seanleblanc edited a comment on issue #6260:
URL: https://github.com/apache/apisix/issues/6260#issuecomment-1033063150


   > > it fails with a 401 for caller, and the apisix pod log shows openid-connect.lua:268: phase_func(): OIDC introspection failed: response indicates failure, status=401
   > 
   > It seems APISIX requested to the `introspection_endpoint` but got 401 from the `introspection_endpoint`.
   > 
   > Can you check the log of the introspection_endpoint?
   
   Thanks. I had not even defined one. After I added one, it is giving me a 405 now - no resource method found for POST. We are using Keycloak; I've tried setting https://{keycloakhost}/auth/realms/{realm}/.well-known/openid-configuration as well as the /certs path (https://{keycloakhost}/auth/realms/{realm}/protocol/openid-connect/certs), and neither works.
   
   Is there an example config with Keycloak that would work for this? Is it trying to authenticate to Keycloak at some point? As mentioned above, I am trying to get equivalent functionality to what Istio's RequestAuthentication and AuthorizationPolicy objects do - they use similar endpoints to retrieve cert(s) to validate JWT (and I have this working with Istio, so I know the Keycloak/JWTs it emits should work). Am I using the right plugin for this?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
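
An added example, not part of the original comment and not APISIX code: a pre-deployment check that a configured `introspection_endpoint` is the RFC 7662 endpoint advertised in the provider's discovery document, rather than the discovery URL or the JWKS (`/certs`) URL, which are documents fetched with GET. The discovery document, host and realm below are constructed placeholders, and the function names are hypothetical.

```python
# Constructed discovery document (placeholder host and realm, not from the thread),
# trimmed to the fields this check reads.
BASE = "https://keycloak.example/auth/realms/demo"
SAMPLE_DISCOVERY = {
    "issuer": BASE,
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "introspection_endpoint": BASE + "/protocol/openid-connect/token/introspect",
}
WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def _norm(url):
    """Trim whitespace and trailing slashes so equivalent URLs compare equal."""
    return (url or "").strip().rstrip("/")


def classify_endpoint(configured, discovery):
    """Say which role a configured URL plays according to the discovery document."""
    url = _norm(configured)
    if not url:
        return "missing"
    roles = {
        "introspection": _norm(discovery.get("introspection_endpoint")),
        "jwks": _norm(discovery.get("jwks_uri")),
        "discovery": _norm(discovery.get("issuer")) + WELL_KNOWN_SUFFIX,
    }
    for role, known in roles.items():
        if known and url == known:
            return role
    return "unknown"


def check_introspection_setting(configured, discovery):
    """Return (ok, reason) for a value intended as introspection_endpoint."""
    role = classify_endpoint(configured, discovery)
    if role == "introspection":
        return True, "matches the advertised introspection_endpoint"
    if role in ("jwks", "discovery"):
        # Introspection (RFC 7662) is a POST carrying the token and client
        # authentication; these URLs only serve a JSON document over GET.
        return False, role + " URL is a GET-only document, not an introspection endpoint"
    if role == "missing":
        return False, "no introspection_endpoint configured"
    advertised = _norm(discovery.get("introspection_endpoint")) or "none advertised"
    return False, "URL not in the discovery document; advertised value: " + advertised


if __name__ == "__main__":
    for candidate in (BASE + WELL_KNOWN_SUFFIX, SAMPLE_DISCOVERY["jwks_uri"],
                      SAMPLE_DISCOVERY["introspection_endpoint"], ""):
        print(repr(candidate), "->", check_introspection_setting(candidate, SAMPLE_DISCOVERY))
```
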
