jp-gouin opened a new issue #3593: URL: https://github.com/apache/apisix/issues/3593
### Issue description

Hi, I'm trying to implement a use case for Apisix and Apisix ingress controller. It uses Keycloak as OIDC provider and the following Apisix plugins:

- OIDC (relay and introspection)
- authz-keycloak (fine-grain, `lazy_path` and `http_methods_as_scope`)
- Cors (with `allow_credentials`)

I have a web application, a backend for this webapp and an external API.

- This webapp calls an API exposed by its backend
- The backend then calls an external API
- The webapp also calls the external API directly **(and this is where it fails)**

Here is the configuration for the webapp:

```
apiVersion: apisix.apache.org/v1
kind: ApisixRoute
metadata:
  name: foo-route
  namespace: poc-front-app
spec:
  rules:
  - host: myawesomeapp.pocpoc.poc
    http:
      paths:
      - backend:
          serviceName: poc-front-appsvc
          servicePort: 80
        path: /*
        plugins:
        - name: openid-connect
          enable: true
          config:
            client_id: poc-apisix
            client_secret: edffb54f-3b2d-48a0-abcd-d2891824a722
            discovery: https://keycloak.example.lan/auth/realms/master/.well-known/openid-configuration
            introspection_endpoint: https://keycloak.example.lan/auth/realms/master/protocol/openid-connect/token/introspect
            bearer_only: false
            realm: master
            access_token_in_authorization_header: true
            introspection_endpoint_auth_method: "client_secret_basic"
            redirect_uri: "/redirect_uri"
```

Resources of the API:

```
apiVersion: apisix.apache.org/v1
kind: ApisixRoute
metadata:
  name: foo-route
  namespace: poc-go-api
spec:
  rules:
  - host: myawesomeapi.pocpoc.poc
    http:
      paths:
      - backend:
          serviceName: poc-go-apisvc
          servicePort: 80
        path: /*
        plugins:
        - name: cors
          enable: true
          config:
            allow_credential: true
            allow_origins: http://myawesomeapp.pocpoc.poc:30438,http://myawesomeapi.pocpoc.poc:30438
            allow_methods: HEAD,GET,POST,PUT,PATCH,DELETE
            expose_headers: Set-Cookie,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,openID,audiotoken
            allow_headers: Set-Cookie,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,openID,audiotoken
            #allow_origins: "**"
            #allow_methods: "**"
            #expose_headers: "**"
            #allow_headers: "**"
        - name: authz-keycloak
          enable: true
          config:
            token_endpoint: https://keycloak.example.lan/auth/realms/master/protocol/openid-connect/token
            #permissions: ["View authors resources#authors:GET"]
            http_method_as_scope: true
            lazy_load_paths: true
            client_id: poc-apisix
            audience: poc-apisix
            client_secret: edffb54f-3b2d-48a0-abcd-d2891824a722
            discovery: https://keycloak.example.lan/auth/realms/master/.well-known/uma2-configuration
            realm: master
            ssl_verify: false
```

**First (working) scenario**

Here is the schematic of the use case and what is working and not:

I can see in my backends that I have an Authorization header (guessing that it came from the Apisix plugin directly).

Now I also have an external API exposed through Apisix as well; here is the configuration: I use the Cors plugin to allow cross calls and I also use the keycloak plugin to perform fine-grain authorisation on the incoming request.

When the call is made by the backend of the webapp (and by manually setting the Authorization header from the request from the webapp on the request to the external API), everything works fine.

**Not working scenario**

But when the call is made directly by the web application (using Cors) there is no session cookie in the request nor Authorization header...

And the answer from Apisix is pretty explicit: `{"message":"Missing JWT token in request"}`

The Cors plugin is configured with `allow_credential: true` and I can see this in the `GET response from the server`:

```
HTTP/1.1 401 Unauthorized
Date: Sun, 14 Feb 2021 14:57:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.3
Access-Control-Allow-Origin: http://myawesomeapp.pocpoc.poc:30438
Vary: Origin
Access-Control-Allow-Methods: HEAD,GET,POST,PUT,PATCH,DELETE
Access-Control-Max-Age: 5
Access-Control-Expose-Headers: Set-Cookie,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,openID,audiotoken
Access-Control-Allow-Headers: Set-Cookie,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,openID,audiotoken
Access-Control-Allow-Credentials: true
```

So how to have this Authorization header? Is this something Apisix can add like for the first scenario?

Thanks!

### Environment

* apisix version (cmd: `apisix version`): 2.3-alpine
* OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
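To make the cross-origin part of the issue concrete, here is an added example (not APISIX code, and not the reporter's) that models how a gateway applies a CORS policy like the `cors` plugin config above to a browser request's `Origin`, including the rule that an explicit origin must be echoed back and credentials must be explicitly allowed before the browser will attach cookies and let the page read the response. `CorsPolicy`, `cors_headers` and the shortened header lists are assumptions of this example.

```python
# Added, simplified model of a gateway CORS policy; it is not the APISIX
# cors plugin implementation and only models the generic CORS rules.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CorsPolicy:
    allow_origins: List[str]
    allow_methods: List[str]
    allow_headers: List[str]
    expose_headers: List[str]
    allow_credential: bool = False
    max_age: int = 5

    @classmethod
    def from_plugin_config(cls, cfg: dict) -> "CorsPolicy":
        split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
        return cls(split(cfg["allow_origins"]), split(cfg["allow_methods"]),
                   split(cfg["allow_headers"]), split(cfg["expose_headers"]),
                   bool(cfg.get("allow_credential", False)))


# Constructed from the issue's cors plugin config (header lists shortened).
ISSUE_CORS_CONFIG = {
    "allow_credential": True,
    "allow_origins": "http://myawesomeapp.pocpoc.poc:30438,http://myawesomeapi.pocpoc.poc:30438",
    "allow_methods": "HEAD,GET,POST,PUT,PATCH,DELETE",
    "expose_headers": "Set-Cookie,Content-Type,Authorization",
    "allow_headers": "Content-Type,Authorization",
}
POLICY = CorsPolicy.from_plugin_config(ISSUE_CORS_CONFIG)


def cors_headers(policy: CorsPolicy, origin: Optional[str]) -> Dict[str, str]:
    """Access-Control-* headers the gateway adds for a request with this Origin.
    Returns {} when nothing is added (no Origin header, or origin not allowed),
    which makes the browser block the response for a cross-origin page."""
    if origin is None:
        return {}  # same-origin or non-browser client: nothing to add
    if policy.allow_credential and "*" in policy.allow_origins:
        # Browsers reject a wildcard origin on a credentialed request.
        raise ValueError("allow_credential requires explicit origins, not '*'")
    if "*" in policy.allow_origins:
        return {"Access-Control-Allow-Origin": "*"}
    if origin not in policy.allow_origins:
        return {}  # not on the allow list: origin is not echoed back
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin",
               "Access-Control-Allow-Methods": ",".join(policy.allow_methods),
               "Access-Control-Max-Age": str(policy.max_age),
               "Access-Control-Expose-Headers": ",".join(policy.expose_headers),
               "Access-Control-Allow-Headers": ",".join(policy.allow_headers)}
    if policy.allow_credential:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Note that these headers only control whether the browser is allowed to send credentials and read the response; they do not themselves add a cookie or Authorization header to the request, which is why a 401 can carry a complete, correct CORS header set as in the response above.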