diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua
index 338eeea66204..88203b98b355 100644
--- a/apisix/plugins/authz-keycloak.lua
+++ b/apisix/plugins/authz-keycloak.lua
@@ -380,7 +380,7 @@ local function authz_keycloak_ensure_sa_access_token(conf)
 local params = {
 method = "POST",
- body = ngx.encode_args({
+ body = ngx.encode_args({
 grant_type = "refresh_token",
 client_id = client_id,
 client_secret = conf.client_secret,
@@ -456,7 +456,7 @@ local function authz_keycloak_ensure_sa_access_token(conf)
 local params = {
 method = "POST",
- body = ngx.encode_args({
+ body = ngx.encode_args({
 grant_type = "client_credentials",
 client_id = client_id,
 client_secret = conf.client_secret,
@@ -644,7 +644,7 @@ local function evaluate_permissions(conf, ctx, token)
 local params = {
 method = "POST",
- body = ngx.encode_args({
+ body = ngx.encode_args({
 grant_type = conf.grant_type,
 audience = authz_keycloak_get_client_id(conf),
 response_mode = "decision",
@@ -732,13 +732,13 @@ local function generate_token_using_password_grant(conf,ctx)
 if not token_endpoint then
 local err = "Unable to determine token endpoint."
 log.error(err)
- return 500, err
+ return 503, err
 end
 local httpc = authz_keycloak_get_http_client(conf)
 local params = {
 method = "POST",
- body = ngx.encode_args({
+ body = ngx.encode_args({
 grant_type = "password",
 client_id = client_id,
 client_secret = conf.client_secret,
@@ -775,9 +775,11 @@ local function generate_token_using_password_grant(conf,ctx)
 end
 function _M.access(conf, ctx)
+ local headers = core.request.headers(ctx)
 if conf.password_grant_token_generation_incoming_uri and
- ngx.var.request_uri:upper() ==
- conf.password_grant_token_generation_incoming_uri:upper() and
+ ngx.var.request_uri ==
+ conf.password_grant_token_generation_incoming_uri and
+ headers["content-type"] == "application/x-www-form-urlencoded" and
 core.request.get_method() == "POST" then
 return generate_token_using_password_grant(conf,ctx)
 end
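Review bot: In the last hunk of this file, the new condition `headers["content-type"] == "application/x-www-form-urlencoded"` is an exact string match, but media types are case-insensitive and clients routinely append a parameter such as `; charset=UTF-8`, so a valid form POST would skip token generation and fall through to the rest of `_M.access` (outside the hunk, presumably the bearer-token enforcement path) and be rejected with a misleading authorization error. Consider comparing only the normalised media type, e.g. `local ct = headers["content-type"]` followed by `type(ct) == "string" and ct:lower():match("^%s*([^;%s]+)") == "application/x-www-form-urlencoded"`; the `type` check matters because a repeated header may arrive as a table. The URI comparison against `ngx.var.request_uri` is now case-sensitive and, since that variable holds the raw request URI including any query string, `/api/token?x=1` will not match either; that fails towards the authenticated path, but it deserves a comment such as `-- exact match on the raw URI (query string included); anything else goes through the normal permission check`. No test for the new content-type condition is visible in this diff.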
diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t
index 5c4a8298bc64..c98c830598e9 100644
--- a/t/plugin/authz-keycloak.t
+++ b/t/plugin/authz-keycloak.t
@@ -652,35 +652,8 @@ Location: http://127.0.0.1/test
 "type": "roundrobin"
 },
 "uri": "/api/token"
- }]],
- [[{
- "node": {
- "value": {
- "plugins": {
- "authz-keycloak": {
- "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
- "permissions": ["course_resource#view"],
- "client_id": "course_management",
- "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
- "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
- "timeout": 3000,
- "ssl_verify": false,
- "password_grant_token_generation_incoming_uri": "/api/token"
- }
- },
- "upstream": {
- "nodes": {
- "127.0.0.1:1982": 1
- },
- "type": "roundrobin"
- },
- "uri": "/api/token"
- },
- "key": "/apisix/routes/1"
- },
- "action": "set"
 }]]
- )
+ )
 if code >= 300 then
 ngx.status = code