feat: Make headers to add to request in openid-connect plugin configurable. #2903
Conversation
jenskeiner
changed the title
| @@ -152,26 +225,28 @@ function _M.access(plugin_conf, ctx) | |||
| core.log.error("failed to introspect in openidc: ", err) | |||
| return response | |||
| end | |||
| if response then | |||
There was a problem hiding this comment.
The reason is that adding the user info header is now handled in the introspect method. The header will still be added, if so configured, and introspection is done via the actual endpoint as opposed to just checking against the public key. Let me know if you see any problem with this approach.
apisix/plugins/openid-connect.lua
Outdated
| @@ -40,7 +41,11 @@ local schema = { | |||
| logout_path = {type = "string"}, -- default is /logout | |||
| redirect_uri = {type = "string"}, -- default is ngx.var.request_uri | |||
| public_key = {type = "string"}, | |||
| token_signing_alg_values_expected = {type = "string"} | |||
| token_signing_alg_values_expected = {type = "string"}, | |||
| set_access_token_header = {type = "boolean"}, -- default is true | |||
There was a problem hiding this comment.
Let's use the new way to set the default value:
apisix/apisix/plugins/cors.lua
Line 37 in 9dfe697
There was a problem hiding this comment.
Sure, hadn't seen it before. Will change.
There was a problem hiding this comment.
I've changed the scheme for the options that I've added. But have left the existing options untouched to not make this PR any larger.
|
Please write new tests to cover your change, and make sure they are passed. |
I'm on it. I had a look at the existing structure and I'm relatively confident I can add more test cases to verify the setting of the respective headers. However, one thing is still unclear to me: There are cases already where token introspection is performed against a configured identity provider endpoint. The cases were added by @sshniro here: 14f979e Can anyone point me to the place where this introspection endpoint is set up for the tests? I can't find the corresponding code inside the project. I may need to add more dummy endpoints to verify the authorization flow in case a bearer token is not present in the incoming request and I want to make that consistent with the existing dummy introspection endpoint. |
apisix/plugins/openid-connect.lua
Outdated
| -- Token is valid. | ||
|
|
||
| -- Add configured access token header, maybe. | ||
| add_access_token_header(ctx, conf, token) |
There was a problem hiding this comment.
Token is invalid if has_token is false but conf.bearer_only is true
apisix/plugins/openid-connect.lua
Outdated
| end | ||
|
|
||
| -- Add configured access token header, maybe. | ||
| add_access_token_header(ctx, conf, token) |
|
Hi @jenskeiner for your question on the introspection endpoint test case, I have used the Keycloak to test this scenario. The code link to setup Keycloak: apisix/.travis/linux_openresty_runner.sh Line 27 in f84a44e Test cases written for the introspection with Keyclaok: apisix/t/plugin/openid-connect.t Line 424 in f84a44e @membphis the docker image is using my personal docker repo, if needed I can migrate it to an official APISIX docker repository. |
we can add |
…ttp-https-echo container which returns all headers in request.
t/plugin/openid-connect.t
Outdated
| @@ -112,7 +112,7 @@ done | |||
| }, | |||
| "upstream": { | |||
| "nodes": { | |||
| "127.0.0.1:1980": 1 | |||
| "127.0.0.1:8888": 1 | |||
There was a problem hiding this comment.
8888, Is it a valid "openid" port?
There was a problem hiding this comment.
Hey, I'm trying to add tests to check if the plugin sets the headers correctly as configured. I don't have a local development setup yet, so have to run the checks on this PR on GitHub to see if it's working.
I switched the upstream port to 8888 since that's where a mendhak/http-https-echo container is running. This one returns in the response body the full content of the incoming request as a JSON string. So I think I can check if the plugin has set the headers correctly by checking the response body. If the tests still work with the new port, I will try to add a case to do some actual verification of the headers.
There was a problem hiding this comment.
@jenskeiner
You can setup the test environment via https://github.com/apache/apisix/blob/master/.travis/linux_openresty_runner.sh
There was a problem hiding this comment.
Yes, thanks for the link. It's more that I have to set up a fresh Linux VM or similar since I want that separate from the rest.
There was a problem hiding this comment.
And you can write your echo-back here: https://github.com/apache/apisix/blob/master/t/lib/server.lua
There was a problem hiding this comment.
Understood, seems to be the better option. Will adjust the code.
…der gets also sent to downstream in X-Access-Token header (default), or not, if so configured.
|
@spacewander @membphis @moonming Sorry for the noise, but took a while to set up test cases that go through the full OIDC Relying Party flow which can be used when the incoming request doesn't contain a bearer token yet. Please give this another good review and let me know any issues. Thanks. I know, I still need to update the documentation, but will wait on feedback regarding code changes first. |
|
The code changes in this PR are basically just to solve some issues I was seeing when combining this plugin with the Generally, I think the interplay between this plugin and I'm just wondering what anyone's thoughts on this are. The current solution with the headers works for me and I'll look at @sshniro Maybe you have thoughts on this as well... |
|
Fantasy! Before we can merge it, @jenskeiner please write some English docs. |
Yep, will do, may take until next Monday though. In the meantime, let me know any worries. |
Bitte geben Sie eine Commit-Beschreibung für Ihre Änderungen ein. Zeilen,
|
@spacewander Updated the documentation now as well. Can you give it another good review to ensure it's consistent and clear enough? |
|
@jenskeiner |
What this PR does / why we need it:
See #2880. The current implementation may lead to very large headers, thus bloating the request size to downstream substantially. This can be an issue by itself but is also not desired if the different tokens (access, ID, user info) largely contain the same information. Also, instead of using the
X-Access-Tokenheader it may be more appropriate to use theAuthorizationheader for the access token, so that downstream plugins or services can extract it correctly; see e.g.authz-keycloakplugin. Finally, the plugin was so far only expecting an incoming access token in theAuthorizationheader, but not theX-Access-Tokenheader, which seemed somewhat inconsistent.I've added options that can be configured for the
openid-connectplugin that allow to control which headers get added and which header specifically shall be used for the access token. The defaults reproduce the current behavior. The plugin will also look in theX-Access-Tokenheader, in addition to theAuthorizationheader, for an access token in an incoming request.Pre-submission checklist:
Haven't added any new cases for now. The headers set by the plugin were not tested, as far as I can tell. It may be a good idea to think about some new tests around here. That would likely require a bit of legwork to set up a dummy OIDC Identity Provider with all needed endpoints to go through all possible code paths though.
I understand that the plugin documentation should be updated, but I want to get some feedback on the code changes first. Happy to adjust the documentation if the code changes get signed off.