
help request: How to correctly create a consumer with openid-connect?

Open Bishnup1995 opened this issue 1 year ago • 13 comments

Current Behavior

I am able to create a consumer with openid-connect. I have added the consumer-restriction plugin to my route. When I am trying to access the route I am getting an error message: "The request is rejected, please check the consumer_name for this request". I am running apisix in a Kubernetes environment.

Expected Behavior

The routing should happen without any error

Error Logs

No response

Steps to Reproduce

  1. Create a consumer with openid-connect
  2. Create a route for the same with consumer-restriction
  3. Try to access the API

Environment

  • APISIX version - 3.8.0
  • Operating system - Linux debian(Docker)
  • OpenResty / Nginx version - 1.21.4.2

Bishnup1995 avatar Mar 08 '24 03:03 Bishnup1995

Can you provide some of your apisix consumer & route config?

hanqingwu avatar Mar 11 '24 02:03 hanqingwu

Hi @hanqingwu Please find the consumer and route config below: Consumer:

curl http://localhost:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{
"plugins": {
    "openid-connect": {
        "_meta": {
            "disable": false
        },
        "access_token_in_authorization_header": true,
        "bearer_only": true,
        "client_id": "Admin",
        "client_secret": "Admin",
        "discovery": "http://localhost:8111/authentication/validate",
        "introspection_endpoint": "http://localhost:8111/authentication/validate/"
    }
},
"username": "Admin"
}'

Route:

curl http://localhost:9180/apisix/admin/routes/497215749975180242 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '{
    "plugins": {
        "openid-connect": {
            "_meta": {
                "disable": false
            },
            "access_token_in_authorization_header": true,
            "bearer_only": true,
            "client_id": "Admin",
            "client_secret": "Admin",
            "discovery": "http://localhost:8111/authentication/validate",
            "introspection_endpoint": "http://localhost:8111/authentication/validate/"
        },
        "proxy-rewrite": {
            "regex_uri": ["^/api/(.*)", "/$1"]
        },
        "response-rewrite": {
            "_meta": {
                "disable": false
            },
            "filters": [{
                    "replace": "localhost:30075/api",
                    "regex": "localhost:9080",
                    "scope": "global"
                }
            ]
        },
        "consumer-restriction": {
            "rejected_msg": "Access Denied",
            "_meta": {
                "disable": false
            },
            "type": "consumer_name",
            "whitelist": ["Admin"]
        }
    },
    "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE", "PURGE"],
    "name": "Test api",
    "uri": "/api/*",
    "upstream_id": "497215591497597906"
}'

Upstream is a simple Rest API

Bishnup1995 avatar Mar 11 '24 03:03 Bishnup1995

It seems OK. What is your access API? And can you check the apisix logs?

hanqingwu avatar Mar 11 '24 03:03 hanqingwu

I am getting "The request is rejected, please check the consumer_name for this request" error.

Bishnup1995 avatar Mar 11 '24 04:03 Bishnup1995

please provide correct example route/consumers etc to be created in order to repro this issue. The ones you have shared are incorrect.

shreemaan-abhishek avatar Mar 11 '24 04:03 shreemaan-abhishek

The error msg "The request is rejected, please check the consumer_name for this request" means the consumer_name value can't be obtained in the consumer-restriction access phase, so maybe openid-connect is not correct; maybe openid-connect does not work.

hanqingwu avatar Mar 11 '24 06:03 hanqingwu

@shreemaan-abhishek, can you point out what is incorrect?

hanqingwu avatar Mar 11 '24 06:03 hanqingwu

If you are using OIDC, you would create client in your openid provider. It is not used with consumers the way shown above.

kayx23 avatar Mar 12 '24 06:03 kayx23

@kayx23 Thank you for the response. Could you tell me how we will implement authorization to the route with OIDC?

Bishnup1995 avatar Mar 12 '24 06:03 Bishnup1995

@kayx23, thanks, I get it: the plugin openid-connect cannot support consumer username yet.

hanqingwu avatar Mar 12 '24 06:03 hanqingwu

@Bishnup1995 are you looking to implement a specific authentication grant of OIDC? with RBAC authorization?

kayx23 avatar Mar 12 '24 22:03 kayx23

@kayx23 I am trying to integrate a 3rd party JWT token auth setup

Bishnup1995 avatar Mar 13 '24 07:03 Bishnup1995

@kayx23 I'm trying to achieve (I think) the same goal and failing.

My scenario is to have Apisix validate the Bearer token using information provided in the openid-connect plugin AND simultaneously set the consumer right after the successful validation/introspection, to be able to apply consumer-based restrictions afterwards (consumer-restriction os.).

I also had exactly this issue when using the original nokia/kong-oidc plugin for Kong: the X-Consumer-Id/X-Consumer-Username header used by Kong to identify the consumer simply was not set (I think the Kong Enterprise plugin, see https://docs.konghq.com/hub/kong-inc/openid-connect/how-to/authorization/consumer/, has the option to set the consumer based on a given claim, e.g. preferred_username).

If there is a way to achieve the scenario above with a combination of existing plugins, please advise.

coiouhkc avatar Aug 06 '24 20:08 coiouhkc

Any news about this? I'm trying to do the same. I need to authenticate the user using an Identity Provider server, but I need to allow specific users to access specific routes. Is there a way to do that?

Fucks avatar Jun 20 '25 14:06 Fucks

The current openid-connect plugin is designed to be incompatible with consumer-based authentication.

The openid-connect plugin performs authentication based on an external identity provider and does not rely on the consumer mechanism within APISIX. After OIDC authentication is successful, no APISIX consumer will be created or associated.

If you want to use OIDC for authentication and implement user-based access control, you should:

  1. Use the openid-connect plugin only at the route level, not in the consumer.
  2. Use OIDC's built-in access control mechanisms, such as:
     • the required_scopes parameter for permission control
     • authorization based on JWT claims
     • a custom plugin to parse user information in the OIDC response

Suppose you need to use both OIDC and consumer mechanisms. In that case, you can consider developing a custom plugin to create a temporary consumer based on user information after OIDC authentication succeeds.

Baoyuantop avatar Jun 23 '25 02:06 Baoyuantop
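The claim-based authorization and "custom plugin" options from the answer above, sketched as an added example. This is not code from the APISIX project or from anyone in this thread. It assumes: openid-connect is enabled on the same route (bearer_only, priority 3000, rewrite phase) with set_userinfo_header = true, so that after a successful validation it overwrites the X-Userinfo request header with the base64-encoded JSON of the validated identity (for bearer_only introspection, the introspection response); the plugin name oidc-claim-restriction, its priority 2500 and the claim/whitelist/rejected_* options are hypothetical; consumer-restriction (priority 2400) reads ctx.consumer_name in its access phase, which is the field whose absence produces the error in this issue. Enable the plugin on the route between openid-connect and consumer-restriction; with it, a consumer-restriction whitelist of ["Admin"] matches a token whose configured claim is "Admin" without any APISIX consumer object existing.

```lua
-- apisix/plugins/oidc-claim-restriction.lua (hypothetical custom plugin)
local core = require("apisix.core")
local ngx_decode_base64 = ngx.decode_base64
local ipairs = ipairs
local type = type

local plugin_name = "oidc-claim-restriction"

local schema = {
    type = "object",
    properties = {
        -- claim in the validated identity JSON to match on
        claim = { type = "string", default = "preferred_username" },
        -- claim values that are allowed through this route
        whitelist = { type = "array", items = { type = "string" }, minItems = 1 },
        rejected_code = { type = "integer", minimum = 200, maximum = 599, default = 403 },
        rejected_msg = { type = "string", default = "Access denied" },
    },
    required = { "whitelist" },
}

local _M = {
    version = 0.1,
    -- Assumption: openid-connect runs at priority 3000 and consumer-restriction
    -- at 2400; 2500 places this plugin between them, so the token is already
    -- validated when we run and ctx.consumer_name is set before
    -- consumer-restriction reads it.
    priority = 2500,
    name = plugin_name,
    schema = schema,
}

function _M.check_schema(conf)
    return core.schema.check(schema, conf)
end

-- Read the identity that openid-connect attached to the request.
-- Assumption: with set_userinfo_header = true the plugin writes the
-- validated identity as base64(JSON) into the X-Userinfo request header.
-- The header is only trustworthy because openid-connect overwrites it on
-- every successful validation and returns 401 before this phase otherwise;
-- on a route without openid-connect a client could forge it.
local function load_identity(ctx)
    local raw = core.request.header(ctx, "X-Userinfo")
    if not raw or raw == "" then
        return nil, "X-Userinfo missing: openid-connect did not run or set_userinfo_header is false"
    end
    local json_str = ngx_decode_base64(raw)
    if not json_str then
        return nil, "X-Userinfo is not valid base64"
    end
    local identity, err = core.json.decode(json_str)
    if not identity then
        return nil, "X-Userinfo is not valid JSON: " .. tostring(err)
    end
    return identity
end

function _M.access(conf, ctx)
    local identity, err = load_identity(ctx)
    if not identity then
        core.log.warn(plugin_name, ": ", err)
        return 401, { message = "missing or invalid identity information" }
    end

    local value = identity[conf.claim]
    if type(value) ~= "string" or value == "" then
        -- claim absent or not a string: fail closed
        return conf.rejected_code, { message = conf.rejected_msg }
    end

    for _, allowed in ipairs(conf.whitelist) do
        if value == allowed then
            -- Expose the verified subject as the consumer name so a downstream
            -- consumer-restriction with type = "consumer_name" can match it.
            ctx.consumer_name = value
            return
        end
    end

    return conf.rejected_code, { message = conf.rejected_msg }
end

return _M
```

The plugin fails closed on a missing header, a malformed header or a missing claim, and it never consults the consumer store, so the "Admin" consumer from the original report is not needed at all; the whitelist lives in the route config instead. Setting ctx.consumer_name only makes consumer-restriction usable; it does not attach a real consumer, so consumer-scoped plugin configuration (rate limits per consumer, consumer groups) still does not apply.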

@Bishnup1995 Hi, has your question been resolved? I believe that the current design of openid-connect is not intended for use with the consumer.

If you want to change the current behavior, please consider creating a new issue to propose it as a new requirement.

SkyeYoung avatar Aug 15 '25 02:08 SkyeYoung