help request: Parse $request_body and add authorization header when using websockets #8466

Closed
hndoss opened this issue Dec 6, 2022 · 7 comments

Comments

@hndoss

hndoss commented Dec 6, 2022

Description

We are adding a Keycloak integration with APISIX. For this we are using authz-keycloak. Our platform makes use of websockets, and therefore it is impossible for us to add the Authorization header, causing the request to fail.

Before implementing APISIX, we had been passing this header in the websocket payload, and now we want to use proxy-rewrite to somehow extract the Authorization header that is being sent in the message and add it to the headers.

And now we have two problems:

  • Add the header if and only if it is not included in the request, we do not want to overwrite the content if it is present
  • How to extract the authorization header from the payload? There is more data in the message that is not headers.
    e.g.
{"type":"connection_init","payload":{"headers":{"authorization":"Bearer ey..."}}}

Environment

  • APISIX version (run apisix version):
2.15.0
  • Operating system (run uname -a):
# using helm chart
Linux apisix-575b5cdf74-7z9rs 5.10.133+ #1 SMP Fri Jul 29 08:49:27 UTC 2022 x86_64 Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V):
nginx version: openresty/1.21.4.1

  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@tzssangglass
Member

  • Add the header if and only if it is not included in the request, we do not want to overwrite the content if it is present

This has been supported by #8336 and will be released in the next version.

@tzssangglass
Member

  • How to extract the authorization header from the payload? There is more data in the message that is not headers.
    e.g.

I do not quite understand; could you describe it in more detail?

@hndoss
Author

hndoss commented Dec 7, 2022

  • How to extract the authorization header from the payload? There is more data in the message that is not headers.
    e.g.

I do not quite understand; could you describe it in more detail?

authz-keycloak uses the authorization header in the requests, allowing APISIX to validate the permissions with Keycloak and thus decide whether to let the request through or return an error saying that it does not have the necessary permissions. This works great, except for websockets, because websockets don't have this authorization header that the plugin uses.

So, we are adding the authorization header as part of the request body, and not in the headers. We therefore need to somehow rewrite the request, taking the token from the request body and putting it in the header before the authz-keycloak plugin does its job.

The problem is that, in addition to the header, we are adding more information to the request body, so we need to parse the content of the request body and extract only the JWT. This is what we have thought of doing; however, it is a good opportunity to see if there is any other approach.

How can websockets be authorized with Keycloak and APISIX if websockets don't use the authorization header?

@tokers
Contributor

tokers commented Dec 8, 2022

Do you mean extracting credentials from websocket frames, or just the request body in the 101 handshake request?

@hndoss
Author

hndoss commented Dec 9, 2022

Do you mean extracting credentials from websocket frames, or just the request body in the 101 handshake request?

From the request body.

@tokers
Contributor

tokers commented Dec 11, 2022

We have some options to achieve this.

  1. Write a piece of Lua code to implement this feature.
  2. Support a special APISIX variable to fetch a field from the request body, e.g., $req_body_json_xxxx.
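As an added example (not code from this thread or from the APISIX project), option 1 written as the body of a serverless-pre-function: it reads the handshake request body, walks the JSON shape shown in the issue to payload.headers.authorization, and sets Authorization only when the client did not send one. It assumes the APISIX 2.15 core.request API (header, get_body and set_header taking ctx) and that the plugin is configured to run in the access phase ahead of authz-keycloak.

```lua
-- Added example, not from the thread or the APISIX project: a
-- serverless-pre-function body (option 1 above). Assumptions: APISIX 2.15
-- core.request API (header/get_body/set_header taking ctx), and that this
-- plugin runs in the access phase before authz-keycloak, as its higher
-- priority implies.
return function(conf, ctx)
    local core = require("apisix.core")

    -- Requirement 1: only add Authorization when the client did not send it;
    -- never overwrite a header that is already present.
    if core.request.header(ctx, "authorization") then
        return
    end

    -- Requirement 2: pull the token out of a JSON body that carries other
    -- fields too. 64 KiB is a constructed size limit; tune it per route.
    local body, err = core.request.get_body(65536, ctx)
    if not body then
        if err then
            core.log.warn("cannot read request body: ", err)
        end
        return
    end

    local data, derr = core.json.decode(body)
    if type(data) ~= "table" then
        core.log.warn("request body is not a JSON object: ", derr or "")
        return
    end

    -- Walk {"type":"connection_init","payload":{"headers":{"authorization":..}}}
    -- defensively: every level may be missing or of the wrong type.
    local payload = data.payload
    local headers = type(payload) == "table" and payload.headers or nil
    local token = type(headers) == "table" and headers.authorization or nil

    -- Accept only a single-line Bearer credential. A CR/LF would let a body
    -- value smuggle extra header lines; anything malformed is left for
    -- authz-keycloak to reject as an unauthenticated request.
    if type(token) ~= "string"
       or token:sub(1, 7) ~= "Bearer "
       or token:find("[\r\n]") then
        return
    end

    -- Sets the nginx request header and updates APISIX's per-request header
    -- cache so authz-keycloak reads the injected value.
    core.request.set_header(ctx, "Authorization", token)
end
```

This only sees the HTTP request that carries the 101 Upgrade handshake; a connection_init message sent inside WebSocket frames after the upgrade is not visible to the access phase.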

@hndoss
Author

hndoss commented Dec 13, 2022

Thanks for the help, but apparently our needs are not explained very well here, and therefore I will open a new issue.

@hndoss hndoss closed this as completed Dec 13, 2022