apache · spacewander · Jan 5, 2021 · Nov 30, 2020 · Nov 30, 2020 · Nov 30, 2020
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
@@ -14,6 +14,7 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
+local string = string
 local core = require("apisix.core")
 local ngx_re = require("ngx.re")
 local openidc = require("resty.openidc")
@@ -40,7 +41,31 @@ local schema = {
         logout_path = {type = "string"}, -- default is /logout
         redirect_uri = {type = "string"}, -- default is ngx.var.request_uri
         public_key = {type = "string"},
-        token_signing_alg_values_expected = {type = "string"}
+        token_signing_alg_values_expected = {type = "string"},
+        set_access_token_header = {
+            description = "Whether the access token should be added as a header to the request " ..
+                "for downstream",
+            type = "boolean",
+            default = true
+        },
+        set_userinfo_token_header = {
+            description = "Whether the user info token should be added in the X-Userinfo " ..
+                "header to the request for downstream.",
+            type = "boolean",
+            default = true
+        },
+        set_id_token_header = {
+            description = "Whether the ID token should be added in the X-ID-Token header to " ..
+                "the request for downstream.",
+            type = "boolean",
+            default = true
+        },
+        access_token_in_authorization_header = {
+            description = "Whether the access token should be added in the Authorization " ..
+                "header as opposed to the X-Access-Token header.",
+            type = "boolean",
+            default = false
+        }
     },
     required = {"client_id", "client_secret", "discovery"}
 }
@@ -93,59 +118,124 @@ function _M.check_schema(conf)
 end
 
 
-local function has_bearer_access_token(ctx)
+local function check_bearer_access_token(ctx)
+    -- Get Authorization header, maybe.
     local auth_header = core.request.header(ctx, "Authorization")
     if not auth_header then
-        return false
+        -- No Authorization header, get X-Access-Token header, maybe.
+        local access_token_header = core.request.header(ctx, "X-Access-Token")
+        if not access_token_header then
+            -- No X-Access-Token header neither.
+            return false, nil, nil
+        end
+
+        -- Return extracted header value.
+        return true, access_token_header, nil
     end
 
+    -- Check format of Authorization header.
     local res, err = ngx_re.split(auth_header, " ", nil, nil, 2)
     if not res then
-        return false, err
+        return false, nil, err
     end
 
-    if res[1] == "bearer" then
-        return true
+    if string.lower(res[1]) == "bearer" then
+        -- Return extracted token.
+        return true, res[2], nil
     end
 
     return false
 end
 
 
+local function set_header(ctx, name, value)
+    -- Set a request header to the given value and update the cached headers in the context as well.
+
+    -- Set header in request.
+    ngx.req.set_header(name, value)
+
+    -- Set header in cache, maybe.
+    if ctx and ctx.headers then
+        ctx.headers[name] = value
+    end
+end
+
+
+local function add_user_header(ctx, user)
+    local userinfo = core.json.encode(user)
+    set_header(ctx, "X-Userinfo", ngx_encode_base64(userinfo))
+end
+
+
+local function add_access_token_header(ctx, conf, token)
+    -- Add Authorization or X-Access-Token header, respectively, if not already set.
+    if conf.set_access_token_header then
+        if conf.access_token_in_authorization_header then
+            if not core.request.header(ctx, "Authorization") then
+                -- Add Authorization header.
+                set_header(ctx, "Authorization", "Bearer " .. token)
+            end
+        else
+            if not core.request.header(ctx, "X-Access-Token") then
+                -- Add X-Access-Token header.
+                set_header(ctx, "X-Access-Token", token)
+            end
+        end
+    end
+end
+
+
 local function introspect(ctx, conf)
-    if has_bearer_access_token(ctx) or conf.bearer_only then
+    -- Extract token, maybe. Ignore errors.
+    local has_token, token, _ = check_bearer_access_token(ctx)
+
+    -- Check if token was extracted or if we always require a token in the request.
+    if has_token or conf.bearer_only then
         local res, err
 
         if conf.public_key then
+            -- Validate token against public key.
             res, err = openidc.bearer_jwt_verify(conf)
             if res then
+                -- Token is valid.
+
+                -- Add configured access token header, maybe.
+                add_access_token_header(ctx, conf, token)
                 return res
             end
         else
+            -- Validate token against introspection endpoint.
             res, err = openidc.introspect(conf)
             if err then
                 return ngx.HTTP_UNAUTHORIZED, err
             else
+                -- Token is valid and res contains the response from the introspection endpoint.
+
+                if conf.set_userinfo_token_header then
+                    -- Set X-Userinfo header to introspection endpoint response.
+                    add_user_header(ctx, res)
+                end
+
+                -- Add configured access token header, maybe.
+                add_access_token_header(ctx, conf, token)
                 return res
             end
         end
         if conf.bearer_only then
+            -- If we get here, the token could not be validated, but we always require a valid
+            -- token in the request.
             ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. conf.realm
                                              .. '",error="' .. err .. '"'
             return ngx.HTTP_UNAUTHORIZED, err
         end
     end
 
