setup, because I've got both plugins running together with Keycloak just fine now (after some recent code changes). You should be able to get the RP flow working if your ID provider/authentication service is OIDC compliant.
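As an added illustration of the two-plugin chain described in the comment above (this is not configuration from the issue author or from the APISIX project; it is an example route in APISIX's standalone `apisix.yaml` format, and the Keycloak hostname, realm name, client id, client secret and the `article:read` permission are all placeholder values):

```yaml
# Example route: openid-connect in resource-server mode (bearer_only: true)
# rejects requests without a valid token, then authz-keycloak asks Keycloak's
# Authorization Services whether the token holder has the required permission.
routes:
  - uri: /api/articles/*
    plugins:
      openid-connect:
        # Placeholder values; replace with your own Keycloak realm and client.
        client_id: "apisix-gateway"
        client_secret: "REPLACE_WITH_CLIENT_SECRET"
        discovery: "https://keycloak.example.test/auth/realms/demo/.well-known/openid-configuration"
        realm: "demo"
        # RS mode: validate the presented bearer token only, never redirect.
        # Service-to-service callers must obtain their token elsewhere
        # (e.g. client-credentials grant) and send it as a bearer token.
        bearer_only: true
        # Make sure the validated token ends up in the Authorization header
        # so the downstream authz-keycloak plugin can read it from there.
        set_access_token_header: true
        access_token_in_authorization_header: true
      authz-keycloak:
        # Placeholder token endpoint of the same realm.
        token_endpoint: "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/token"
        grant_type: "urn:ietf:params:oauth:grant-type:uma-ticket"
        # Placeholder resource#scope permission defined in Keycloak.
        permissions:
          - "article#read"
        # Client id of the resource server whose policies Keycloak evaluates.
        audience: "apisix-gateway"
        # Leave TLS verification on; only disable it in a throw-away lab.
        ssl_verify: true
    upstream:
      type: roundrobin
      nodes:
        "127.0.0.1:8080": 1
#END
```

For the browser-facing RP flow the comment describes, the same route would set `bearer_only: false` (and usually a `redirect_uri`) so that an unauthenticated request is answered with a redirect to Keycloak's login page and the resulting token is kept in the session cookie; for machine clients, keep `bearer_only: true` so that a missing or invalid token is rejected with an error instead of a redirect. Either way, `openid-connect` handles authentication and `authz-keycloak` only decides whether the already-authenticated caller is allowed to perform the action.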
