help request: how to config proxy server for apisix to process oauth2 via openid-connect

[darkSheep404]

Description

how to config proxy server for apisix to access oauth2 provider in different network

request background

hi apisix team:
因为有区分内外网隔离环境
访问外部认证服务器需要走代理从内网服务器从内网出外网
在Springboot中需要配置代理服务器 like

private WebClient buildByProxyClientConnector(WebClient.Builder webClientBuilder) {
    return webClientBuilder.clientConnector(getProxyReactorClientHttpConnector()).build();
  }
 HttpClient.create(proxyClientProvider())
            .proxy(
                proxy ->
                    proxy
                        .type(ProxyProvider.Proxy.HTTP)
                        .address(
                            new InetSocketAddress(
                                webServiceProperties.getProxyHost(),
                                Integer.parseInt(webServiceProperties.getProxyPort())))));

这样 使用这个Webclient的请求可以走代理服务器到外网

请问apisix是否支持通过配置来实现这一功能

Environment

• APISIX version : apisix:2.12.1-alpine

[darkSheep404]

hi @Sn0rt
can you take a look at this when you are free,many thank~

[Sn0rt]

hi @Sn0rt can you take a look at this when you are free,many thank~

NP. I am take a look now.

This text looks very difficult to understand. Can you draw a picture? I can't understand this code at all. I can only guess.

[darkSheep404]

hi @Sn0rt can you take a look at this when you are free,many thank~

NP. I am take a look now.

This text looks very difficult to understand. Can you draw a picture? I can't understand this code at all. I can only guess.

hi @Sn0rt
emmm,
it maybe a forward proxy issue?

below is the way we use proxy to access other app in 外网 with proxy in java springboot way **
and now we need use apsix and openid-connect to access oauth2 sever in 外网,
so we need let apisix call oauth2 with proxy too.

public WebClient proxyWebClient(
            ReactorClientHttpConnector connector,
            RncProperties rncProperties,
            WebClient.Builder webClientBuilder) {
       
            HttpClient httpClient =
                    HttpClient.create(myproxyProvider())
                            .proxy(proxy -> proxy.type(ProxyProvider.Proxy.HTTP)
                                    .host(myProxyProperties.getProxyHost())
                                    .port(Integer.parseInt(myProxyProperties.getProxyPort())));
            connector = new ReactorClientHttpConnector(httpClient);
        
        return webClientBuilder
                .clientConnector(connector)
                .baseUrl(rncProperties.getBaseUrl())
                .build();
    }

use webclient with proxy config to call other app which in 外网

return proxyWebClient
        .post()
        .uri("/xxx")
        .bodyValue(userTrade)
        .retrieve()
        .bodyToMono(List.class)
        .block();

[Sn0rt]

How can you see in this picture that APISIX takes over the user's authentication request?

[darkSheep404]

How can you see in this picture that APISIX takes over the user's authentication request?

well, it is my error.
we just use apisix plugin openid-connect to process authentication with oauth2 server

  - uri: /api/sso/*
    service_id: my-admin
    plugins:
      openid-connect:
        client_id: apisix
        client_secret: xxx
        discovery: https://xxx.com/auth/realms/xxx-xxx/.well-known/openid-configuration
        scope: openid
        bearer_only: false
        realm: xxx-xxx
        redirect_uri: /api/sso/callback
        logout_path: /api/sso/logout
        introspection_endpoint_auth_method: client_secret_post
        post_logout_redirect_uri: xxx.com
        set_access_token_header: false
        set_id_token_header: false
 

and i did't put this flow in picture
here is the flow pictue in openid-connect docs
https://apisix.apache.org/docs/apisix/plugins/openid-connect/

[Sn0rt]

How can you see in this picture that APISIX takes over the user's authentication request?

well, it is my error. we just use apisix plugin openid-connect to process authentication with oauth2 server

  - uri: /api/sso/*
    service_id: my-admin
    plugins:
      openid-connect:
        client_id: apisix
        client_secret: xxx
        discovery: https://xxx.com/auth/realms/xxx-xxx/.well-known/openid-configuration
        scope: openid
        bearer_only: false
        realm: xxx-xxx
        redirect_uri: /api/sso/callback
        logout_path: /api/sso/logout
        introspection_endpoint_auth_method: client_secret_post
        post_logout_redirect_uri: xxx.com
        set_access_token_header: false
        set_id_token_header: false
 

and i did't put this flow in picture here is the flow pictue in openid-connect docs https://apisix.apache.org/docs/apisix/plugins/openid-connect/

in short.

