Open edyan opened 2 months ago
shreemaan-abhishek
commented
2 months ago I find it difficult to understand your problem. Right now, it seems that you are trying to use a feature from Casdoor but it doesn't work.
Are there any error logs? Is APISIX missing some configuration parameters? ?
edyan
commented
2 months ago Hello and thanks for your answer
The Resource Owner Password Credentials (ROPC) grant flow lets the client use the resource owner's user name and password to get an access token.
I have an API behind APISIX. APISIX check the authentication via Casdoor. When a user wants to get a token for the API, it goes to Casdoor, request a token by providing a client_id, username and password.
I would like to hide the client_id and that the user only provides his username / password. Exactly like what the keycloak plugin does : https://apisix.apache.org/docs/apisix/3.1/plugins/authz-keycloak/#generating-a-token-using-password-grant
Is it something I need to code myself or is it something that apisix is able to natively handle ?
Thanks
shreemaan-abhishek
commented
2 months ago I have minimal experience in working with the casdoor/keycloak/oidc plugins but I can confirm that client-secret is a required field for authz-casdoor plugin.
is it something that apisix is able to natively handle ?
No APISIX doesn't yet support this.
Description
Hello, I am doing a POC with Apisix and Casdoor. I wanted to use the flow "Resource owner password credentials grant" to let my user use only their username and password to authenticate to an application. Everything is done programmaticaly. Nevertheless, I don't see an option or a method to do that. It's natively supported by the keycloak plugin ("UMA") but not for openid-connect.
I believe the request rewrite could do the job but I am not sure about security. Thanks for your help !
Environment
apisix version): 3.9uname -a): Redhat (Docker Image apache/apisix:3.9.0-redhat)openresty -Vornginx -V): See abovecurl http://127.0.0.1:9090/v1/server_info): Not using etcd but standalone mode