fix: authz-keycloak plugin should not be marked as auth-type and should run in access phase, basic-auth plugin should run in rewrite phase.

[jenskeiner]

What this PR does / why we need it:

See #2857.

Pre-submission checklist:

• Did you explain what problem does this PR solve? Or what new features have been added?
• Have you added corresponding test cases?
• Have you modified the corresponding document?
• Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

[membphis]

Authentication type plug-ins should run in the rewrite phase

[jenskeiner]

Authentication type plug-ins should run in the rewrite phase

How do you suggest this get's fixed then when openid-connect and other authentication plugins currently run in the access phase?

The plugin development guidelines are currently not in line with the actual code base.

Also, what's the rationale for running authentication/authorization in the rewrite phase when the access phase is the one that specifically caters for that purpose? It's not obvious why you would run in a different phase.

[membphis]

reply you later

need more time to read your issue and pr first

[spacewander]

@membphis @jenskeiner
authz-keycloak is for authorization but not authentication. It doesn't interact with consumers, so I think this change is fine.

[spacewander]

We don't need to change it as authz-keycloak is for authorization.

[jenskeiner]

Ok, I can revert this one. However, note that some authentication plugins currently run in the access phase, not the rewrite one. So the document doesn’t reflect the current state correctly, I believe.

[spacewander]

@jenskeiner
We can fix it later, but in those plugins, not the documentation.

[spacewander]

@jenskeiner
Thank you for the problem you point out. I just search for all plugins which has type = 'auth' (excluding the authz-keycloak) and find out basic-auth doesn't run the phase correctly.

[spacewander]

The reason why we need to run authentication plugins in the rewrite phases:

apisix/apisix/init.lua

Lines 508 to 520 in f4161d3

	run_plugin("rewrite", plugins, api_ctx)
	if api_ctx.consumer then
	local changed
	route, changed = plugin.merge_consumer_route(
	route,
	api_ctx.consumer,
	api_ctx
	)
	if changed then
	core.table.clear(api_ctx.plugins)
	api_ctx.plugins = plugin.filter(route, api_ctx.plugins)
	end
	end

And:

apisix/apisix/admin/consumers.lua

Line 50 in f4161d3

if plugin_obj.type == 'auth' then

Plugins has type = 'auth' should run in rewrite phase and set up the consumer for current api_ctx.

[jenskeiner]

Ok, understood why you need to run in the rewrite phase. Then I would propose to change the phase for all authentication-type plugins to rewrite, instead of adjusting the phase for authz-keycloak from rewrite to access. Also, I think it would make the plugin development guidelines clearer if the reason they need to run in the rewrite phase was pointed out more clearly.

If you're fine with this, I can update this PR accordingly. Just let me know what you think.

[jenskeiner]

We don't need to change it as authz-keycloak is for authorization.

Reverted.

[membphis]

@membphis @jenskeiner
authz-keycloak is for authorization but not authentication. It doesn't interact with consumers, so I think this change is fine.

many thx for your explain. @spacewander
we can continue this PR

[spacewander]

Need a test case to check if the ctx.consumer set by this plugin can be used by other plugin runs in access phase.

[jenskeiner]

Happy to add a test case. I don't have much experience writing them yet, so if you could point to a similar example, that would be helpful.

[spacewander]

You can add a stub:

diff --git apisix/init.lua apisix/init.lua
index 7333dd1..411cdd4 100644
--- apisix/init.lua
+++ apisix/init.lua
@@ -514,6 +514,10 @@ function _M.http_access_phase()
                 api_ctx.consumer,
                 api_ctx
             )
+
+            core.log.info("find consumer ", api_ctx.consumer.username,
+                          ", config changed: ", changed)
+
             if changed then
                 core.table.clear(api_ctx.plugins)
                 api_ctx.plugins = plugin.filter(route, api_ctx.plugins)

And then check it in:

apisix/t/plugin/basic-auth.t

Line 192 in e66dd9a

=== TEST 8: verify

Add something like:

--- error_log
find consumer foo

[jenskeiner]

Ok, I think I've seen an example in the test cases for key-auth. I'll try to add test cases acceding for basic-auth.

[spacewander]

Remember to revert this change.

[jenskeiner]

Done.

[membphis]

why do we need to change another plugin?

one PR for one thing, we should only update something about plugin authz-keycloak

please revert this code

[membphis]

ditto

you can create a new PR to fix this

[jenskeiner]

I'm sorry but I currently can't afford the time to split this into separate PRs. I think the change set is reasonably small to be considered in one PR. If you prefer more fine-grained PRs, then please consider creating these yourself, e.g. based on the changes in this branch.

[membphis]

I found you have submitted new PR: https://github.com/apache/apisix/pull/2905/files

Many thanks for your nice job.

Small PR is important, it easy to find problems and we can merge it asap when it is small.

By the way, it is a clearer way to show what we are doing.

Many thx for nice contribution again @jenskeiner

[jenskeiner]

Sure, you're very welcome. Thanks for the info. I'll try to put the remaining outstanding changes from this one into a separate new PR and then we take it from there.

[jenskeiner]

Have created #2910 which should contain the outstanding changes from this PR.

[jenskeiner]

Closing this one as it has since been superseded by other PRs addressing the same issues.