OpenID Connect policies #604
Conversation
|
@nmasse-itix : I think that the latest PRs that we merged can help you implement the same functionality, at least partially, without implementing new policies. In #716 we added support for liquid templates in the headers policy, and in #718 , we exposed the decoded jwt in the policies context. This means that in the headers policy config you can have values like |
|
Excellent ! 👍 |
|
@nmasse-itix we can close this as it can be implemented as #716 ? |
|
Hi @mikz ! That's good news ! There was two features in this PR:
I understood that 2. is implemented, that good. 👍 How would you like to implement the remaining part (1.) : "let the request if only if the OIDC token has a proper scope (or realm_access if using RH-SSO)" ? Do you want me to open a new pull request only for this point ? |
|
@nmasse-itix I think the first part is in some other PR. |
|
Yes, indeed. You are right (and I'm tired 😁). We can safely close this PR. 👍 |
Hi team,
Here are two policies for the new APIcast policy system that helps to handle some of the OpenID Connect use cases.
Needs
Some customer would like to use the information provided in the OpenID Connect token to base their decisions or to enrich the HTTP request.
Some use cases could be :
Implementation
There are two policies, one for decoding the OIDC token, one for exploding its values as HTTP headers.
The one that decodes the OIDC token and store the payload as a context value is the most questionable since it would have been better done directly by APIcast during the token validation.
I also added a sample apicast configuration files with the required OIDC configuration fields since it took me quite some time to figure out the proper format.
Remaining work
I ran out of time to make everything nice and clean so there are some missing parts that needs to be completed:
Of course this pull request is not intended to be merged as-is in the product. It would be more a discussion on the subject.
Many thanks for your help !
Nicolas