
help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX." #8452

Closed
MirtoBusico opened this issue Dec 2, 2022 · 23 comments

Comments

@MirtoBusico

Description

Hi all,
I'm trying to set up a route for the apisix dashboard using openid-connect for authentication, but I receive an error after the keycloak login.

I'm trying to follow this article, but the screens and fields are different from the latest apisix and keycloak versions.

When I try to access the apisix dashboard with this URL "https://apisix.h.net" (my home lab internal address) without enabling the openid-connect plugin everything works correctly.

If I enable the openid-connect plugin, first I'm redirected to the keycloak login page (the login is correct and I can see the session in keycloak), then I receive the error page saying "An error occurred. You can report issue to APISIX Faithfully yours, APISIX."

The page URL is

https://apisix.h.net/*?state=663136eda8578d0c00fff11919cd886f&session_state=938a3031-66ad-4a96-bbc0-7b84c98b7f41&code=cc5e7778-a5ad-45e6-9e19-9489f4af5965.938a3031-66ad-4a96-bbc0-7b84c98b7f41.755e9ac7-b5a6-46d4-9660-fc6aa23d3756

The route definition:

{
  "uri": "/*",
  "name": "apisix-dashboard",
  "desc": "apisix.h.net primary route",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "apisix.h.net",
  "plugins": {
    "openid-connect": {
      "access_token_in_authorization_header": true,
      "bearer_only": false,
      "client_id": "apisix",
      "client_secret": "ICLrl8NnZxJg8fj0bGrnC0nJxvhFM9fB",
      "disable": false,
      "discovery": "https://k6k.h.net/realms/apisix_realm/.well-known/openid-configuration",
      "introspection_endpoint_auth_method": "client_secret_post",
      "logout_path": "/logout",
      "realm": "apisix_realm",
      "redirect_uri": "https://apisix.h.net/*",
      "scope": "openid profile"
    },
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "436822533732303574",
  "status": 1
}

The upstream (apisix gateway is of type loadbalancer) is:

{
  "timeout": {
    "connect": 6,
    "send": 6,
    "read": 6
  },
  "type": "roundrobin",
  "scheme": "http",
  "discovery_type": "dns",
  "pass_host": "pass",
  "name": "apisix-dashboard",
  "service_name": "apisix-dashboard.apisix.svc.cluster.local:80",
  "keepalive_pool": {
    "idle_timeout": 60,
    "requests": 1000,
    "size": 320
  }
}

What am I doing wrong?

Environment

  • APISIX version (run apisix version):
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# apisix version
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua version
2.15.1
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix#
  • Operating system (run uname -a):
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# uname -a
Linux apisix-64fffcfb4c-55vhw 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64 GNU/Linux
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# 
  • OpenResty / Nginx version (run openresty -V or nginx -V):
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant: 2.13.0
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@MirtoBusico MirtoBusico changed the title help request: how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX." help request: Openid-connect - how to diagnose the error page "An error occurred. You can report issue to APISIX Faithfully yours, APISIX." Dec 3, 2022
@tzssangglass
Member

any error logs about this in logs/error.log?

@MirtoBusico
Author

Not sure which log I have to look at.
Using the Kubernetes dashboard, the last lines of the apisix pods are:
For the apisix-dashboard pod

2022-12-05T08:19:48.453Z filter/logging.go:45 /ping {"status": 200, "host": "10.42.2.191:9000", "query": "", "requestId": "39633564-4ccb-4ded-8709-675ad8ab7277", "latency": 0, "remoteIP": "127.0.0.6", "method": "GET", "errs": []}
2022-12-05T08:19:57.252Z filter/logging.go:45 /ping {"status": 200, "host": "10.42.2.191:9000", "query": "", "requestId": "18464495-fb71-4bb1-89dc-03b6374e92e2", "latency": 0, "remoteIP": "127.0.0.6", "method": "GET", "errs": []}
2022-12-05T08:19:58.452Z filter/logging.go:45 /ping {"status": 200, "host": "10.42.2.191:9000", "query": "", "requestId": "c902793d-c008-494c-a93d-6bb648332bb8", "latency": 0, "remoteIP": "127.0.0.6", "method": "GET", "errs": []}

For the apisix pod

2022/12/05 08:19:27 [warn] 49#49: *48972 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [alert] 49#49: *48972 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [alert] 47#47: *48973 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /favicon.ico HTTP/1.0", host: "apisix.h.net", referrer: "https://apisix.h.net/*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756"
2022/12/05 08:19:27 [error] 48#48: *48980 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [error] 48#48: *48980 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [warn] 48#48: *48980 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
2022/12/05 08:19:27 [alert] 48#48: *48980 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /favicon.ico HTTP/1.0" 302 217 0.000 "https://apisix.h.net/*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"

For apisix-ingress-controller pod

2022-12-05T16:24:27+08:00 info gin@v1.8.1/context.go:173 path: /healthz, status: 200, method: GET, query: , ip: 127.0.0.6, user-agent: kube-probe/1.24, errors: , cost: 26.839µs
2022-12-05T16:24:36+08:00 info gin@v1.8.1/context.go:173 path: /healthz, status: 200, method: GET, query: , ip: 127.0.0.6, user-agent: kube-probe/1.24, errors: , cost: 32.611µs
2022-12-05T16:24:37+08:00 info gin@v1.8.1/context.go:173 path: /healthz, status: 200, method: GET, query: , ip: 127.0.0.6, user-agent: kube-probe/1.24, errors: , cost: 33.589µs

BTW is it correct to have the state in the URL instead of in the authorization header?
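Added example (not code from the thread or from APISIX): a small Python triage helper that parses error.log lines of the shape pasted above, groups them by nginx connection id, and flags the two signatures that matter here: the openidc "no session state found" failure on a callback request that carries `state` and `code`, and the stale SSL "bad decrypt" alert. The sample lines are constructed, with placeholder `state`/`code` values in place of the real ones.

```python
"""Triage helper for APISIX logs/error.log lines written by the openid-connect plugin.
Constructed example, not part of APISIX or of this issue thread."""
import re
from urllib.parse import parse_qs, urlsplit

# Shape of an OpenResty error.log line as APISIX writes it (see the pasted logs).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*?)'
    r'(?:, client: (?P<client>[^,]+))?(?:, server: (?P<server>[^,]+))?'
    r'(?:, request: "(?P<request>[^"]*)")?(?:, host: "(?P<host>[^"]*)")?'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?$'
)

# Substrings that identify the three messages seen in the thread.
SIGNATURES = {
    "oidc_no_session": "no session state found",
    "oidc_http_500": "openid-connect exits with http status code 500",
    "ssl_stale_bad_decrypt": "ignoring stale global SSL error",
}

# Query parameters the IdP appends when it sends the browser back to redirect_uri.
CALLBACK_PARAMS = ("state", "code", "session_state")


def parse_line(line):
    """Return the fields of one error.log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Map a log message to a signature name ('other' if none matches)."""
    for name, needle in SIGNATURES.items():
        if needle in msg:
            return name
    return "other"


def callback_params(request):
    """Which OIDC callback parameters a logged request line carries.
    `request` looks like 'GET /*?state=...&code=... HTTP/1.0'."""
    parts = request.split(" ")
    if len(parts) < 2:
        return set()
    query = parse_qs(urlsplit(parts[1]).query)
    return {p for p in CALLBACK_PARAMS if p in query}


def triage(lines):
    """Group signatures per nginx connection id and explain the OIDC failure."""
    by_conn = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # access-log lines and other noise are skipped
        entry = by_conn.setdefault(
            rec["conn"], {"signatures": set(), "host": rec["host"], "callback": set()})
        entry["signatures"].add(classify(rec["msg"]))
        if rec["request"]:
            entry["callback"] |= callback_params(rec["request"])
    findings = []
    for conn, e in sorted(by_conn.items()):
        if "oidc_no_session" in e["signatures"] and {"state", "code"} <= e["callback"]:
            findings.append(
                f"conn {conn}: IdP callback for host {e['host']} carried state+code but APISIX "
                "had no session for it; the session cookie set before the redirect to the IdP "
                "did not come back (e.g. a load balancer in front of APISIX sent the callback "
                "to another instance, or the browser did not send the cookie)")
        if "ssl_stale_bad_decrypt" in e["signatures"]:
            findings.append(f"conn {conn}: stale SSL 'bad decrypt' alert; check the cert/key "
                            f"loaded for the SNI of {e['host']}")
    return by_conn, findings


# Constructed sample lines modelled on the thread's logs (placeholder values).
SAMPLE_LINES = [
    '2022/12/05 08:19:27 [warn] 49#49: *48972 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=STATE1&session_state=SESS&code=CODE1 HTTP/1.0", host: "apisix.h.net"',
    '2022/12/05 08:19:27 [alert] 49#49: *48972 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=STATE1&session_state=SESS&code=CODE1 HTTP/1.0", host: "apisix.h.net"',
    '2022/12/05 08:19:27 [error] 48#48: *48980 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there\'s no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=STATE2&session_state=SESS&code=CODE2 HTTP/1.0", host: "apisix.h.net"',
    '2022/12/05 08:19:27 [warn] 48#48: *48980 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=STATE2&session_state=SESS&code=CODE2 HTTP/1.0", host: "apisix.h.net"',
    '127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /favicon.ico HTTP/1.0" 302 217 0.000',
]

if __name__ == "__main__":
    for note in triage(SAMPLE_LINES)[1]:
        print(note)
```

The `state` in the callback URL is expected: the OIDC authorization-code flow returns `state` and `code` as query parameters, and the plugin matches `state` against the value it stored in the session cookie, which is exactly what the "no session state found" message says is missing.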

@tzssangglass
Member

2022/12/05 08:19:27 [alert] 49#49: *48972 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"

How did you add the SSL object to APISIX whose SNI is apisix.h.net?

It looks like APISIX found an SSL resource with the SNI apisix.h.net based on the apisix.h.net host of the request, but it failed to load the cert or key, perhaps due to a formatting issue, or perhaps a problem with the cert itself.

@MirtoBusico
Author

Well,
to create the SNI I used the Apisix dashboard
and used the upload method.
The two files are (added .txt extension to be able to upload):
apisix.crt.txt
apisix.key.txt
These files are signed by a private certification authority whose key and pem are:
hservca.pem.txt
hservca.key.txt

I also have another route (without openid-connect), "www.h.net", that works correctly, and when I access this route I see in the apisix logs

127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.066 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.065 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET /static/bootstrap/js/bootstrap.min.js HTTP/1.0" 304 0 0.039 "https://www.h.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 304 0.039 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET /static/bootstrap/css/bootstrap.min.css HTTP/1.0" 304 0 0.040 "https://www.h.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 304 0.039 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET /static/jquery.min.js HTTP/1.0" 304 0 0.038 "https://www.h.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 304 0.038 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:23 +0000] www.h.net "GET /static/bootstrap/css/bootstrap-theme.min.css HTTP/1.0" 304 0 0.041 "https://www.h.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 304 0.039 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:26 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.021 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.021 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:27 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.005 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.005 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:27 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.004 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.003 "http://www.h.net"
127.0.0.6 - - [05/Dec/2022:15:24:27 +0000] www.h.net "GET / HTTP/1.0" 200 1683 0.003 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.177.176:9080 200 0.003 "http://www.h.net"

without errors

Also, after deleting the openid-connect plugin, the "apisix.h.net" route works correctly and in the apisix pod log I see

127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /apisix/admin/labels/route HTTP/1.0" 401 70 0.036 "https://apisix.h.net/routes/list" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 401 0.034 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /p__User__Logout.0055155e.async.js HTTP/1.0" 200 2985 0.031 "https://apisix.h.net/user/logout?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.031 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /user/login?redirect=%2Froutes%2Flist HTTP/1.0" 200 2100 0.011 "https://apisix.h.net/user/logout?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.010 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:43 +0000] apisix.h.net "POST /apisix/admin/user/login HTTP/1.0" 200 237 0.003 "https://apisix.h.net/user/login?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.002 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /p__User__Login.b2bf8b62.async.js HTTP/1.0" 200 4425 0.005 "https://apisix.h.net/user/login?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.004 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:41 +0000] apisix.h.net "GET /p__User__Login.93c6ad4d.chunk.css HTTP/1.0" 200 685 0.013 "https://apisix.h.net/user/login?redirect=%2Froutes%2Flist" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.012 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:44 +0000] apisix.h.net "GET /apisix/admin/labels/route HTTP/1.0" 200 122 0.006 "https://apisix.h.net/routes/list" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.004 "http://apisix.h.net"
127.0.0.6 - - [05/Dec/2022:15:48:44 +0000] apisix.h.net "GET /apisix/admin/routes?label=&page=1&page_size=10 HTTP/1.0" 200 410 0.002 "https://apisix.h.net/routes/list" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 10.43.132.106:80 200 0.001 "http://apisix.h.net"

What can I try?

@tzssangglass
Member

maybe fix by: #8068

@tzssangglass
Member

help this: #6792 (comment) would work for you

@MirtoBusico
Author

Thanks.
I subscribed to #8068 and will wait for the release.
For now I don't use authentication.

@alekskar

alekskar commented Dec 6, 2022

We have a similar issue when trying to configure login for kubernetes-dashboard. I've also tested it for a simple nginx deployment.
The configuration is pretty similar to the topic starter's; what I've tried is to change "redirect_uri" from / to /* and to /callback and so on. Not sure how to make it work in a real environment.

{
  "uris": [
    "/*",
    "/"
  ],
  "name": "nginx_k8s-nginx_nginx",
  "desc": "Created by apisix-ingress-controller, DO NOT modify it manually",
  "hosts": [
    "nginx.test.mydomain.com"
  ],
  "plugins": {
    "openid-connect": {
      "access_token_in_authorization_header": true,
      "bearer_only": false,
      "client_id": "kubernetes-test",
      "client_secret": "someSecret",
      "discovery": "https://keycloak.test.mydomain.com/auth/realms/main/.well-known/openid-configuration",
      "introspection_endpoint_auth_method": "client_secret_post",
      "logout_path": "/logout",
      "realm": "main",
      "redirect_uri": "https://nginx.test.mydomain.com/callback/",
      "scope": "openid profile",
      "set_access_token_header": true,
      "set_id_token_header": true,
      "set_refresh_token_header": false,
      "set_userinfo_header": true,
      "ssl_verify": false,
      "timeout": 3,
      "use_pkce": false
    },
    "redirect": {
      "encode_uri": false,
      "http_to_https": true,
      "ret_code": 302
    }
  },
  "upstream_id": "60f5e5f1",
  "labels": {
    "managed-by": "apisix-ingress-controller"
  },
  "status": 1
}

logs:

#10.0.4.87 - - [05/Dec/2022:18:53:06 +0000] nginx.test.mydomain "GET / HTTP/1.1" 302 142 0.000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" - - - "http://nginx.test.mydomain"
#10.0.28.134 - - [05/Dec/2022:18:53:07 +0000] nginx.test.mydomain.com "GET / HTTP/1.1" 302 142 0.000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" - - - "http://nginx.test.mydomain.com"
#2022/12/05 18:53:09 [error] 47#47: *325224574 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 10.0.17.247, server: _, request: "GET /*?state=74e36fe6dfe033cd861104023284c7de&session_state=a67459e3-a96b-4e28-b297-91f7333fcbae&code=7724236d-1d4f-4ff5-be93-6e8072061c22.a67459e3-a96b-4e28-b297-91f7333fcbae.2175bf1b-3d62-47a4-a8ed-70e77af1da8f HTTP/1.1", host: "nginx.test.mydomain.com"
#2022/12/05 18:53:09 [error] 47#47: *325224574 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 10.0.17.247, server: _, request: "GET /*?state=74e36fe6dfe033cd861104023284c7de&session_state=a67459e3-a96b-4e28-b297-91f7333fcbae&code=7724236d-1d4f-4ff5-be93-6e8072061c22.a67459e3-a96b-4e28-b297-91f7333fcbae.2175bf1b-3d62-47a4-a8ed-70e77af1da8f HTTP/1.1", host: "nginx.test.mydomain.com"

@MirtoBusico
Author

I'll try asap
Thanks

@tzssangglass
Member

The configuration is pretty similar to the topic starter's; what I've tried is to change "redirect_uri" from / to /* and to /callback and so on. Not sure how to make it work in a real environment.

same as: #6345?

@MirtoBusico
Author

MirtoBusico commented Dec 7, 2022

Hi @tzssangglass, at the time of #6345 I was able to use openid-connect, but I had problems with the "/logout" url.
Now openid-connect doesn't work and I never see the application page.

Differences in the two cases:

  • apisix version 2.12.0 instead of 2.15.1
  • keycloak version 16.1.1 instead of 20.0.1
  • the application was httpbin now is apisix-dashboard
  • the URL pointed directly to the first cluster node; now the URL points to a nginx load balancer that points to all the worker cluster nodes
  • apisix was installed adding the private certification authority certificate
    existingCASecret: "m01cacert"
    certCAFilename: "cert"

Do I have to try to reproduce the same configuration?

@alekskar

alekskar commented Dec 7, 2022

@tzssangglass Hi! #7334 actually fixed the issue.
Basically I had the error when I tried to access the resource. Could we add this note to the plugin documentation? (when there is an LB in front of Apisix)

After successful SSO I saw a 500 error ["An error occurred. You can report issue to APISIX Faithfully yours, APISIX."]
where in the logs there are 2 messages regarding session and state.

openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found
plugin.lua:901: run_plugin(): openid-connect exits with http status code 500

@tzssangglass
Member

tzssangglass commented Dec 7, 2022

Do I have to try to reproduce the same configuration?

My mistake. "same as: https://github.com/apache/apisix/issues/6345?" is the reply to @alekskar's question.

@MirtoBusico It looks like the issue you raised at the beginning of this thread will be resolved by #8068; if you can verify that #8068 works for you, then you can close the issue.
If #8068 does not work, we continue tracing under this issue.

@alekskar Please open a new issue to describe your problem. From your error logs, what you describe is not related to this issue.

@MirtoBusico
Author

MirtoBusico commented Dec 7, 2022

Thanks @tzssangglass
If I understand correctly, #8068 is merged in the master branch.
How can I tell in which release it will be included?
Can I modify the apisix helm chart to use a particular version/branch of Apisix by setting a different tag in the "image" section?

image:
    repository: apache/apisix
    pullPolicy: IfNotPresent
    # Overrides the image tag whose default is the chart appVersion.
    tag: 2.15.1-debian

Again thanks for your time

@tzssangglass
Member

Can I modify the apisix helm chart to use a particular version/branch of Apisix by setting a different tag in the "image" section?

you can try apisix:dev: https://hub.docker.com/r/apache/apisix/tags?page=1&name=dev

Or you can wait for the next version to be released and then verify it.

@MirtoBusico
Author

Thanks. I'll wait for the next version.

@MirtoBusico
Author

Hi @tzssangglass I discovered that the apisix pod cannot communicate with the keycloak server because I'm using a private CA.

root@apisix-54cdc68f89-wtl8w:/usr/local/apisix# wget https://k6k.h.net
--2022-12-25 10:07:55--  https://k6k.h.net/
Resolving k6k.h.net (k6k.h.net)... 192.168.100.20
Connecting to k6k.h.net (k6k.h.net)|192.168.100.20|:443... connected.
ERROR: The certificate of 'k6k.h.net' is not trusted.
ERROR: The certificate of 'k6k.h.net' doesn't have a known issuer.
root@apisix-54cdc68f89-wtl8w:/usr/local/apisix# 

In the past I solved this issue by adding the CA certificate in the helm chart.

I'll redo the test after adding the CA certificate and will post the results in this thread.

@MirtoBusico
Author

Hi @tzssangglass I discovered that the apisix pod cannot communicate with the keycloak server because I'm using a private CA.

root@apisix-54cdc68f89-wtl8w:/usr/local/apisix# wget https://k6k.h.net
--2022-12-25 10:07:55--  https://k6k.h.net/
Resolving k6k.h.net (k6k.h.net)... 192.168.100.20
Connecting to k6k.h.net (k6k.h.net)|192.168.100.20|:443... connected.
ERROR: The certificate of 'k6k.h.net' is not trusted.
ERROR: The certificate of 'k6k.h.net' doesn't have a known issuer.
root@apisix-54cdc68f89-wtl8w:/usr/local/apisix# 

In the past I solved this issue by adding the CA certificate in the helm chart.

I'll redo the test after adding the CA certificate and will post the results in this thread.

Hi @tzssangglass, it seems that my problem is not related to the CA, so I'm trying to use the workaround in #8068 (comment)

If unsuccessful I'll wait for the new release

@MirtoBusico
Author

Hi @tzssangglass, the workaround in #8068 (comment) worked for me.

After modifying the values.yaml file as in the workaround, I'm able to work with the apisix dashboard using these openid-connect plugin settings

{
    "client_id":"hcadmins",
    "client_secret":"MoqLUhwgsEDi36II0KuJldKq4YGLHxl3",
    "discovery":"https://k6k.h.net/realms/hcluster_admins/.well-known/openid-configuration",
    "scope":"openid profile",
    "bearer_only":false,
    "realm":"hcluster_admins",
    "introspection_endpoint_auth_method":"client_secret_post",
    "redirect_uri":"https://apisix.h.net/*",
    "access_token_in_authorization_header":true
}

I think this issue can be closed

@juzhiyuan
Member

Hi @MirtoBusico, glad to know that your question has been resolved!

If possible,

  1. You can summarize the process of configuring keycloak with APISIX in this scenario as a blog.
  2. Publish the blog on APISIX's website.

The community needs such practice content to help users onboard with APISIX.

If you have interest, please cc me to let me know :)

@juzhiyuan
Member

Hi @MirtoBusico, for your records, there is also a form for our Guest Blogger Program: https://apisix.apache.org/guest-blog-post. You can also have a look at it for a better understanding of this program. 😉

@EmilyKeer is in charge of this program, she will be glad to help you as well.

@MirtoBusico
Author

Hi @MirtoBusico, for your records, there is also a form for our Guest Blogger Program: https://apisix.apache.org/guest-blog-post. You can also have a look at it for a better understanding of this program. 😉

@EmilyKeer is in charge of this program, she will be glad to help you as well.

Hi @juzhiyuan and @EmilyKeer thanks for your time. Any help will be greatly appreciated.

I started the blog post at https://github.com/MirtoBusico/apisix-website/blob/master/blog/en/blog/2023/01/02/accessing_apisix-dashboard_from_everywhere_with_keycloak_authentication.md

And I'm using as model this post https://github.com/MirtoBusico/apisix-website/blob/master/blog/en/blog/2022/07/06/use-keycloak-with-api-gateway-to-secure-apis.md

The first help I need is how to manage tables: it seems that the markup syntax is not accepted, but the article header is rendered as a table.

Any hint on managing tables?

Is it preferred to use mail on requesting help on this article?

@juzhiyuan
Member

juzhiyuan commented Jan 3, 2023

The first help I need is how to manage tables: it seems that the markup syntax is not accepted, but the article header is rendered as a table.

Hi @MirtoBusico, do you mean the markdown meta is rendered as a table?


It's expected behavior in GitHub :)

If you mean tables like this, then you can use this tool to generate the table: https://www.tablesgenerator.com/markdown_tables

Is it preferred to use mail on requesting help on this article?

Sure, no problem :) Just mail me.
