Open mc-round2 opened 8 months ago
Can you show your config.yaml and router JSON config?
"error": "invalid_grant"
Double check if your request's grant type is valid?
It is. I'm using Client Credentials, which work fine with other applications.
I'm using Kubernetes, so I define everything in a values-wtv.yaml and a values.yaml.
values-wtv.yaml:
```yaml
apisix:
  replicaCount: 3
  apisix:
    admin:
      credentials:
        admin: "<path:wtv#admin>"
        viewer: "<path:wtv#viewer>"
    pluginAttrs:
      opentelemetry:
        resource:
          service.name: APISIX
        collector:
          address: wtv:4318
          request_timeout: 3
  etcd:
    persistence:
      storageClass: "cinder-standard-delete"
  ingress-controller:
    enabled: true
    config:
      apisix:
        serviceNamespace: wtv
        serviceName: wtv
        adminAPIVersion: v3
        adminKey: "<path:wtv#adminKey>"
  dashboard:
    enabled: true
    config:
      conf:
        etcd:
          endpoints:
            - apisix-wtv-etcd:2379
      authentication:
        users:
          - username: "<path:wtv#username>"
            password: "<path:wtvv#password>"
    ingress:
      enabled: true
      hosts:
        - host: "wtv-dashboard-wtv.wtv.wtv"
          paths:
            - "/"
redis:
  master:
    resources:
    persistence:
      storageClass: cinder-standard-delete
  replica:
    replicaCount: 1
    persistence:
      storageClass: cinder-standard-delete
```
values.yaml:
```yaml
apisix:
  metrics:
    serviceMonitor:
      enabled: true
  service:
    externalTrafficPolicy: Local
  apisix:
    plugins: # plugin list (sorted by priority)
      - real-ip # priority: 23000
      - ai # priority: 22900
      - client-control # priority: 22000
      - proxy-control # priority: 21990
      - request-id # priority: 12015
      - zipkin # priority: 12011
      #- skywalking # priority: 12010
      - opentelemetry # priority: 12009
      - ext-plugin-pre-req # priority: 12000
      - fault-injection # priority: 11000
      - mocking # priority: 10900
      - serverless-pre-function # priority: 10000
      #- batch-requests # priority: 4010
      - cors # priority: 4000
      - ip-restriction # priority: 3000
      - ua-restriction # priority: 2999
      - referer-restriction # priority: 2990
      - csrf # priority: 2980
      - uri-blocker # priority: 2900
      - request-validation # priority: 2800
      - chaitin-waf # priority: 2700
      - multi-auth # priority: 2600
      - openid-connect # priority: 2599
      - cas-auth # priority: 2597
      - authz-casbin # priority: 2560
      - authz-casdoor # priority: 2559
      - wolf-rbac # priority: 2555
      - ldap-auth # priority: 2540
      - hmac-auth # priority: 2530
      - basic-auth # priority: 2520
      - jwt-auth # priority: 2510
      - jwe-decrypt # priority: 2509
      - key-auth # priority: 2500
      - consumer-restriction # priority: 2400
      - forward-auth # priority: 2002
      - opa # priority: 2001
      - authz-keycloak # priority: 2000
      #- error-log-logger # priority: 1091
      - proxy-cache # priority: 1085
      - body-transformer # priority: 1080
      - proxy-mirror # priority: 1010
      - proxy-rewrite # priority: 1008
      - workflow # priority: 1006
      - api-breaker # priority: 1005
      - limit-conn # priority: 1003
      - limit-count # priority: 1002
      - limit-req # priority: 1001
      #- node-status # priority: 1000
      #- brotli # priority: 996
      - gzip # priority: 995
      - server-info # priority: 990
      - traffic-split # priority: 966
      - redirect # priority: 900
      - response-rewrite # priority: 899
      - degraphql # priority: 509
      - kafka-proxy # priority: 508
      #- dubbo-proxy # priority: 507
      - grpc-transcode # priority: 506
      - grpc-web # priority: 505
      - public-api # priority: 501
      - prometheus # priority: 500
      - datadog # priority: 495
      - loki-logger # priority: 414
      - elasticsearch-logger # priority: 413
      - echo # priority: 412
      - loggly # priority: 411
      - http-logger # priority: 410
      - splunk-hec-logging # priority: 409
      - skywalking-logger # priority: 408
      - google-cloud-logging # priority: 407
      - sls-logger # priority: 406
      - tcp-logger # priority: 405
      - kafka-logger # priority: 403
      - rocketmq-logger # priority: 402
      - syslog # priority: 401
      - udp-logger # priority: 400
      - file-logger # priority: 399
      - clickhouse-logger # priority: 398
      - tencent-cloud-cls # priority: 397
      - inspect # priority: 200
      #- log-rotate # priority: 100
      # <- recommend to use priority (0, 100) for your custom plugins
      - example-plugin # priority: 0
      #- gm # priority: -43
      #- ocsp-stapling # priority: -44
      - aws-lambda # priority: -1899
      - azure-functions # priority: -1900
      - openwhisk # priority: -1901
      - openfunction # priority: -1902
      - serverless-post-function # priority: -2000
      - ext-plugin-post-req # priority: -3000
      - ext-plugin-post-resp # priority: -4000
```
For the route:
```yaml
spec:
  http:
    - match:
        hosts:
          - wtv.wtv.wtv
        paths:
          - /wtv/wtv/*
      name: rule
      plugins:
        - config:
            host: wtv-wtv-wtv.wtv.wtv
            uri: /api
          enable: true
          name: proxy-rewrite
      upstreams:
        - name: wtv-wtv-wtv-upstream
```
For the upstream:
```yaml
spec:
  externalNodes:
    - name: wtv-wtv-wtv.wtv.wtv
      type: Domain
  scheme: https
```
I can also add that before trying the authz-keycloak plugin, I was trying the openid-connect one and my issue was the complete opposite... every token was being accepted.
I leave the link to the other issue here https://github.com/apache/apisix/issues/11018 just in case... since I still have not figured out that one, and that's why we are now trying this other plugin :/
Description
Hi,
I'm trying to use the plugin authz-keycloak to authenticate my APIs; however, I keep getting a 401 with:
My token is 100% valid (I double-checked it using another application), so that's definitely not the issue.
My configuration is as follows:
I set ssl_verify as false because we use self-signed certificates.
In my token I have:
So, as far as I can tell, my permissions seem correct(?)
As far as logs, I can only see:
I found https://github.com/apache/apisix/issues/4616 and https://github.com/apache/apisix/issues/4645 but that seemed to lead to a deadend.
Environment
Trying using the Dashboard.
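As an added example (not code from this issue or from the APISIX project), a small Python check of the claims worth inspecting when authz-keycloak rejects a token that another application accepts: expiry, whether the plugin's client_id appears in `aud`/`azp`, and the client roles under `resource_access`. The token, client name (`my-api`) and role (`reader`) are constructed for illustration; the signature is a dummy and is not verified here (that is APISIX's and Keycloak's job), so this is a claims sanity check, not a validation.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWS compact serialization does."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token: header.payload.signature with a dummy signature.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "exp": int(time.time()) + 300,
        "aud": ["my-api"],
        "azp": "my-api",
        "resource_access": {"my-api": {"roles": ["reader"]}},
    }).encode()),
    _b64url(b"dummy-signature"),
])


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, client_id: str, required_roles, now=None) -> list:
    """Return a list of problems; an empty list means the claims are consistent
    with the client_id and roles the plugin configuration expects."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # Keycloak emits str or list
    if client_id not in aud and claims.get("azp") != client_id:
        problems.append(f"client_id {client_id!r} not in aud/azp")
    roles = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    missing = set(required_roles) - roles
    if missing:
        problems.append(f"missing roles for {client_id!r}: {sorted(missing)}")
    return problems
```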