apisix
authz-casdoor redirect :503 Service Temporarily Unavailable
Description
Using authz-casdoor for auth, the redirect to port 9080 fails. The error message is "503 Service Temporarily Unavailable".
1. casdoor application:
2. set router:
curl "http://127.0.0.1:9080/apisix/admin/routes/1" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PUT -d '
{
  "methods": ["GET"],
  "uri": "/anything/*",
  "plugins": {
    "authz-casdoor": {
      "endpoint_addr": "http://10.78.44.46:8000",
      "callback_url": "http://10.78.44.46:9080/anything/callback",
      "client_id": "00ecb282bc314667fc11",
      "client_secret": "e3923ad0025b4bb39bf3825ee9e5aa8fa5f1a62d"
    }
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "httpbin.org:80": 1
    }
  }
}'
3. request url: http://127.0.0.1:9080/anything/test
3.1 login:
3.2 response err:
3.3 apisix err log:
4. change the request ip,request url: http://10.78.44.46:9080/anything/get
4.1 response err:
4.2 apisix err log:
4.3 curl in docker container success:
Environment
- APISIX version (run apisix version): 2.15.0-alpine
- Operating system (run uname -a): Darwin xwc1125 21.6.0 Darwin Kernel Version 21.6.0: Sat Jun 18 17:07:25 PDT 2022; root:xnu-8020.140.41~1/RELEASE_X86_64 x86_64
- OpenResty / Nginx version (run openresty -V or nginx -V): openresty/1.21.4.1
- etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): bitnami/etcd:3.4.15
- APISIX Dashboard version, if relevant: apache/apisix-dashboard:2.13-alpine
Same as https://github.com/apache/apisix/issues/7539?
I think they are different. #7539 needs SSL, but this issue does not. And I followed the example.
This means that the callback request from the casdoor server does not carry the session.
We should investigate why there is no session in the callback request in response to the authentication result of the casdoor server.
@tzssangglass The session is not transferred to casdoor server. It's restored from cookie sent by the browser.
-- session here either comes from cookie or new generated
local session_obj_read, session_present = session.open()
...
if current_uri == real_callback_url then
    -- if session_present is false, then means browser doesn't send any cookie
    if not session_present then
        err = "no session found"
        core.log.error(err)
        return 503
    end
@xwc1125 Let me explain why you failed with 503 and 504.
Your callback_url uses the domain name 10.78.44.46, which is different from the one you use to access apisix from the browser. Before apisix redirects the browser to the casdoor server, it generates a cookie for 127.0.0.1, but then, after you are successfully authenticated by the casdoor server and it redirects the browser to the callback addr 10.78.44.46, the browser doesn't send any cookie to it, because the domains are different.
But when you turn to access apisix via 10.78.44.46, the whole authentication flow works (and there is no need to re-enter the username and password in casdoor in this case, because you are already logged in to casdoor), and the upstream is accessed, but timed out. The timeout reason is pending to be found. Maybe it's a network issue; you could retry.
So ensure the domain in callback_url is the same one you use to access apisix in your browser.
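The host comparison explained above, written as a pre-deployment check. This is an added example, not part of the thread or the APISIX code base; the function names are hypothetical, the route sample is constructed from the report with placeholder credentials, and it assumes the plugin's session cookie carries no Domain attribute unless `cookie_domain` is passed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: plugin part of the route from the report, with the
# credentials replaced by placeholders.
ROUTE = json.loads("""
{"uri": "/anything/*",
 "plugins": {"authz-casdoor": {
   "endpoint_addr": "http://10.78.44.46:8000",
   "callback_url": "http://10.78.44.46:9080/anything/callback",
   "client_id": "<client_id>", "client_secret": "<client_secret>"}}}
""")


def cookie_host(url):
    """Host used for cookie matching: lowercased, port ignored (RFC 6265)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def session_reaches_callback(access_url, callback_url, cookie_domain=None):
    """True if a cookie set while serving access_url is sent to callback_url."""
    origin, target = cookie_host(access_url), cookie_host(callback_url)
    if cookie_domain is None or is_ip(origin) or is_ip(target):
        # Host-only cookie, or an IP address: only an exact host match works.
        return origin == target
    domain = cookie_domain.lstrip(".").lower()
    return all(h == domain or h.endswith("." + domain) for h in (origin, target))


def check_route(route, access_url):
    """Return a finding string, or None when the session cookie will arrive."""
    callback = route["plugins"]["authz-casdoor"]["callback_url"]
    if session_reaches_callback(access_url, callback):
        return None
    return (f"cookie set for {cookie_host(access_url)} is not sent to "
            f"{cookie_host(callback)}: callback fails with 'no session found'")
```

Run against the two URLs from the report, `check_route` flags the 127.0.0.1 access and passes the 10.78.44.46 one; a differing port alone does not trigger a finding, because cookies are not scoped by port.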
@kingluo Thanks very much. Your answer is exactly right. When I turn to access apisix via 10.78.44.46, it works well. So the callback_url and apisix url must be the same domain. Thank you very much again!
Considered solved, feel free to reopen this if you need.