From 91469741bfde043132681b9d9e18813de8b76a0d Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 22 Mar 2024 11:36:19 +0800 Subject: [PATCH 01/10] d --- apisix/plugins/openid-connect.lua | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index 435cf63631e9..ba3c90268790 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -260,6 +260,18 @@ local schema = { description = "Name of the expiry claim that controls the cached access token TTL.", type = "string" }, + introspection_addon_headers = { + description = "", + type = "object", + patternProperties = { + ["^[^:]+$"] = { + oneOf = { + { type = "string" }, + { type = "number" } + } + } + } + }, required_scopes = { description = "List of scopes that are required to be granted to the access token", type = "array", @@ -386,6 +398,19 @@ local function introspect(ctx, conf) else -- Validate token against introspection endpoint. -- TODO: Same as above for public key validation. + if #conf.introspection_addon_headers > 0 then + conf["http_request_decorator"] = function(req) + local h = req.headers or {} + for i,v in ipairs(conf.introspection_addon_headers) do + if not h[i] then + h[i] = v + end + end + req.headers = h + return req + end + end + local res, err = openidc.introspect(conf) if err then From c71fc9ff438166784818dcc9619632dd83888238 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 22 Mar 2024 14:55:26 +0800 Subject: [PATCH 02/10] fix --- apisix/plugins/openid-connect.lua | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index ba3c90268790..ecbf7660cf6c 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua 
@@ -263,6 +263,7 @@ local schema = { introspection_addon_headers = { description = "", type = "object", + minProperties = 1, patternProperties = { ["^[^:]+$"] = { oneOf = { @@ -398,7 +399,7 @@ local function introspect(ctx, conf) else -- Validate token against introspection endpoint. -- TODO: Same as above for public key validation. - if #conf.introspection_addon_headers > 0 then + if conf.introspection_addon_headers then conf["http_request_decorator"] = function(req) local h = req.headers or {} for i,v in ipairs(conf.introspection_addon_headers) do From 2d9f606785d27eda4902a3effe2ed4060735631f Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 22 Mar 2024 17:19:39 +0800 Subject: [PATCH 03/10] fix error --- apisix/plugins/openid-connect.lua | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index ecbf7660cf6c..094c5c9d8592 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -400,11 +400,13 @@ local function introspect(ctx, conf) -- Validate token against introspection endpoint. -- TODO: Same as above for public key validation. if conf.introspection_addon_headers then - conf["http_request_decorator"] = function(req) + -- http_request_decorator option provides by lua-resty-openidc + conf.http_request_decorator = function(req) local h = req.headers or {} - for i,v in ipairs(conf.introspection_addon_headers) do - if not h[i] then - h[i] = v + for name, value in pairs(conf.introspection_addon_headers) do + -- never overwrite exist header + if h[name] == nil then + h[name] = value end end req.headers = h From 674096e20865d853f678bc7c4bf394c8de23640c Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Fri, 22 Mar 2024 19:06:32 +0800 Subject: [PATCH 04/10] todo unset var and t file --- apisix/plugins/openid-connect.lua | 9 ++-- t/plugin/openid-connect6.t | 74 +++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+), 6 deletions(-) 
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index 094c5c9d8592..9e881bb64a8d 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -261,7 +261,7 @@ local schema = { type = "string" }, introspection_addon_headers = { - description = "", + description = "Extra http headers in introspection", type = "object", minProperties = 1, patternProperties = { @@ -404,16 +404,13 @@ local function introspect(ctx, conf) conf.http_request_decorator = function(req) local h = req.headers or {} for name, value in pairs(conf.introspection_addon_headers) do - -- never overwrite exist header - if h[name] == nil then - h[name] = value - end + h[name] = value end req.headers = h return req end end - + ---- conf.http_request_decorator unset local res, err = openidc.introspect(conf) if err then diff --git a/t/plugin/openid-connect6.t b/t/plugin/openid-connect6.t index 6497f3baa67f..b76dde0bf91c 100644 --- a/t/plugin/openid-connect6.t +++ b/t/plugin/openid-connect6.t 
@@ -155,3 +155,77 @@ passed } --- response_body passed + + + +=== TEST 4: Update route with fake Keycloak introspection endpoint and introspection addon headers +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "openid-connect": { + "client_id": "course_management", + "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5", + "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration", + "redirect_uri": "http://localhost:3000", + "ssl_verify": false, + "timeout": 10, + "bearer_only": true, + "realm": "University", + "introspection_endpoint_auth_method": "client_secret_post", + "introspection_endpoint": "http://127.0.0.1:1980/log_request", + "introspection_addon_headers": { + "X-Addon-Header-A": "VALUE", + "X-Addon-Header-B": "value" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 5: Check http headers from fake introspection endpoint. +--- config + location /t { + content_by_lua_block { + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:" .. ngx.var.server_port .. 
