starsz commented on issue #2426: URL: https://github.com/apache/apisix/issues/2426#issuecomment-1091021687
> The reason could be that the openid-connect plugin probably checks if the user requested URI is identical to redirect_uri and if that is the case assumes that user has already been redirected back from the Auth server and should already have a valid session cookie. The plugin hence expects a session cookie and then fails with the error above if it finds no session state. @membphis or @moonming could you maybe confirm that this is what the plugin does?

Hi @david-woelfle. Yes, that's true. Now, Apache APISIX uses "lua-resty-openidc" to deal with the openid-connect logic. You can refer to the code here: https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L1472-L1481

> Assume you try to protect an upstream API with OpenID, say https://httpbin.org/image/png The exposed route for the upstream could be https://example.com/image/png If users without a session yet try to access https://example.com/image/png they should be redirected to the Auth server to redeem a session. (This redirect currently fails). After the authentication passed the users should be redirected back to the original target URI (https://example.com/image/png) because that is the resource they initially tried to access. (Please note that this is what the openid-connect plugin actually tries to do by default as redirect_uri has a default value of "ngx.var.request_uri", which is IMHO the right thing to do and absolutely correct. The docs are correct too, just the implementation in the plugin seems to have a bug ;) )

Here, I think you may misunderstand the usage of `redirect_uri`.

In fact:

* Assume you try to protect an upstream API with OpenID, say https://httpbin.org/image/png
* The exposed route for the upstream could be https://example.com/image/png
* If users without a session yet try to access https://example.com/image/png they should be redirected to the Auth server to redeem a session **and Apache APISIX will store the target_url (default is request URI) in session.** You can refer: https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L366-L371
* After the authentication passed, the Auth server will redirect to the `redirect_uri` (which is configured in Apache APISIX), and Apache APISIX will get the code and state from the redirection. You can refer: https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L1092-L1204
* And Apache APISIX will use the `code` and `state` to get the access_token, and use the access_token to get the user info.
* After this, Apache APISIX will redirect to the target URI (which is stored in the session, i.e. https://example.com/image/png). You can refer: https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L1205

So the flow should be like this:

In conclusion, it's a bug. But I think it's a little bit hard to fix.

> Refer to the following link, I solved my problem. https://stackoverflow.com/questions/49338403/openidc-with-keycloak-error-uthenticate-request-to-the-redirect-uri-path-but Your redirect URI must not be set to "/" but to some arbitrary path that is not supposed to return content (like /redirect_uri). It is a "vanity" URL that is handled by lua-resty-openidc

It's a quick way to fix it.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
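The branching described in the comment above, as an added toy model that is not lua-resty-openidc's or APISIX's code: a request whose path equals the `redirect_uri` path is treated as the IdP callback and fails when no session state exists, so protecting `/image/png` with `redirect_uri` also set to `/image/png` breaks on the very first request, while a dedicated vanity path such as `/redirect_uri` lets the flow complete. `AUTH_ENDPOINT`, the session dict and the callback query values are constructed assumptions.

```python
# Toy model of the authenticate() decision in lua-resty-openidc as described
# in the comment. Constructed example, not the plugin's code.
from urllib.parse import urlparse, parse_qs, urlencode
import secrets

AUTH_ENDPOINT = "https://idp.example/authorize"  # constructed placeholder

def authenticate(request_uri, session, redirect_uri):
    """Return (action, value): 'error', 'redirect' or 'allow'."""
    parsed = urlparse(request_uri)
    if parsed.path == urlparse(redirect_uri).path:
        # The request hits the redirect_uri path: treat it as the IdP callback
        # and require the state that was stored when the user was sent away.
        if "state" not in session:
            return ("error", "request to the redirect_uri path but there's "
                             "no session state found")
        query = parse_qs(parsed.query)
        if query.get("state", [None])[0] != session["state"]:
            return ("error", "state mismatch")
        # Code-for-token exchange omitted; record the user and go back to
        # the target_url remembered in the session.
        session["user"] = "user-for-code-" + query.get("code", [""])[0]
        session.pop("state")
        return ("redirect", session.pop("target_url"))
    if "user" not in session:
        # No session yet: remember the target, then send the user to the IdP.
        session["state"] = secrets.token_hex(8)
        session["target_url"] = request_uri
        params = {"redirect_uri": redirect_uri, "state": session["state"]}
        return ("redirect", AUTH_ENDPOINT + "?" + urlencode(params))
    return ("allow", session["user"])

def run_flow(redirect_uri, protected="/image/png"):
    """Drive one user through the flow; return (actions, last value)."""
    session, trace = {}, []
    action, value = authenticate(protected, session, redirect_uri)
    trace.append(action)
    if action != "redirect":
        return trace, value
    # Simulate the IdP sending the browser back with code and state.
    callback = f"{redirect_uri}?code=abc123&state={session['state']}"
    action, value = authenticate(callback, session, redirect_uri)
    trace.append(action)
    if action == "redirect":
        action, value = authenticate(value, session, redirect_uri)
        trace.append(action)
    return trace, value
```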