Do you want APISIX to pass a proxy when using the openid-connect plugin to access the auth service?

[darkSheep404]

in short.

Do you want APISIX to pass a proxy when using the openid-connect plugin to access the auth service?

yes, i would like to know how can i use forward proxy in apisix for this plugin of a specified url

[Sn0rt]

in short.
Do you want APISIX to pass a proxy when using the openid-connect plugin to access the auth service?

yes, i would like to know how can i use forward proxy in apisix for this plugin of a specified url

Currently it is not supported to use proxy when using openid-connect.

That is the fourth stage in the picture

If you want to do it, we are also very welcome, and I can provide necessary help.

[darkSheep404]

in short.
Do you want APISIX to pass a proxy when using the openid-connect plugin to access the auth service?

yes, i would like to know how can i use forward proxy in apisix for this plugin of a specified url

Currently it is not supported to use proxy when using openid-connect.

That is the fourth stage in the picture

If you want to do it, we are also very welcome, and I can provide necessary help.

i wish i could find solutions to deal it
thanks for your help again 😀

[Sn0rt]

ok. can you close this issues ?

[darkSheep404]

ok，and may i confirm that is there has a forward proxy apisix plugin now?

[Sn0rt]

ok，and may i confirm that is there has a forward proxy apisix plugin now?

I don't quite understand your question.

[darkSheep404]

ok，and may i confirm that is there has a forward proxy apisix plugin now?

I don't quite understand your question.

Because our goal is ==> access oauth2 server in another network (外网) during openid-connect work flow
So, if there is a forward proxy apisix plugin which cann let apisix access specified url using http proxy sever
I think it will do helps to this goal too.

So I want to know if there is already a plugin that allows apisix to access a url via the forward proxy server

[darkSheep404]

Finally, for bros who may encounter this problem in the future too

I tried another solution

Configure discovery url in openid-connect a new url instead of oauth2 server

Let your app like springboot handle the url to forward the request and response using webclient/restTemplate with forward http proxy
it will works too

[darkSheep404]

ok，and may i confirm that is there has a forward proxy apisix plugin now?

I don't quite understand your question.

Because our goal is ==> access oauth2 server in another network (外网) during openid-connect work flow So, if there is a forward proxy apisix plugin which cann let apisix access specified url using http proxy sever I think it will do helps to this goal too.

So I want to know if there is already a plugin that allows apisix to access a url via the forward proxy server

hi @Sn0rt
So there isn't such a apisx forwad proxy plugin yet?

[Sn0rt]

你可以讲中文, 我没有非常理解你最后一个问题是什么.

[darkSheep404]

你可以讲中文, 我没有非常理解你最后一个问题是什么.

emmm 想确认一下apisix现在还没有做正向代理
的插件是吧😂

[Sn0rt]

你可以讲中文, 我没有非常理解你最后一个问题是什么.

emmm 想确认一下apisix现在还没有做正向代理 的插件是吧😂

APISIX 就不是做这个用的. 包括 nginx .

[darkSheep404]

是的
我在之前的issue讨论里也有看到过这样的结论
NGINX最常见使用的代理是反向代理

不过作为网关来说
有的时候也会有像这种
需要走代理服务器出外网访问其他服务的需求

不过 插件化的优势 就是能在主业外添加各种各样
的能力

那看来现在应该还没有这样的插件😃
再次感谢您的帮助～