+    -- Return nil to indicate that a token could not be extracted or validated, but that we don't
+    -- want to fail quickly.
     return nil
 end
 
 
-local function add_user_header(user)
-    local userinfo = core.json.encode(user)
-    ngx.req.set_header("X-Userinfo", ngx_encode_base64(userinfo))
-end
-
-
 function _M.rewrite(plugin_conf, ctx)
     local conf = core.table.clone(plugin_conf)
     if not conf.redirect_uri then
@@ -163,28 +253,32 @@ function _M.rewrite(plugin_conf, ctx)
             core.log.error("failed to introspect in openidc: ", err)
             return response
         end
-        if response then
-            add_user_header(response)
-        end
     end
 
     if not response then
+        -- A valid token was not in the request. Try to obtain one by authenticatin against the
+        -- configured identity provider.
         local response, err = openidc.authenticate(conf)
         if err then
             core.log.error("failed to authenticate in openidc: ", err)
             return 500
         end
 
         if response then
-            if response.user then
-                add_user_header(response.user)
+            -- Add X-Userinfo header, maybe.
+            if response.user and conf.set_userinfo_token_header then
+                add_user_header(ctx, response.user)
             end
+
+            -- Add configured access token header, maybe.
             if response.access_token then
-                ngx.req.set_header("X-Access-Token", response.access_token)
+                add_access_token_header(ctx, conf, response.access_token)
             end
-            if response.id_token then
+
+            -- Add X-ID-Token header, maybe.
+            if response.id_token and conf.set_id_token_header then
                 local token = core.json.encode(response.id_token)
-                ngx.req.set_header("X-ID-Token", ngx.encode_base64(token))
+                set_header(ctx, "X-ID-Token", ngx.encode_base64(token))
             end
         end
     end

diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
@@ -91,7 +91,7 @@ done
 
 
 
-=== TEST 4: add plugin
+=== TEST 4: add plugin to route
 --- config
     location /t {
         content_by_lua_block {
@@ -112,7 +112,7 @@ done
                         },
                         "upstream": {
                             "nodes": {
-                                "127.0.0.1:1980": 1
+                                "127.0.0.1:8888": 1
                             },
                             "type": "roundrobin"
                         },
@@ -134,7 +134,7 @@ done
                             },
                             "upstream": {
                                 "nodes": {
-                                    "127.0.0.1:1980": 1
+                                    "127.0.0.1:88": 1
                                 },
                                 "type": "roundrobin"
                             },
@@ -161,7 +161,7 @@ passed
 
 
 
-=== TEST 5: access
+=== TEST 5: access route w/o bearer token
 --- config
     location /t {
         content_by_lua_block {
@@ -213,7 +213,7 @@ true
                         },
                         "upstream": {
                             "nodes": {
-                                "127.0.0.1:1980": 1
+                                "127.0.0.1:8888": 1
                             },
                             "type": "roundrobin"
                         },
@@ -236,7 +236,7 @@ true
                             },
                             "upstream": {
                                 "nodes": {
-                                    "127.0.0.1:1980": 1
+                                    "127.0.0.1:8888": 1
                                 },
                                 "type": "roundrobin"
                             },
@@ -263,7 +263,7 @@ passed
 
 
 
-=== TEST 7: access
+=== TEST 7: access route w/o bearer token
 --- timeout: 10s
 --- request
 GET /hello
@@ -302,7 +302,7 @@ WWW-Authenticate: Bearer realm=apisix
                         },
                         "upstream": {
                             "nodes": {
-                                "127.0.0.1:1980": 1
+                                "127.0.0.1:8888": 1
                             },
                             "type": "roundrobin"
                         },
@@ -329,7 +329,7 @@ WWW-Authenticate: Bearer realm=apisix
                             },
                             "upstream": {
                                 "nodes": {
-                                    "127.0.0.1:1980": 1
+                                    "127.0.0.1:8888": 1
                                 },
                                 "type": "roundrobin"
                             },
@@ -443,7 +443,7 @@ jwt signature verification failed
                         },
                         "upstream": {
                             "nodes": {
-                                "127.0.0.1:1980": 1
+                                "127.0.0.1:8888": 1
                             },
                             "type": "roundrobin"
                         },
@@ -468,7 +468,7 @@ jwt signature verification failed
                             },
                             "upstream": {
                                 "nodes": {
-                                    "127.0.0.1:1980": 1
+                                    "127.0.0.1:8888": 1
                                 },
                                 "type": "roundrobin"
                             },