apache / apisix-dashboard

Dashboard for Apache APISIX
https://apisix.apache.org/
Apache License 2.0

Unable to login with oidc enabled #2895

Open rastiehaiev opened 11 months ago

rastiehaiev commented 11 months ago

Issue description

I'm using 3.0.0-alpine tag of apisix-dashboard Docker image. I configure oidc with Google provider. Then:

  1. When I enter dashboard link in browser, it redirects me to /apisix/admin/user/login (it's not a redirect actually, it just replaces the URL path and renders basic auth login page). If I have oidc enabled, why does it redirect me to basic auth?
  2. When I manually enter /apisix/admin/oidc/login, the authorisation completes successfully and then leaves me on empty /apisix/admin/oidc/callback not redirecting to root, authorised (oidc cookie is present and the response from callback has 200 status code - link to codebase).
  3. Even when I then manually enter apisix dashboard root link, UI thinks that I'm unauthorised as there is no token in browser's local storage - link to codebase.

The latest version of apisix dashboard image is 3.0.1 at the moment but it doesn't fix the mentioned problems.

Expected behavior

  1. If oidc enabled, redirect unauthorised user to /apisix/admin/oidc/login.
  2. After successful oidc authorisation, redirect user to dashboard root.
  3. REST API itself does not require token to be in browser's local storage. oidc session via cookie is enough to authorise requests (I checked it executing API request /apisix/admin/upstreams?page=1&page_size=10 after oidc authorisation and it worked).

How to Reproduce

  1. Install apisix dashboard with oidc config and make it available via $YOUR_DASHBOARD_HOST.
  2. Go to apisix dashboard: $YOUR_DASHBOARD_HOST/. It redirects you to $YOUR_DASHBOARD_HOST/apisix/admin/user/login.
  3. Enter manually the following link: $YOUR_DASHBOARD_HOST/apisix/admin/oidc/login. Follow google auth instructions and be redirected to $YOUR_DASHBOARD_HOST/apisix/admin/oidc/callback.
  4. Go to apisix dashboard: $YOUR_DASHBOARD_HOST/. It redirects you to $YOUR_DASHBOARD_HOST/apisix/admin/user/login anyway even though you have just logged in with oidc.

Screenshots

No response

Environment

Additional context

No response
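The three expected behaviours from the issue body, modelled as a small net/http handler set. This is an added example, not apisix-dashboard's own code: the login paths are taken from the issue, while the cookie name `oidc_session` and the single credential validator passed to the handlers are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed model of the behaviour the issue expects; not apisix-dashboard
// code. The two paths come from the issue; the cookie name is assumed.
const (
	oidcLoginPath  = "/apisix/admin/oidc/login"
	basicLoginPath = "/apisix/admin/user/login"
	sessionCookie  = "oidc_session" // assumed cookie name
)

// Expected behaviour 1: with OIDC enabled, unauthenticated users go to the OIDC login page.
func loginRedirectTarget(oidcEnabled bool) string {
	if oidcEnabled {
		return oidcLoginPath
	}
	return basicLoginPath
}

// Expected behaviour 3: a bearer token or a valid session cookie both authenticate (no localStorage token); one validator assumed.
func isAuthenticated(r *http.Request, valid func(string) bool) bool {
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		return valid(strings.TrimPrefix(auth, "Bearer "))
	}
	c, err := r.Cookie(sessionCookie)
	return err == nil && valid(c.Value)
}

// Expected behaviour 2: after the provider returns, set the session cookie and redirect to root, not stop on the callback URL.
func callbackHandler(w http.ResponseWriter, r *http.Request, sessionID string) {
	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: sessionID, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	http.Redirect(w, r, "/", http.StatusFound)
}

// requireAuth guards a handler; unauthenticated requests are redirected to login.
func requireAuth(oidcEnabled bool, valid func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAuthenticated(r, valid) {
			http.Redirect(w, r, loginRedirectTarget(oidcEnabled), http.StatusFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() { fmt.Println("login page:", loginRedirectTarget(true)) }
```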

kanakamamidiakhil commented 11 months ago

Hello, I'm interested in working on this issue. Could you please assign it to me? Thanks!

rastiehaiev commented 11 months ago

@kanakamamidiakhil I'm not sure I have permissions to assign tasks.

DerLinne commented 10 months ago

Hey,

I have the same issue - I thought it was a problem in my helm chart extension.

When this is solved, I would be able to contribute the extended helm chart to configure the OIDC values via helm chart. This runs now.

@kanakamamidiakhil If you need test support - esp. embedded in a K8s Deployment, give me a hint.

kanakamamidiakhil commented 10 months ago

Okay @DerLinne, working on it, will inform you when it's done.

spantaleev commented 9 months ago

I needed this for a project, so I worked on a fix in the fix-sso branch of my fork, which is based on current master (currently ad697c643908faf99fb33a0970f6d95573fcca87).

I've published a prebuilt container image for amd64 here: https://hub.docker.com/r/devture/apisix-dashboard (docker.io/devture/apisix-dashboard:sso-fixes).

As the commit message for https://github.com/devture/apisix-dashboard/commit/6ebb212eef5ad42df05dfaa873a92a7b5bc115df says, no auto-detection for OIDC support is done yet, so the SSO via OIDC tab always appears on the login page. This is fine for those of us currently affected by this issue, but additional work needs to be done before this can land into master.
If this approach to fixing the SSO issue seems in line with what the APISIX Dashboard team envisions, I may be able to spend a little more time on it and prepare my patches for getting upstreamed.

If anyone else would like to pick my fork/branch up and finish off the remaining work (e.g. auto-detection / auto-configuration of the login page based on the enabled/supported login methods), please go ahead!

malanverestack commented 8 months ago

Hi there, any progress on this bugfix?

restack-devanb commented 8 months ago

Running into the same issue, have the commits been tested and merged as of yet? A form of authentication beyond basic is really needed in a system aiming for ultimate security.

edwin-Marrima commented 8 months ago

Running into the same issue. Any update on this bugfix?

singhajitk commented 7 months ago

I am using apisix-dashboard (version 3.0.0) and facing the same issue when integrating with keycloak. Any update on the fix?

lework commented 6 months ago

@spantaleev Thanks for the fix, is it possible to provide a v2.15.1 version of the fix? Would also like you to mention a PR.

aapelismith commented 6 months ago

fix-sso @spantaleev Are there plans to add the configuration "authenticated-emails" for the allowed email list? Allowing everyone (SSO user) to log in may not be secure.

spantaleev commented 6 months ago

Both patches in my fix-sso branch can be applied cleanly against v3.0.1 and v2.15.1 (git cherry-pick fb0c5d16eaa616a36daed3f012e6c0a1261cc5a4 6ebb212eef5ad42df05dfaa873a92a7b5bc115df).

That said, I'm not providing prebuilt container images for these, because doing so takes some manual work and I don't have the time to do it now.

As for an "authenticated-emails" configuration option: for now I have no plans to spend additional time on this. My patches only fix things up, so that the existing OIDC feature (in its current state) would start working.