[GitHub] [apisix] haowang-pony edited a comment on issue #5253: request help: Apisix use as apisix ingress controller and integrate with keycloak

Sun, 17 Oct 2021 20:33:57 -0700 


haowang-pony edited a comment on issue #5253:
URL: https://github.com/apache/apisix/issues/5253#issuecomment-945332261


   > `authz-keycloak` alse connect with keycloak server, take a look 
at:https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/authz-keycloak.md#examples
   
   Seems we have some gap for this. Let me illustrate my questions again:
   
   1. I never said the `auth-keycloak` couldn't connet to keycloak. My meaning 
is if I want to use `auth-keycloak` plugin, the request from client to apisix 
has to add access token in header.
    ![Screenshot 
(48)](https://user-images.githubusercontent.com/67166358/137663446-036053f9-f0dc-4712-a15c-6bbdde6b3768.png)
   
   I also checked 
[code](https://github.com/apache/apisix/blob/c46213a6e2e579f59473a0145940bbe05a0aebfb/apisix/plugins/authz-keycloak.lua#L693).
 **This plugin did check the jwt token firstly. This is not what I want.** 
   
   I want to implement this architecture: The user don't need to add jwt token 
when talk with apisix. After receive request from user, the apisix could ask 
keycloak and onelogin to authenticate this request. And then froward request 
back to apisix. The apisix checked the jwt token already in header and redirect 
the request to service.  
   
![137556507-e333f3ce-05aa-4525-af0d-002ea02933c5](https://user-images.githubusercontent.com/67166358/137663756-7f84f55a-bae2-42e9-b1fc-f0aecce4b914.png)
   
   **Therefore, I think the `auth-keycloak` is not work for my case.** 
   
   2. I think the `openid-connect` is suitable plugin for my usage after 
reading [this 
article](https://apisix.apache.org/blog/2021/08/25/Using-the-Apache-APISIX-OpenID-Connect-Plugin-for-Centralized-Authentication/).
 
   
   As for `openid-connect`, it doesn't require me add jwt token when user first 
talk to apisix. 
    
   ![Screenshot 
(49)](https://user-images.githubusercontent.com/67166358/137664632-2b1e4d30-1c96-426d-8e0a-4bab5a81b382.png)
   
   Actually I care more about the second question which is the question I want 
to ask in this pr. **I just want to whether openid-connect could read jwt token 
from cookie or not.** If not, could I come up with this feature request? For 
your convenience, the related code could be found at here 
https://github.com/apache/apisix/blob/153e643674f13df98fb0929085ff61240aa73c66/apisix/plugins/openid-connect.lua#L294.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to