MirtoBusico commented on issue #6345:
URL: https://github.com/apache/apisix/issues/6345#issuecomment-1046303035


   Well, with the new framework I'm not able to complete the login redirect.
   I created two routes:
   
   - a simple route for **https://www.m01.net** without any plugin 
   - a route for **https://www.m01.net/user/*** with proxy-rewrite and openid-connect plugins
   
   All routes use an httpbin service as upstream
   
   The first route definition is
   ```
   {
     "uri": "/",
     "name": "m01-www-home",
     "desc": "home page for entire application",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE"
     ],
     "host": "www.m01.net",
     "plugins": {
       "redirect": {
         "http_to_https": true
       }
     },
     "upstream_id": "394941006623015714",
     "status": 1
   }
   ```
   The second route definition is 
   ```
   {
     "uri": "/user/*",
     "name": "m01-www-user",
     "desc": "services for users - access with authentication and role=user",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE"
     ],
     "host": "www.m01.net",
     "plugins": {
       "openid-connect": {
         "access_token_in_authorization_header": true,
         "bearer_only": false,
         "client_id": "apisix",
         "client_secret": "CFejdjaiPNgGXMQub467j10OzcuK43tB",
         "disable": false,
         "discovery": "https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
         "introspection_endpoint_auth_method": "client_secret_post",
         "logout_path": "/logout",
         "realm": "apisix_test_realm",
         "redirect_uri": "https://www.m01.net/*",
         "scope": "openid profile"
       },
       "proxy-rewrite": {
         "regex_uri": [
           "^/user/(.*)",
           "/$1"
         ]
       },
       "redirect": {
         "http_to_https": true
       }
     },
     "upstream_id": "394941006623015714",
     "status": 1
   }
   ```
   The first route works (the httpbin home page is partially shown - other parts of the page that have a path different from "/" are not served by the route)
   The second route works without the openid-connect plugin and the url "https://www.m01.net/user/headers" shows correctly the httpbin headers page
   
   Adding to the second route this openid-connect definition
   ```
   {
       "client_id":"apisix",
       "client_secret":"CFejdjaiPNgGXMQub467j10OzcuK43tB",
       "discovery":"https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
       "scope":"openid profile",
       "bearer_only":false,
       "realm":"apisix_test_realm",
       "introspection_endpoint_auth_method":"client_secret_post",
       "redirect_uri":"https://www.m01.net/*",
       "access_token_in_authorization_header":true,
       "logout_path":"/logout"
   }
   ```
   Now trying to access the url "https://www.m01.net/user/headers" shows the keycloak login page, executes the login, but I receive an error
   ```
   {"error_msg":"404 Route Not Found"}
   ```
   on this redirected url
   ```
   https://www.m01.net/*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae
   ```
   In the apisix log I see
   ```
   2022-02-20T19:09:37.263Z | 2022/02/20 19:09:37 [alert] 47#47: *1726843 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt) while processing HTTP/2 connection, client: 127.0.0.6, server: 0.0.0.0:9443
   2022-02-20T19:09:40.260Z | 127.0.0.6 - - [20/Feb/2022:19:09:37 +0000] www.m01.net "GET /user/headers HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
   2022-02-20T19:09:44.430Z | 127.0.0.6 - - [20/Feb/2022:19:09:41 +0000] www.m01.net "GET /*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae HTTP/2.0" 404 36 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
   2022-02-20T19:09:44.430Z | 127.0.0.6 - - [20/Feb/2022:19:09:41 +0000] www.m01.net "GET /favicon.ico HTTP/2.0" 404 36 0.000 "https://www.m01.net/*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
   ```
   Maybe there is a conflict with the proxy-rewrite plugin
   
   Now I'll try to find an echo program to replace httpbin so as to avoid the rewrite rules
   


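Added example, not part of the original comment and not APISIX code: the access log above shows the browser requesting the literal path `/*` after login, so this sketch checks which route, if any, would receive the callback for a given `redirect_uri`. The matching rules are a simplified model (trailing `*` as prefix match, otherwise exact, longest uri wins), the routes are reduced copies of the two in the comment, and `/user/callback` is a hypothetical path.

```python
import json
from urllib.parse import urlsplit

# Constructed input: the two routes from the comment, reduced to the fields
# that decide matching. The matching rules below are a simplified model.
ROUTES = json.loads("""[
  {"name": "m01-www-home", "host": "www.m01.net", "uri": "/", "plugins": {}},
  {"name": "m01-www-user", "host": "www.m01.net", "uri": "/user/*",
   "plugins": {"openid-connect": {"redirect_uri": "https://www.m01.net/*"}}}
]""")


def uri_matches(pattern, path):
    """Trailing '*' in a route uri means prefix match; otherwise exact match."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def find_route(routes, host, path):
    """Return the most specific (longest uri) route covering host + path."""
    hits = [r for r in routes
            if r.get("host") in (None, host) and uri_matches(r["uri"], path)]
    return max(hits, key=lambda r: len(r["uri"]), default=None)


def check_callback(routes, redirect_uri):
    """Classify where the browser lands when the IdP redirects back."""
    parts = urlsplit(redirect_uri)
    route = find_route(routes, parts.hostname, parts.path or "/")
    if route is None:
        return "no-route"            # gateway answers 404 Route Not Found
    if "openid-connect" not in route.get("plugins", {}):
        return "route-without-oidc"  # nothing there consumes code/state
    return "ok:" + route["name"]


if __name__ == "__main__":
    # The first value is the one from the comment; the last is hypothetical.
    for candidate in ("https://www.m01.net/*",
                      "https://www.m01.net/",
                      "https://www.m01.net/user/callback"):
        print(candidate, "->", check_callback(ROUTES, candidate))
```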