Integrate APISIX with Keycloak: Overlapping routes introduce issue in Discovery

138 views Asked by At

I am using keycloak as an oidc provider. I have added two routes in apisix config.

  1. uri : "/auth" related apis to keycloak
  2. uri:"/*", other than keycloak APIs to my mock app(traefik whoami) While accessing my application(foo.example.com),I am getting 500 in discovery.

My route configs:


### Keycloak service
curl -XPUT localhost:xxxx/apisix/admin/routes/1 -H "X-API-KEY: xxxx" -d '{
    "uri":"/*",
    "service_id": "2",
    "hosts": ["foo.example.com"],
    "methods": ["GET","POST","PUT","DELETE"],
    "priority": 10,
    "plugins":{
        "openid-connect":{
            "client_id": "foo",
            "client_secret": "ATfWp96az8uTStNSr7qYKSrlXpFqm35b",
            "discovery": "http://foo.example.com/auth/realms/foo/.well-known/openid-configuration",
            "scope": "openid profile",
            "bearer_only": false,
            "realm": "foo",
            "introspection_endpoint_auth_method": "client_secret_post",
            "redirect_uri": "http://foo.example.com/",
            "logout_path": "/logout",
            "set_refresh_token_header":true,
            "post_logout_redirect_uri":"http://foo.example.com/"
        }
    }
}'

### Whoami service
curl -XPUT localhost:xxxx/apisix/admin/routes/2 -H "X-API-KEY: xxx" -d '{
    "uris": ["/auth/*", "/auth/"],
    "service_id": "1",
    "hosts": ["*.example.com"],
    "methods": ["GET","POST","PUT","DELETE"],
    "priority": 999
}'

While accessing foo.example.com, I am expecting keycloak login page. But i am getting 500, I can see some error in apisix logs.

Here is my error:

[lua] openidc.lua:573: openidc_discover(): accessing discovery url (http://foo.example.com/auth/realms/foo/.well-known/openid-configuration) failed: timeout, client: 172.19.0.7, server: _, request: "GET /auth/realms/foo/.well-known/openid-configuration HTTP/1.1", host: "foo.example.com"

Any help or suggestions would be greatly appreciated. Thank you!

1

There are 1 answers

0
Rajan Gupta On

Seems APISIX is not able to resolve the domain foo.example.com and connect to Keycloak. Double check the DNS configurations to ensure APISIX is able to configure the Keycloak hostname