help request: how to enable authz-keycloak for accessing apisix-dashboard? #8642

Closed
MirtoBusico opened this issue Jan 9, 2023 · 2 comments

Description

Hi all,
I've set up a working environment to access apisix-dashboard from everywhere.

The access path is user -> nginx load balancer -> apisix (authenticated with openid-connect plugin) -> apisix dashboard

The framework is the one described in #8452

Now that openid-connect works correctly, I'm trying to add authorization to the route.

What happens is:

  • try to access the apisix-dashboard at "https://apisix.h.net"
  • I'm redirected to the keycloak login page
  • I login with an authorized user
  • the apisix-dashboard login page is shown; but the login is not accepted and I always remain on the login page

The route definition is

{
  "uri": "/*",
  "name": "apisix-dashboard",
  "desc": "apisix.h.net route",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "apisix.h.net",
  "plugins": {
    "authz-keycloak": {
      "client_id": "hcadmins",
      "disable": false,
      "permissions": [
        "adm-apisix-resource"
      ],
      "token_endpoint": "https://k6k.h.net/realms/hcluster_admins/protocol/openid-connect/token"
    },
    "openid-connect": {
      "access_token_in_authorization_header": true,
      "bearer_only": false,
      "client_id": "hcadmins",
      "client_secret": "MoqLUhwgsEDi36II0KuJldKq4YGLHxl3",
      "disable": false,
      "discovery": "https://k6k.h.net/realms/hcluster_admins/.well-known/openid-configuration",
      "introspection_endpoint_auth_method": "client_secret_post",
      "realm": "hcluster_admins",
      "redirect_uri": "https://apisix.h.net/*",
      "scope": "openid profile"
    },
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "440140633500287791",
  "status": 1
}

What works:

  • testing authorization in keycloak or the resource gives permit to the authorized user
  • testing authorization in keycloak or the resource gives deny to the unauthorized user
  • accessing another dashboard (in my case the Kiali dashboard) works as expected
  • accessing the apisix-dashboard with an unauthorized user correctly gives the {"error":"access_denied","error_description":"not_authorized"} page

What doesn't work:

  • accessing the apisix-dashboard with an authorized user gives the apisix-dashboard login page; but the login is not accepted and the page doesn't change

I don't see anything interesting in the apisix pod logs and in the apisix-dashboard pod log

What can I do?

Environment

  • APISIX version (run apisix version):
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# apisix version
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua version
2.15.1
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix#
  • Operating system (run uname -a):
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# uname -a
Linux apisix-64fffcfb4c-55vhw 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64 GNU/Linux
root@apisix-64fffcfb4c-55vhw:/usr/local/apisix# 
  • OpenResty / Nginx version (run openresty -V or nginx -V):
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant: 2.13.0
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@MirtoBusico MirtoBusico changed the title help request: how to enable authz-keycloak for accessing apisix-keyboard? help request: how to enable authz-keycloak for accessing apisix-dashboard? Jan 9, 2023

This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.

@github-actions github-actions bot added the stale label Dec 26, 2023

github-actions bot commented Jan 9, 2024

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.

@github-actions github-actions bot closed this as not planned Jan 9, 2024