
help request: How to use the access_denied_redirect_uri in authz-keycloak plugin? #6789

Closed
MirtoBusico opened this issue Apr 2, 2022 · 5 comments · Fixed by #6794
Labels
bug Something isn't working

Comments

@MirtoBusico

Description

Hi all,
I'm trying to use two new features in apisix 2.13:

  • access_denied_redirect_uri in authz-keycloak plugin
  • post_logout_redirect_uri in openid-connect plugin

The post_logout_redirect_uri works perfectly as expected.
But the access_denied_redirect_uri leaves me on the uri that I tried to access with this body

{
  "error": "access_denied",
  "error_description": "not_authorized"
}

instead of redirecting to the uri specified in the plugin

{
  "access_denied_redirect_uri": "https://www.m01.net/pres/?notauthorized",
  "client_id": "m01client",
  "disable": false,
  "permissions": [
    "user-resource"
  ],
  "token_endpoint": "https://k6k.m01.net/auth/realms/m01project/protocol/openid-connect/token"
}

Maybe I'm misinterpreting the instructions in the authz-keycloak manual

How can I use the "access_denied_redirect_uri" parameter?

The route definition is:

{
  "uri": "/user/*",
  "name": "m01-www-user",
  "desc": "services for users - authenticated and role=user",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE"
  ],
  "host": "www.m01.net",
  "plugins": {
    "authz-keycloak": {
      "access_denied_redirect_uri": "https://www.m01.net/pres/?notauthorized",
      "client_id": "m01client",
      "disable": false,
      "permissions": [
        "user-resource"
      ],
      "token_endpoint": "https://k6k.m01.net/auth/realms/m01project/protocol/openid-connect/token"
    },
    "cors": {
      "allow_credential": false,
      "allow_headers": "*",
      "allow_methods": "*",
      "allow_origins": "*",
      "disable": true,
      "expose_headers": "*",
      "max_age": 5
    },
    "openid-connect": {
      "access_token_in_authorization_header": true,
      "bearer_only": false,
      "client_id": "m01client",
      "client_secret": "NtAdqj1ZtsAOHzKzHFjrkBatwHvpDw1U",
      "disable": false,
      "discovery": "https://k6k.m01.net/auth/realms/m01project/.well-known/openid-configuration",
      "introspection_endpoint_auth_method": "client_secret_post",
      "logout_path": "/user/logout",
      "post_logout_redirect_uri": "https://www.m01.net/pres/?loggedout",
      "realm": "m01project",
      "redirect_uri": "https://www.m01.net/user/*",
      "scope": "openid profile"
    },
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "396140811927945844",
  "status": 1
}

Environment

  • APISIX version (run apisix version):
bash-5.1# apisix version
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua version
2.13.0
bash-5.1#
  • Operating system (run uname -a) of the POD hosting apisix:
bash-5.1# uname -a
Linux apisix-5b569f7674-hzmnk 5.4.0-107-generic #121-Ubuntu SMP Thu Mar 24 16:04:27 UTC 2022 x86_64 Linux
bash-5.1# 
  • OpenResty / Nginx version (run openresty -V or nginx -V):
bash-5.1# openresty -V
nginx version: openresty/1.19.9.1
built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424) 
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.19.9.1.4 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../mod_dubbo --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../ngx_multi_upstream_module --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../apisix-nginx-module --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../apisix-nginx-module/src/stream --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../wasm-nginx-module --add-module=/tmp/tmp.XsRuR1iJTB/openresty-1.19.9.1/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module 
--with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
bash-5.1# 
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
    Don't know if it can work inside a POD
    Kubernetes dashboard gives "docker.io/bitnami/etcd:3.4.16-debian-10-r14" for image version
bash-5.1# curl http://127.0.0.1:9090/v1/server_info
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>openresty</center>
</body>
</html>
bash-5.1# 
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
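The behaviour reported above (a JSON body instead of the configured redirect) is what happens when only some of the "not authorized" code paths in a plugin consult access_denied_redirect_uri. The following is an added illustration, not APISIX's own Lua: a small Python model of the authz-keycloak decision with two denial paths (token endpoint refuses an RPT; RPT issued but missing a required permission), once with a single deny() choke point and once with the inconsistency that produces the symptom. The config values are the ones from the route in this issue; the two-path split is an assumption for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthzKeycloakConf:
    # Fields mirror the route's authz-keycloak plugin config in this issue.
    client_id: str
    token_endpoint: str
    permissions: list
    access_denied_redirect_uri: Optional[str] = None

# The JSON body the issue reporter saw instead of a redirect.
DENIED_BODY = {"error": "access_denied", "error_description": "not_authorized"}

def deny(conf: AuthzKeycloakConf):
    """Single choke point for every denial: 307 to the configured URI, else 403 + JSON."""
    if conf.access_denied_redirect_uri:
        return 307, {"Location": conf.access_denied_redirect_uri}, None
    return 403, {}, DENIED_BODY

def authorize_consistent(conf, token_endpoint_status: int, rpt_permissions: list):
    """Expected behaviour: both denial paths go through deny().
    Path 1: Keycloak's token endpoint refuses to issue an RPT (non-200).
    Path 2: an RPT is issued but lacks one of the required permissions.
    (Two-path split is an assumption of this model, not APISIX's code.)"""
    if token_endpoint_status != 200:
        return deny(conf)
    if any(p not in rpt_permissions for p in conf.permissions):
        return deny(conf)
    return 200, {}, None

def authorize_inconsistent(conf, token_endpoint_status: int, rpt_permissions: list):
    """The symptom in the issue: path 2 answers 403 + JSON directly,
    ignoring access_denied_redirect_uri even though it is configured."""
    if token_endpoint_status != 200:
        return deny(conf)
    if any(p not in rpt_permissions for p in conf.permissions):
        return 403, {}, DENIED_BODY   # bug: bypasses deny()
    return 200, {}, None

# Constructed from the issue's route definition.
ISSUE_CONF = AuthzKeycloakConf(
    client_id="m01client",
    token_endpoint="https://k6k.m01.net/auth/realms/m01project/protocol/openid-connect/token",
    permissions=["user-resource"],
    access_denied_redirect_uri="https://www.m01.net/pres/?notauthorized",
)
```

A gateway-side regression check for this class of bug is to exercise every denial path with the redirect configured and assert each one yields 307 with the expected Location, which is what the test for this block does.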
@spacewander
Member

spacewander commented Apr 5, 2022

Could you confirm if #6794 solves the problem?

You can build the APISIX with the fix included.
You can refer to https://github.com/apache/apisix-docker/blob/master/alpine-dev/Dockerfile for how to build APISIX, and need to change the source (apply the patch or with other methods).

@spacewander spacewander added the bug Something isn't working label Apr 5, 2022
@MirtoBusico
Author

Well @spacewander my problem is not solved.

Maybe I was not clear:
Apisix 2.13 should contain the features #6794 and #6455
#6455 works as expected
#6794 gives the new json response but seems not to use the new access_denied_redirect_uri parameter

My question is: is the authz-keycloak access_denied_redirect_uri parameter integrated in Apisix 2.13?

@spacewander
Member

> Well @spacewander my problem is not solved.
>
> Maybe I was not clear: Apisix 2.13 should contain the features #6794 and #6455. #6455 works as expected. #6794 gives the new json response but seems not to use the new access_denied_redirect_uri parameter.
>
> My question is: is the authz-keycloak access_denied_redirect_uri parameter integrated in Apisix 2.13?

I can't get your point. The #6794 uses the new access_denied_redirect_uri parameter.

@spacewander
Member

APISIX 2.13 contains the access_denied_redirect_uri parameter, but it doesn't cover every path of the code. Therefore #6794 is submitted to fix it.

@MirtoBusico
Author

@spacewander Ok. Thanks
I'll wait for the #6794 merge
