david-woelfle commented on issue #2426: URL: https://github.com/apache/apisix/issues/2426#issuecomment-1092126054
Thank you for the detailed insights @starsz and for the super fast reply to @membphis and @moonming!

> Hi @david-woelfle. Yes, that's true. Now, Apache APISIX uses "lua-resty-openidc" to deal with the openid-connect logic. You can refer to the code here:
>
> https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L1472-L1481

I see the problem. OK I should probably open an issue in that repo then, right?

> So the flow should be like this:

Thanks once more, the graph and the explanation above are really useful for me. But there is one thing which I do not understand, maybe you can help me out with, it's about this step:

> After the authentication passed, the Auth server will redirect to the redirect_uri (which is config in Apache APISIX), and Apache APISIX will get the code and state from the redirection. You can refer: https://github.com/zmartzone/lua-resty-openidc/blob/a468d13283d62ef5e3d14f02404294f7777c053d/lib/resty/openidc.lua#L1092-L1204

Seems like the `redirect_uri` (aka the `proxiex-token-url` in your sequence diagram) is an internal endpoint that APISIX needs to finish the auth process, that is, to trigger the exchange of the code for an access token, right? It doesn't even depend on the upstream/resource server at all as those are not involved in the information exchange. Neither is the user btw. and the user agent just follows redirects.

Now the question: Why should the admin of an APISIX gateway decide about the `redirect_uri` at all? Couldn't APISIX provide some generic auth callback endpoint that is automatically sent to the auth server? I mean like e.g. Grafana that provides a hardcoded endpoint (https://your-grafana-server/login/generic_oauth -> [see docs here](https://your-grafana-server/login/generic_oauth)).
