
bug: keycloak-authz plugin without resource_registration_endpoint when lazy_load_paths is true returns 500 error #10708

Closed
kayx23 opened this issue Dec 25, 2023 · 13 comments · Fixed by #10763
Assignees
Labels
bug Something isn't working

Comments

@kayx23
Member

kayx23 commented Dec 25, 2023

Current Behavior

Issue separated out from this report.

Configure Keycloak and configure a route as follows (lazy_load_paths: true):

$ curl http://127.0.0.1:9180/apisix/admin/routes/1 -X PUT -d '
{
    "uri": "/*",
    "plugins": {
        "authz-keycloak": {
            "lazy_load_paths": true,
            "discovery": "http://192.168.1.83:8080/realms/quickstart-realm/.well-known/openid-configuration",
            "client_id": "your-client-name",
            "client_secret": "your-client-secret"
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "httpbin.org": 1
        }
    }
}'

Request an access token from keycloak and send a request to the route with the access token:

[screenshot]

because resource_registration_endpoint is neither explicitly configured nor present in the discovery doc:

2023/12/22 00:16:00 [warn] 49#49: *15931 [lua] plugin.lua:1153: run_plugin(): authz-keycloak exits with http status code 503, client: 172.24.0.1, server: _, request: "GET /anything/test HTTP/1.1", host: "127.0.0.1:9080"
2023/12/22 00:16:38 [error] 50#50: *17428 [lua] authz-keycloak.lua:505: authz_keycloak_resolve_resource(): Unable to determine registration endpoint., client: 172.24.0.1, server: _, request: "GET /anything/test HTTP/1.1", host: "127.0.0.1:9080"
2023/12/22 00:16:38 [error] 50#50: *17428 lua entry thread aborted: runtime error: /usr/local/apisix/apisix/plugins/authz-keycloak.lua:580: attempt to get length of local 'permission' (a number value)
stack traceback:
coroutine 0:
172.24.0.1 - - [22/Dec/2023:00:16:38 +0000] 127.0.0.1:9080 "GET /anything/test HTTP/1.1" 500 249 0.129 "-" "curl/7.64.1" - - - "http://127.0.0.1:9080"
/usr/local/apisix/apisix/plugins/authz-keycloak.lua: in function 'evaluate_permissions'
/usr/local/apisix/apisix/plugins/authz-keycloak.lua:778: in function 'phase_func'
/usr/local/apisix/apisix/plugin.lua:1148: in function 'run_plugin'
/usr/local/apisix/apisix/init.lua:725: in function 'http_access_phase'

The 503 is expected:

[screenshot]

But the 500?

Expected Behavior

Not 500.

Environment

  • APISIX version (run apisix version): 3.7.0
@shreemaan-abhishek
Contributor

@luoluoyuyu would you like to take a look when you are free?

@shreemaan-abhishek shreemaan-abhishek moved this to 📋 Backlog in Apache APISIX backlog Dec 26, 2023
@shreemaan-abhishek shreemaan-abhishek added the bug Something isn't working label Dec 26, 2023
@lakshya8066
Contributor

@shreemaan-abhishek I can look into this

@luoluoyuyu
Contributor

Hi @lakshya8066
Have you tried to reproduce the error?

@lakshya8066
Contributor

Yes, I am trying to reproduce the issue. I am getting a 403 error while sending the request. I think it is because of some issue with the JWT token I fetched.
@kayx23 Is the ACCESS_TOKEN fetched from http://192.168.1.83/realms/quickstart-realm/protocol/openid-connect/token?

@kayx23
Member Author

kayx23 commented Dec 29, 2023

@lakshya8066 Hi, yes.

@kayx23
Member Author

kayx23 commented Dec 29, 2023

But not sure if 403 is due to invalid JWT. I thought it'd be 401 unauthorized? Could the 403 come from APISIX?

[screenshot]

@lakshya8066
Contributor

@kayx23 Yes the error might be coming from APISIX.

This is the route config I used for APISIX, and I have a Keycloak instance running on port 8080:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -X PUT -d '
{
    "uri": "/*",
    "plugins": {
        "authz-keycloak": {
            "token_endpoint": "http://localhost:8080/realms/lak-realm/protocol/openid-connect/token",
            "client_id": "lak-client"
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "httpbin.org": 1
        }
    }
}'

I used this command to get the access token:

curl --location 'http://localhost:8080/realms/lak-realm/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=lak-client' \
  --data-urlencode 'client_secret=Tqq0WmryhDxUMDSGo7KFx3bSt8c13jQ5' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=lak' \
  --data-urlencode 'password=pass123'

But while making a curl request like:

curl --location 'http://127.0.0.1:9080/ip' --header 'Authorization: Bearer <ACCESS_TOKEN>'

I get this error:

{"error":"access_denied","error_description":"not_authorized"}

This looks like it is coming from this section:
[screenshot]
But I have not set policy_enforcement_mode="ENFORCING" in the config so it should not matter if I give permissions parameter as an input or not.

@luoluoyuyu
Contributor

@lakshya8066
The default value is ENFORCING.
[screenshot]

@kayx23
Member Author

kayx23 commented Dec 29, 2023

My guess: lazy_load_paths is false by default and requires permission to be set. Mentioned here: https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/#permissions

Why not just configure the options I configured in the PR description?

@lakshya8066
Contributor

lakshya8066 commented Dec 29, 2023

You are right @luoluoyuyu @kayx23
I got it to work and got past APISIX, but now the Keycloak instance running in Docker is unable to reach the discovery URL and it is giving a 503 error. I'll debug that and get back.
Error: Accessing discovery URL (http://127.0.0.1:8080/realms/lak-realm/.well-known/openid-configuration) failed: connection refused

@kayx23
Member Author

kayx23 commented Dec 29, 2023

If you by chance started APISIX using the quickstart script from getting started, the IP address needs to be your 192.x.x.x inet address and not loopback.

@lakshya8066
Contributor

If you by chance started APISIX using the quickstart script from getting started, the IP address needs to be your 192.x.x.x inet address and not loopback.

@kayx23 Yes, you were correct. It worked after running apisix after building from source.

@lakshya8066
Contributor

lakshya8066 commented Jan 2, 2024

I found the issue here. In the authz_keycloak_resolve_resource function, we return a 503 error code when a resource_registration_endpoint is not found. But this error code is not being caught anywhere in the evaluate_permissions function. Instead, in evaluate_permissions we check whether permission is nil, and only if it is do we pass a 503 error code.

[screenshot]

So I think returning nil here instead of 503 is the solution. I have tested it as well.

[screenshot]

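The failure mode described in the comment above, as an added Lua example that is not APISIX's own code: a resolver that returns a bare numeric status code where its caller expects a table, so the caller's `#permission` aborts the request with a 500 instead of the intended 503. The function and field names (resolve_resource_old, resolve_resource_new, evaluate_permissions, conf.resource_registration_endpoint) are hypothetical stand-ins for the plugin's real ones; the second resolver returns nil plus an error string, and the caller also guards the type so that a non-table return can never reach the length operator.

```lua
-- Added example, not code from the APISIX authz-keycloak plugin.
-- Names (resolve_resource_old, resolve_resource_new, evaluate_permissions,
-- conf.resource_registration_endpoint) are hypothetical.

-- Old shape: signals "no registration endpoint" by returning a number.
local function resolve_resource_old(conf)
    if not conf.resource_registration_endpoint then
        return 503   -- a number, but callers treat the return as a table
    end
    return { "resource-a#scope-x" }
end

-- Fixed shape: nil plus an error message, the conventional Lua error return.
local function resolve_resource_new(conf)
    if not conf.resource_registration_endpoint then
        return nil, "Unable to determine registration endpoint."
    end
    return { "resource-a#scope-x" }
end

-- Caller that handles both the nil return and an unexpected return type.
-- Returns an HTTP status code and an optional error message.
local function evaluate_permissions(conf, resolve)
    local permission, err = resolve(conf)
    if permission == nil then
        return 503, err            -- explicit, expected failure path
    end
    if type(permission) ~= "table" then
        -- defensive guard: never apply # to a non-table value
        return 500, "unexpected permission type: " .. type(permission)
    end
    if #permission == 0 then
        return 403, "no matching permission"
    end
    return 200, nil
end

-- Constructed configuration: lazy_load_paths enabled, no registration endpoint.
local conf = { lazy_load_paths = true }

-- With the old resolver, a naive caller crashes on the length operator,
-- which is what produces the 500 in the thread's log.
local ok, crash = pcall(function()
    local permission = resolve_resource_old(conf)
    return #permission
end)
print("old resolver, naive caller:", ok, crash)
-- prints: false ... attempt to get length of local 'permission' (a number value)

-- With the fixed resolver, the same situation is reported as a clean 503.
print("new resolver:", evaluate_permissions(conf, resolve_resource_new))
-- prints: 503  Unable to determine registration endpoint.
```

The guard in evaluate_permissions is the part worth keeping even after the resolver is fixed: a status code returned in a table's position is a type confusion, and checking `type(permission)` before `#permission` turns a worker-thread abort into a logged, deterministic response.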
@moonming moonming moved this from 📋 Backlog to 🏗 In progress in Apache APISIX backlog Jan 2, 2024
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Apache APISIX backlog Jan 9, 2024