s4ntos opened a new issue, #12648:
URL: https://github.com/apache/apisix/issues/12648

   ### Current Behavior
   
   Version: 3.13.0 
   
   While trying to integrate with the openid-connect with Microsoft EntraID the 
authorization doesn't seem to be working as expected.
   
   We added the configuration for the upstream configuration and it's deployed 
correctly.
   
   ```
   {
     "id": "qual.bogus.com",
     "uri": "/*",
     "hosts": ["qual.bogus.com"],
     "plugins": {
       "openid-connect": {
         "client_id": "xxxx-xxxx-xxxxxxxx",
         "client_secret": "xxxxxxxxxx",
         "discovery": "https://login.microsoftonline.com/xxxxxxxxxxxxx/v2.0/.well-known/openid-configuration",
         "redirect_uri": "https://qual.bogus.com",
         "ssl_verify": true,
         "bearer_only": false,
         "scope": "xxxx-xxxx-xxxxxxxx/.default"
       }
     },
     "upstream": {
       "scheme": "https",
       "type": "roundrobin",
       "nodes": {
         "backend-qual.private.com:443": 1
       }
     }
   }
   ```
   When we go to qual.bogus.com we are correctly redirected to the 
login.microsoftonline.com page and then redirected back with the code after 
authentication.
   
   ```
   10.71.252.24 - - [02/Oct/2025:13:58:09 +0000] qual.bogus.com "GET /?code=verylarge..........code........thatisrturned&state=c128a1b6e12632e1ea76cde5340984c8&session_state=87d0158a-efd4-4534-81f8-0641a0d828a6 HTTP/1.1" 302 217 0.000 "https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0" - - - "http://qual.bogus.com"
   ```
   
   But the result of this request is a new redirect to the login page and we 
are kept like this in a loop.
   
   To test everything we have actually used this code 
'verylarge.........code.......thatisreturned' to manually get the token using 
the Microsoft 
[API](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret)
 and we are able to get an ACCESS_TOKEN that is usable in further 
requests to qual.bogus.com using APISIX without any issues, but the final set of 
the "Authorization: Bearer $ACCESS_TOKEN" on the redirect after the 
authentication on the Microsoft Entra ID doesn't seem to be happening.
   
   
   ### Expected Behavior
   
   _No response_
   
   ### Error Logs
   
   _No response_
   
   ### Steps to Reproduce
   
   1. This will require a functioning EntraID service in Azure 
   2. Create a new Application registration 
   3. Create a new route using the plugin: openid-connect and a generic upstream
   
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.13.0
   - Operating system (run `uname -a`): Linux 
ip-10-71-252-109.eu-central-1.compute.internal 6.12.40-63.114.amzn2023.aarch64 
#1 SMP Thu Aug  7 19:29:27 UTC 2025 aarch64 aarch64 aarch64 GNU/Linux
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): nginx 
version: openresty/1.27.1.2
   - etcd version, if relevant (run `curl 
http://127.0.0.1:9090/v1/server_info`): v3.6.0 (but also tested in a dedicated 
deployment)
   

