apisix icon indicating copy to clipboard operation
apisix copied to clipboard
verified publisher icon apache

help request: failed to check the configuration of plugin multi-auth err: openid-connect plugin is not supported

Open jonathan-dev opened this issue 1 year ago • 2 comments

Description

The documentation for the multi-auth plugin says:

This plugin provides a flexible authentication mechanism by iterating through the list of authentication plugins specified in the auth_plugins attribute. It allows multiple consumers to share the same route while using different authentication methods. For example, one consumer can authenticate using basic authentication, while another consumer can authenticate using JWT.

However when setting it up with openid-connect (which to my knowledeg is a auth plugin) I get the following message: {"error_msg":"failed to check the configuration of plugin multi-auth err: openid-connect plugin is not supported"}

Is the openid-connect some kind of exception?

Environment

I am using this docker image: apache/apisix:3.9.1-redhat

jonathan-dev avatar Aug 20 '24 13:08 jonathan-dev

Same for the authz-keycloak plugin: {"error_msg":"failed to check the configuration of plugin multi-auth err: authz-keycloak plugin is not supported"}

jonathan-dev avatar Aug 20 '24 14:08 jonathan-dev

I just looked at the source of the plugin and it seems like the problem is just that the open-idconnect plugin doesn't have the type set to "auth" in its _M object. Is that the only problem? Or are there other issues related because the plugin does authentication in a different way to the other plugins? They just seem to return nil on their rewrite method if the request is fine.

jonathan-dev avatar Aug 21 '24 08:08 jonathan-dev

I've stumbled upon this problem and also on the missing "auth" type in the _M object. Did you find any solution @jonathan-dev?

suxxez avatar Jan 28 '25 12:01 suxxez

I ended up adjusting the source code of the plugin to my need and loaded it as a custom plugin which wasn't all that hard to do

jonathan-dev avatar Jan 29 '25 12:01 jonathan-dev

I found a solution for my problem by implementing two basically identical routes /api/my-service/*

The first route has OIDC enabled and this extra vars:

"vars": [
    [
      "arg_apikey",
      "!",
      "~~",
      "."
    ]
]

The second route has key-auth enabled and this extra vars:

"vars": [
    [
      "arg_apikey",
      "~~",
      "."
    ]
]

This approach uses pattern matching to figure out which route the request should take. If there is the request parameter "apikey=ANYSTRING" present, second route is used. If there is no request parameter apikey present, the first route is used.

It's not great and it would be cool to have multi-auth work out of the box, but it works.

suxxez avatar Jan 30 '25 07:01 suxxez

This plugin provides a flexible authentication mechanism by iterating through the list of authentication plugins specified in the auth_plugins attribute.

authentication plugins have type = 'auth' in plugin defined code.

Baoyuantop avatar May 14 '25 06:05 Baoyuantop

If there is still a problem, please open it again.

Baoyuantop avatar May 14 '25 06:05 Baoyuantop

Is this problem solved? I tried to use multi-auth plugin with some key-auth and openid-connect using docker image version 3.12.0-debian. But the problem is still occurring

Fucks avatar Jun 14 '25 23:06 Fucks

openid-connect is not an auth plugin, so it cannot be used in multi-auth.

Baoyuantop avatar Jun 16 '25 02:06 Baoyuantop