apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0

bug: apisix openid plugin - how does the logout path work? #6345

Closed MirtoBusico closed 2 years ago

MirtoBusico commented 2 years ago

Issue description

I'm trying to use a keycloak server for user authentication (and authorization) in Apisix installed in a kubernetes cluster along with Istio. My keycloak server replies to

https://k6k.m01.net

The keycloak certificate is signed by my private Certification Authority (CA). My plugin setup followed these articles:

https://www.keycloak.org/2021/12/apisix.html
(another article: https://apisix.apache.org/blog/2021/12/10/integrate-keycloak-auth-in-apisix/ )

The definition is correct; but when I try to access a route with the openid plugin enabled I receive a 500 internal error

Trying to access the keycloak server from the apisix pod shell I see that the CA is not recognized

bash-5.1# curl https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
bash-5.1# 

Environment

Steps to reproduce

1) on 3 virtual machines install a K3S 3 node cluster
2) install Istio with "minimal" profile
3) verify versions of the three virtual machines cluster with K3S

sysop@m01serv:~$ kubectl get nodes -o wide
NAME     STATUS   ROLES                  AGE   VERSION        INTERNAL-IP       EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
m01kw1   Ready    <none>                 28d   v1.22.5+k3s1   192.168.102.122   <none>        Ubuntu 20.04.3 LTS   5.4.0-99-generic   containerd://1.5.8-k3s1
m01kw2   Ready    <none>                 28d   v1.22.5+k3s1   192.168.102.123   <none>        Ubuntu 20.04.3 LTS   5.4.0-99-generic   containerd://1.5.8-k3s1
m01km    Ready    control-plane,master   28d   v1.22.5+k3s1   192.168.102.121   <none>        Ubuntu 20.04.3 LTS   5.4.0-99-generic   containerd://1.5.8-k3s1
sysop@m01serv:~$ 

4) Istio version 1.12.2

sysop@m01serv:~$ istioctl version
client version: 1.12.2
control plane version: 1.12.2
data plane version: 1.12.2 (16 proxies)
sysop@m01serv:~$ 

5) Helm chart version

sysop@m01serv:~$ helm show chart apisix/apisix
apiVersion: v2
appVersion: 2.12.0
dependencies:
- condition: etcd.enabled
  name: etcd
  repository: https://charts.bitnami.com/bitnami
  version: 6.2.6
- alias: dashboard
  condition: dashboard.enabled
  name: apisix-dashboard
  repository: https://charts.apiseven.com
  version: 0.4.0
- alias: ingress-controller
  condition: ingress-controller.enabled
  name: apisix-ingress-controller
  repository: https://charts.apiseven.com
  version: 0.9.0
description: A Helm chart for Apache APISIX
icon: https://apache.org/logos/res/apisix/apisix.png
maintainers:
- name: tao12345666333
name: apisix
type: application
version: 0.8.2

sysop@m01serv:~$ 

6) changes in values.yaml

...
gateway:
  type: LoadBalancer
...
  tls:
    enabled: true
    servicePort: 443
    containerPort: 9443
    existingCASecret: "m01cacert"
    certCAFilename: "cert"
    http2:
      enabled: true
...
discovery:
  enabled: true
  registry:
    dns:
        servers:
            - "10.43.0.10:53"
...
dashboard:
  enabled: true

ingress-controller:
  enabled: true

7) Apisix installation:

kubectl create ns apisix
kubectl label namespace apisix istio-injection=enabled
cat m01ca.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
kubectl -n apisix create secret generic m01cacert --from-file=cert=./m01ca.pem
helm install apisix apisix/apisix -f apisix-values.yaml \
--set ingress-controller.config.apisix.serviceNamespace=apisix \
--set ingress-controller.config.apisix.serviceName=apisix-admin \
--set ingress-controller.config.kubernetes.apisixRouteVersion=apisix.apache.org/v2beta3 \
--namespace apisix

8) install an httpbin demo application with these definitions

# Copyright Istio Authors
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

##################################################################################################
# httpbin service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
- containerPort: 80

9) with the dashboard create an SSL resource with key and certificate for www.m02.net

9) Create a route and an upstream for www.m01.net pointing to the httpbin service. Verify that the URL "https://www.m01.net" works correctly

10) setup the openid connect plugin for the route following the instructions at

https://www.keycloak.org/2021/12/apisix.html

11) try to access "https://www.m01.net" and receive a "500 Internal Server Error". Looking at the apisix log you see:

2022-02-16T17:24:07.837Z | 127.0.0.6 - - [16/Feb/2022:17:24:05 +0000] www.m01.net "GET /spec.json HTTP/2.0" 200 41019 0.008 "https://www.m01.net/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-16T17:24:12.043Z | 127.0.0.6 - - [16/Feb/2022:17:24:09 +0000] www.m01.net "GET /headers HTTP/2.0" 499 0 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 - 0.000 "http://www.m01.net"
2022-02-16T17:24:12.043Z | 127.0.0.6 - - [16/Feb/2022:17:24:10 +0000] www.m01.net "GET /headers HTTP/2.0" 200 1116 0.003 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [error] 50#50: *1701601 [lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [error] 50#50: *1701601 [lua] openid-connect.lua:297: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [warn] 50#50: *1701601 [lua] plugin.lua:724: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:53.975Z | 127.0.0.6 - - [16/Feb/2022:17:38:50 +0000] www.m01.net "GET / HTTP/2.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" - - - "http://www.m01.net"
2022-02-16T17:38:53.975Z | 127.0.0.6 - - [16/Feb/2022:17:38:51 +0000] www.m01.net "GET /favicon.ico HTTP/2.0" 302 142 0.011 "https://www.m01.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" - - - "http://www.m01.net"

Trying to access the keycloak server from the apisix pod you see that the CA is not recognized ("SSL certificate problem: unable to get local issuer certificate")

bash-5.1# curl https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
bash-5.1# 

Actual result

Trying to access "https://www.m01.net" I receive a "500 Internal Server Error"

Error log

Looking at the apisix log you see:

2022-02-16T17:24:07.837Z | 127.0.0.6 - - [16/Feb/2022:17:24:05 +0000] www.m01.net "GET /spec.json HTTP/2.0" 200 41019 0.008 "https://www.m01.net/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-16T17:24:12.043Z | 127.0.0.6 - - [16/Feb/2022:17:24:09 +0000] www.m01.net "GET /headers HTTP/2.0" 499 0 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 - 0.000 "http://www.m01.net"
2022-02-16T17:24:12.043Z | 127.0.0.6 - - [16/Feb/2022:17:24:10 +0000] www.m01.net "GET /headers HTTP/2.0" 200 1116 0.003 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [error] 50#50: *1701601 [lua] openidc.lua:1378: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [error] 50#50: *1701601 [lua] openid-connect.lua:297: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:50.975Z | 2022/02/16 17:38:50 [warn] 50#50: *1701601 [lua] plugin.lua:724: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET / HTTP/2.0", host: "www.m01.net"
2022-02-16T17:38:53.975Z | 127.0.0.6 - - [16/Feb/2022:17:38:50 +0000] www.m01.net "GET / HTTP/2.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" - - - "http://www.m01.net"
2022-02-16T17:38:53.975Z | 127.0.0.6 - - [16/Feb/2022:17:38:51 +0000] www.m01.net "GET /favicon.ico HTTP/2.0" 302 142 0.011 "https://www.m01.net/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" - - - "http://www.m01.net"

Trying to access the keycloak server from the apisix pod you see that the CA is not recognized ("SSL certificate problem: unable to get local issuer certificate")

bash-5.1# curl https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
bash-5.1# 

Expected result

The keycloak login page should show up and after login the httpbin page is shown

moonming commented 2 years ago

Thanks for your detailed report. @starsz, do you have time to dig into this?

starsz commented 2 years ago

Hi, @MirtoBusico. Thanks for your detailed report.

try to access "https://www.m01.net/" and receive a "500 Internal Server Error" Looking at the apisix log you see:

Can you have a try for another URL like https://www.m01.net/v1/xxx ?

Because you had configured the redirect_uri in the openid-connect plugin. This URL means that when you log in to Keycloak, Keycloak will redirect to the URL with the code and state parameters. But you requested the URL directly without the code and state parameters, so it reports the 500 error.

MirtoBusico commented 2 years ago

Well, if I try

https://www.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/token/introspect

the login screen appears, I can login and then I receive a 404 error

Not Found
The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

But now the user is authenticated and if I try

https://www.m01.net/image/png

it works correctly

It seems I don't understand how to use this plugin as explained here

https://apisix.apache.org/docs/apisix/plugins/openid-connect

What I'm trying to do is

I don't know how to do this

MirtoBusico commented 2 years ago

UPDATE I tried this access sequence with these results:

1) "https://www.m01.net" --> 500 internal server error
2) "https://www.m01.net/login" --> 404 not found error; but the login screen appears and the user is logged in
3) "https://www.m01.net/image/png" --> the image appears correctly
4) "https://www.m01.net/logout" --> I'm redirected to "https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout" but the user is correctly logged out

MirtoBusico commented 2 years ago

UPDATE2 I changed the redirect uri to "https://www.m01.net/*" adding a "*". So the plugin definition now is:

{
    "client_id":"apisix",
    "client_secret":"CFejdjaiPNgGXMQub467j10OzcuK43tB",
    "discovery":"https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
    "scope":"openid profile",
    "bearer_only":false,
    "realm":"apisix_test_realm",
    "introspection_endpoint_auth_method":"client_secret_post",
    "redirect_uri":"https://www.m01.net/*"
}

Now the access sequence and results are:

I don't know how to correctly redirect the logout page

starsz commented 2 years ago

UPDATE2 I changed the redirect uri to "https://www.m01.net/*" adding a "*". So the plugin definition now is:

{
    "client_id":"apisix",
    "client_secret":"CFejdjaiPNgGXMQub467j10OzcuK43tB",
    "discovery":"https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
    "scope":"openid profile",
    "bearer_only":false,
    "realm":"apisix_test_realm",
    "introspection_endpoint_auth_method":"client_secret_post",
    "redirect_uri":"https://www.m01.net/*"
}

Now the access sequence and results are:

"https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZQzh1bVRwQ2ZCRkxQSHpFNmh4dTZUM3QybnBQLUpOSG9hX2JYbnRIczZBIn0.eyJleHAiOjE2NDUwODc5NTMsImlhdCI6MTY0NTA4NzY1MywiYXV0aF90aW1lIjoxNjQ1MDg3NjUzLCJqdGkiOiI4ZGIxODdlYi05NGI5LTRlNmMtOTI3MC0xYzc4OWI2NjFmNDgiLCJpc3MiOiJodHRwczovL2s2ay5tMDEubmV0L2F1dGgvcmVhbG1zL2FwaXNpeF90ZXN0X3JlYWxtIiwiYXVkIjoiYXBpc2l4Iiwic3ViIjoiYjYzZTQ4NjMtZjhlNC00ZDdmLTk4NzctMjdlNmNkODRhMTk3IiwidHlwIjoiSUQiLCJhenAiOiJhcGlzaXgiLCJub25jZSI6ImJmMGNjYjA0Yjk1ZDgyNzBkMmU3YTY1ZGZjZmY3OWUxIiwic2Vzc2lvbl9zdGF0ZSI6IjI2ZWQ3OWE3LTJlMGItNGEwYy04Mzc3LTY3MDcwNGU1NmM2NSIsImF0X2hhc2giOiJVclo3ZHJRT0NhYTN6TV9pb2dndjNBIiwiYWNyIjoiMSIsInNpZCI6IjI2ZWQ3OWE3LTJlMGItNGEwYy04Mzc3LTY3MDcwNGU1NmM2NSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlBldGVyIFpodSIsInByZWZlcnJlZF91c2VybmFtZSI6InBldGVyIiwiZ2l2ZW5fbmFtZSI6IlBldGVyIiwiZmFtaWx5X25hbWUiOiJaaHUiLCJlbWFpbCI6InBldGVyQHRlc3QuY29tIn0.Kr3XQt2v-rXIpe-GXSWF-Q11oBjt50m1guC6NmHEPz2f8TMC2uB2reHI4kyNsbqoqnv4N_egcrRchYoJQIH1ooRtb_ccRWk7Hm324GKt__0LrvoYhAdzjLVMMNNgzsgBPvUrWW2TpDoejuvLFuh56fOrJDkF98roWErWnWmMWqlCO0dpcGUNLRq8Get32b2aJhfbz4lMY8bRCHM2UfOsmnZe-Tozj5iPQiKCuDKuD99Ng4hrjldmHoDxe3owEHxMs3eJAKqtwc8D58hMI8Rx0PUkh0oGEgW9h79xe8UkyIHOxG4LxRuvs1hM3Zy2guRS_wV8FLNV8k4XKLX2LjUqbQ"

but the user is correctly logged out

I don't know how to correctly redirect the logout page

Hi @MirtoBusico. Thanks for your patient testing. After reading your reply, I think you are confused by the logout URL?

You can refer to the config of the APISIX OpenID-Connect Plugin. There is a logout_path in the config. Refer: https://apisix.apache.org/docs/apisix/plugins/openid-connect#attributes

MirtoBusico commented 2 years ago

Seems I don't understand the documentation. Setting logout_path to "https://www.m01.net/headers" I receive a 404 error and the user session is still active

Setting the logout_path to "/logout" (that should be the default) I'm redirected to

https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZQzh1bVRwQ2ZCRkxQSHpFNmh4dTZUM3QybnBQLUpOSG9hX2JYbnRIczZBIn0.eyJleHAiOjE2NDUxMDY1MzMsImlhdCI6MTY0NTEwNjIzMywiYXV0aF90aW1lIjoxNjQ1MTA2MjMzLCJqdGkiOiJlOTQzY2ViZS1iMGFiLTRlODQtYjM2OC0wMWMxZjFmYzQ3M2UiLCJpc3MiOiJodHRwczovL2s2ay5tMDEubmV0L2F1dGgvcmVhbG1zL2FwaXNpeF90ZXN0X3JlYWxtIiwiYXVkIjoiYXBpc2l4Iiwic3ViIjoiYjYzZTQ4NjMtZjhlNC00ZDdmLTk4NzctMjdlNmNkODRhMTk3IiwidHlwIjoiSUQiLCJhenAiOiJhcGlzaXgiLCJub25jZSI6IjJhNjYwNDQyMGU4NWYxMThkMTk0NmI4ZGQzMDczNThlIiwic2Vzc2lvbl9zdGF0ZSI6IjNhODliOGQ5LTRmNDYtNDhkOC04Y2FhLWNkMWEwMzJmYjJmZCIsImF0X2hhc2giOiJSMG81d1A5UUNuZjE3NEhCZS0xcTdnIiwiYWNyIjoiMSIsInNpZCI6IjNhODliOGQ5LTRmNDYtNDhkOC04Y2FhLWNkMWEwMzJmYjJmZCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlBldGVyIFpodSIsInByZWZlcnJlZF91c2VybmFtZSI6InBldGVyIiwiZ2l2ZW5fbmFtZSI6IlBldGVyIiwiZmFtaWx5X25hbWUiOiJaaHUiLCJlbWFpbCI6InBldGVyQHRlc3QuY29tIn0.B9EQYmBeMS0StnHjBlVPNkDd3XOkMO9UP2bzZ7RM-dGtT3JH14jW9NMYOnK2zeEzWzyJ736ZRjVS3CnYW0TUucXfpSD7N9f6ynne3-zywskTQ-L7Z8IwcVA06sEYz5vnfIhpT_JGWhHImcxX6DIqs9yE016xWCF3oB-OfXkp-HXaY7kVi4J24x9xpKj0a6LzoWR14dRDgmYHL0PK_6foAWbZFbdSwQsTdugGA9i4-ntVdyw_PTz-NgQDjN8Zinmdtsn3a1TAl-Jzi5a5RV6eUiFQI3nX0iiabhH1P3F2QwiDunZngOGMB5rwvy4IXfjtG0_41RFcNZpJcW7mkoMu3A

and the user is logged out

starsz commented 2 years ago

Setting logout_path to "https://www.m01.net/headers" I receive a 404 error and the user session is still active

Oh. If so, I think it's a bug. Let me have a try.

starsz commented 2 years ago

Setting logout_path to "https://www.m01.net/headers" I receive a 404 error and the user session is still active

Hi, @MirtoBusico. I have tested it on my local env. It looks good. Can you try to test it again or provide the steps to reproduce it? (Now the question is: does the logout path work?)

MirtoBusico commented 2 years ago

Yes, I'm trying to set up a different logout route that doesn't use the openid connect plugin. I changed the bug title.

MirtoBusico commented 2 years ago

Well, with the new framework I'm not able to complete the login redirect. I created two routes:

All routes use an httpbin service as upstream

The first route definition is

{
  "uri": "/",
  "name": "m01-www-home",
  "desc": "home page for entire application",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "www.m01.net",
  "plugins": {
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "394941006623015714",
  "status": 1
}

The second route definition is

{
  "uri": "/user/*",
  "name": "m01-www-user",
  "desc": "services for users - access with authentication and role=user",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "www.m01.net",
  "plugins": {
    "openid-connect": {
      "access_token_in_authorization_header": true,
      "bearer_only": false,
      "client_id": "apisix",
      "client_secret": "CFejdjaiPNgGXMQub467j10OzcuK43tB",
      "disable": false,
      "discovery": "https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
      "introspection_endpoint_auth_method": "client_secret_post",
      "logout_path": "/logout",
      "realm": "apisix_test_realm",
      "redirect_uri": "https://www.m01.net/*",
      "scope": "openid profile"
    },
    "proxy-rewrite": {
      "regex_uri": [
        "^/user/(.*)",
        "/$1"
      ]
    },
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "394941006623015714",
  "status": 1
}

The first route works (the httpbin home page is partially shown - other parts of the page that have a path different from "/" are not served by the route). The second route works without the openid-connect plugin and the url "https://www.m01.net/user/headers" correctly shows the httpbin headers page

Adding to the second route this openid-connect definition

{
    "client_id":"apisix",
    "client_secret":"CFejdjaiPNgGXMQub467j10OzcuK43tB",
    "discovery":"https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
    "scope":"openid profile",
    "bearer_only":false,
    "realm":"apisix_test_realm",
    "introspection_endpoint_auth_method":"client_secret_post",
    "redirect_uri":"https://www.m01.net/*",
    "access_token_in_authorization_header":true,
    "logout_path":"/logout"
}

Now trying to access the url "https://www.m01.net/user/headers" shows the keycloak login page, executes the login, but I receive an error

{"error_msg":"404 Route Not Found"}

on this redirected url

https://www.m01.net/*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae

In the apisix log I see

2022-02-20T19:09:37.263Z | 2022/02/20 19:09:37 [alert] 47#47: *1726843 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt) while processing HTTP/2 connection, client: 127.0.0.6, server: 0.0.0.0:9443
2022-02-20T19:09:40.260Z | 127.0.0.6 - - [20/Feb/2022:19:09:37 +0000] www.m01.net "GET /user/headers HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:09:44.430Z | 127.0.0.6 - - [20/Feb/2022:19:09:41 +0000] www.m01.net "GET /*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae HTTP/2.0" 404 36 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:09:44.430Z | 127.0.0.6 - - [20/Feb/2022:19:09:41 +0000] www.m01.net "GET /favicon.ico HTTP/2.0" 404 36 0.000 "https://www.m01.net/*?state=840922be85ba9af5299cf264c48b67b9&session_state=b0de06e4-6c71-48d4-8201-ae7c6f6924a3&code=8bf3d0a2-b535-4a7e-ac5f-253aa5f0b42e.b0de06e4-6c71-48d4-8201-ae7c6f6924a3.43a0343a-7fb2-471c-b6c8-6f361a8a5bae" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"

Maybe there is a conflict with the proxy-rewrite plugin

Now I'll try to find an echo program to replace httpbin so as to avoid the rewrite rules

MirtoBusico commented 2 years ago

Hi @starsz another try and the first results: wrong redirect on logout (so it seems that there is a proxy-rewrite conflict)

I created two routes:

All routes use an httpbin service as upstream

The first route definition is

{
  "uri": "/",
  "name": "m01-www-home",
  "desc": "home page for entire application",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "www.m01.net",
  "plugins": {
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "394941006623015714",
  "status": 1
}

The second route definition is

{
  "uri": "/*",
  "name": "m01-www-user",
  "desc": "services for users - access with authentication and role=user",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "www.m01.net",
  "plugins": {
    "openid-connect": {
      "access_token_in_authorization_header": true,
      "bearer_only": false,
      "client_id": "apisix",
      "client_secret": "CFejdjaiPNgGXMQub467j10OzcuK43tB",
      "disable": false,
      "discovery": "https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
      "introspection_endpoint_auth_method": "client_secret_post",
      "logout_path": "/logout",
      "realm": "apisix_test_realm",
      "redirect_uri": "https://www.m01.net/*",
      "scope": "openid profile"
    },
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "394941006623015714",
  "status": 1
}

Now

https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZQzh1bVRwQ2ZCRkxQSHpFNmh4dTZUM3QybnBQLUpOSG9hX2JYbnRIczZBIn0.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.N2iDI-T_dbfRXvAx9y9iyqQD6IWOo2m9ADfUjvVqbhJkRK31054mhQVphzcXa3hnXd8jcKOP5iLtCMP0hGrHZ0_LftH_Czag9zsSqgNPMAoBDMvBYsjb8Yv-xoRBqYx6vmQVPzMEc3CV15sFYrAFHGPrW-rOq0H_sfTYSnrDN6bmaTzV4ZEdgktgGwUKw0pGQObVEN4IZVL4tphOh0o5Rc2icIZAwgbnnToAd_hs7MOgntF-u_vDsPINNjhMIkuG2TW4G3SilAvg1b3xGOa_B4isNZNKiNX4fyCw4TGCOfAmvdd0wpJzq3IsDw1yD-dTSdOg5gPoFqZqpu-EnG7fLg

In the apisix log I see

2022-02-20T19:42:06.215Z | 127.0.0.6 - - [20/Feb/2022:19:42:05 +0000] www.m01.net "GET /headers HTTP/2.0" 200 9355 0.003 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-20T19:42:23.016Z | 127.0.0.6 - - [20/Feb/2022:19:42:20 +0000] www.m01.net "GET /logout HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:50:30.419Z | 127.0.0.6 - - [20/Feb/2022:19:50:27 +0000] www.m01.net "GET /headers HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:50:34.133Z | 127.0.0.6 - - [20/Feb/2022:19:50:31 +0000] www.m01.net "GET /*?state=a1bdba4c994e54f5f12f787e3babc849&session_state=4d9e0e6e-d35c-4936-88bf-893cd464b92d&code=97503336-93e4-4793-9a68-0142f9af31ee.4d9e0e6e-d35c-4936-88bf-893cd464b92d.43a0343a-7fb2-471c-b6c8-6f361a8a5bae HTTP/2.0" 302 142 0.014 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"
2022-02-20T19:50:34.133Z | 127.0.0.6 - - [20/Feb/2022:19:50:31 +0000] www.m01.net "GET /headers HTTP/2.0" 200 9320 0.005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" 10.43.225.202:8000 200 0.004 "http://www.m01.net"
2022-02-20T19:50:50.053Z | 127.0.0.6 - - [20/Feb/2022:19:50:47 +0000] www.m01.net "GET /logout HTTP/2.0" 302 142 0.000 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0" - - - "http://www.m01.net"

Maybe it is a keycloak installation or version problem?

I'm using keycloak on a virtual machine separated from the kubernetes cluster. The keycloak version is 16.1.1. I use an apache2 as reverse proxy for https termination.

What is your test configuration?
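
The three behaviours reported in the last two comments (500 when the browser opens the redirect_uri path directly, "404 Route Not Found" when Keycloak calls back to the literal "/*" path that no "/user/*" route matches, and the working login plus /logout redirect once the route is "/*") can be reproduced with a small relying-party model. This is an added illustration, not APISIX or lua-resty-openidc code: route matching, the cookie session store and the simulated Keycloak are simplified assumptions; only the realm URL and the plugin values are taken from the thread.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Realm URL and plugin values come from the thread; the rest is constructed.
KEYCLOAK = "https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect"
OIDC = {"client_id": "apisix", "scope": "openid profile",
        "redirect_uri": "https://www.m01.net/*", "logout_path": "/logout"}


def match_route(routes, path):
    """APISIX-style: a uri ending in '/*' is a prefix match, otherwise exact; longest wins."""
    for route in sorted(routes, key=lambda r: len(r["uri"]), reverse=True):
        uri = route["uri"]
        if path == uri or (uri.endswith("/*") and path.startswith(uri[:-1])):
            return route
    return None


def upstream(route, path):
    """Apply proxy-rewrite regex_uri (if configured), then 'proxy' to httpbin (simulated)."""
    if "proxy-rewrite" in route:
        pattern, repl = route["proxy-rewrite"]["regex_uri"]
        path = re.sub(pattern, repl.replace("$1", r"\1"), path)
    return "httpbin " + path


def handle(routes, session, path, query=None):
    """One gateway request -> (status, body_or_location). `session` is the browser's cookie session."""
    query = query or {}
    route = match_route(routes, path)
    if route is None:
        return 404, "404 Route Not Found"
    oidc = route.get("openid-connect")
    if oidc is None:
        return 200, upstream(route, path)
    if path == oidc["logout_path"]:  # handled by the plugin, never proxied upstream
        hint = session.get("id_token", "")
        session.clear()
        return 302, KEYCLOAK + "/logout?" + urlencode({"id_token_hint": hint})
    if path == urlsplit(oidc["redirect_uri"]).path:  # callback from Keycloak
        if "state" not in session:  # no login was started in this session
            return 500, "request to the redirect_uri path but there's no session state found"
        if query.get("state") != session.pop("state") or "code" not in query:
            return 500, "state mismatch or missing code"
        session["id_token"] = "idtoken-" + query["code"]  # code exchange, simulated
        return 302, session.pop("original_url")
    if "id_token" not in session:  # not logged in: start the authorization code flow
        session.update(state=secrets.token_hex(16), original_url=path)
        return 302, KEYCLOAK + "/auth?" + urlencode({
            "response_type": "code", "client_id": oidc["client_id"], "scope": oidc["scope"],
            "redirect_uri": oidc["redirect_uri"], "state": session["state"]})
    return 200, upstream(route, path)


def keycloak_callback(auth_url):
    """Simulated Keycloak: after login it sends the browser to redirect_uri, taken
    literally (so '/*' stays '/*'), with the same state and a fresh code."""
    q = parse_qs(urlsplit(auth_url).query)
    return urlsplit(q["redirect_uri"][0]).path, {"state": q["state"][0], "code": secrets.token_hex(4)}


def direct_hit_on_redirect_uri():
    """Route '/', redirect_uri 'https://www.m01.net/': opening '/' with no session gives 500."""
    routes = [{"uri": "/", "openid-connect": dict(OIDC, redirect_uri="https://www.m01.net/")}]
    return handle(routes, {}, "/")[0]


def user_route_with_wildcard_redirect_uri():
    """'/user/*' plus redirect_uri '/*': the literal '/*' callback matches no route -> 404."""
    routes = [{"uri": "/"}, {"uri": "/user/*", "openid-connect": OIDC,
               "proxy-rewrite": {"regex_uri": ["^/user/(.*)", "/$1"]}}]
    session = {}
    status, auth_url = handle(routes, session, "/user/headers")
    cb_path, cb_query = keycloak_callback(auth_url)
    return status, cb_path, handle(routes, session, cb_path, cb_query)[0]


def catch_all_route_login_then_logout():
    """Route '/*': the '/*' callback is routable, /headers is served, /logout goes to Keycloak."""
    routes = [{"uri": "/*", "openid-connect": OIDC}]
    session = {}
    cb_path, cb_query = keycloak_callback(handle(routes, session, "/headers")[1])
    back = handle(routes, session, cb_path, cb_query)
    page = handle(routes, session, "/headers")
    logout_status, location = handle(routes, session, "/logout")
    return back, page, logout_status, location.startswith(KEYCLOAK + "/logout?id_token_hint=idtoken-")
```

The model also shows why a glob in redirect_uri is a misconfiguration rather than a pattern: the provider sends the browser to that string verbatim, so it only works when some route happens to match the literal path.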

starsz commented 2 years ago

"https://www.m01.net/logout" executes the logout but is redirected to this url https://k6k.m01.net/auth/realms/apisix_test_realm/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1N

But the user is logged out. If you access https://www.m01.net/headers, it will show the keycloak login page.

So do you mean we can configure a logout_redirect_url? Then we can redirect to the logout_redirect_url. You can refer to this PR: https://github.com/apache/apisix/issues/6362

MirtoBusico commented 2 years ago

Yes @starsz I mean exactly the PR: https://github.com/apache/apisix/issues/6362

So I think that I have to wait until this PR is implemented

starsz commented 2 years ago

Yes @starsz I mean exactly the PR: #6362

So I think that I have to wait until this PR is implemented

Yeah. We will support it as soon as possible.

MirtoBusico commented 2 years ago

Thanks