"/hello" + local res, err = httpc:request_uri(uri, { + method = "GET", + headers = { + ["Authorization"] = [[Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.Vq_sBN7nH67vMDbiJE01EP4hvJYE_5ju6izjkOX8pF5OS4g2RWKWpL6h6-b0tTkCzG4JD5BEl13LWW-Gxxw0i9vEK0FLg_kC_kZLYB8WuQ6B9B9YwzmZ3OLbgnYzt_VD7D-7psEbwapJl5hbFsIjDgOAEx-UCmjUcl2frZxZavG2LUiEGs9Ri7KqOZmTLgNDMWfeWh1t1LyD0_b-eTInbasVtKQxMlb5kR0Ln_Qg5092L-irJ7dqaZma7HItCnzXJROdqJEsMIBAYRwDGa_w5kIACeMOdU85QKtMHzOenYFkm6zh_s59ndziTctKMz196Y8AL08xuTi6d1gEWpM92A]] + } + }) + ngx.status = res.status + } + } +--- error_code: 401 +--- error_log +OIDC introspection failed: JSON decoding failed +--- grep_error_log eval +qr/x-addon-header.{9}/ +--- grep_error_log_out +x-addon-header-a: VALUE +x-addon-header-b: value From 98dd8ab91fbb238b68cc9ea5d5f352d306ae3396 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Mon, 25 Mar 2024 17:10:12 +0800 Subject: [PATCH 05/10] done --- apisix/plugins/openid-connect.lua | 3 +- t/plugin/openid-connect6.t | 142 +++++++++++++++++++++++++++++- 2 files changed, 141 insertions(+), 4 deletions(-) diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index 9e881bb64a8d..8dacde72c128 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -410,8 +410,9 @@ local function introspect(ctx, conf) return req end end - ---- conf.http_request_decorator unset + local res, err = openidc.introspect(conf) + conf.http_request_decorator = nil if err then ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. conf.realm .. diff --git a/t/plugin/openid-connect6.t b/t/plugin/openid-connect6.t index b76dde0bf91c..872b7ff5f532 100644 --- a/t/plugin/openid-connect6.t +++ b/t/plugin/openid-connect6.t 
@@ -158,7 +158,143 @@ passed -=== TEST 4: Update route with fake Keycloak introspection endpoint and introspection addon headers +=== TEST 4: Update route with Keycloak introspection endpoint and introspection addon headers. +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "openid-connect": { + "client_id": "course_management", + "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5", + "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration", + "redirect_uri": "http://localhost:3000", + "ssl_verify": false, + "timeout": 10, + "bearer_only": true, + "realm": "University", + "introspection_endpoint_auth_method": "client_secret_post", + "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect", + "introspection_addon_headers": { + "X-Addon-Header-A": "VALUE", + "X-Addon-Header-B": "value" + } + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 5: Obtain valid token and access route with it, introspection work as expected when configured extras headers. +--- config + location /t { + content_by_lua_block { + -- Obtain valid access token from Keycloak using known username and password. 
+ local json_decode = require("toolkit.json").decode + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token" + local res, err = httpc:request_uri(uri, { + method = "POST", + body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456", + headers = { + ["Content-Type"] = "application/x-www-form-urlencoded" + } + }) + + -- Check response from keycloak and fail quickly if there's no response. + if not res then + ngx.say(err) + return + end + + -- Check if response code was ok. + if res.status == 200 then + -- Get access token from JSON response body. + local body = json_decode(res.body) + local accessToken = body["access_token"] + + -- Access route using access token. Should work. + uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello" + local res, err = httpc:request_uri(uri, { + method = "GET", + headers = { + ["Authorization"] = "Bearer " .. body["access_token"] + } + }) + + if res.status == 200 then + -- Route accessed successfully. + ngx.say(true) + else + -- Couldn't access route. + ngx.say(false) + end + else + -- Response from Keycloak not ok. + ngx.say(false) + end + } + } +--- response_body +true +--- grep_error_log eval +qr/token validate successfully by \w+/ +--- grep_error_log_out +token validate successfully by introspection + + + +=== TEST 6: Access route with an invalid token, should work as expected too. +--- config + location /t { + content_by_lua_block { + -- Access route using a fake access token. + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello" + local res, err = httpc:request_uri(uri, { + method = "GET", + headers = { + ["Authorization"] = "Bearer " .. 
"fake access token", + } + }) + + if res.status == 200 then + ngx.say(true) + else + ngx.say(false) + end + } + } +--- response_body +false +--- error_log +OIDC introspection failed: invalid token + + + +=== TEST 7: Update route with fake Keycloak introspection endpoint and introspection addon headers --- config location /t { content_by_lua_block { @@ -205,7 +341,7 @@ passed -=== TEST 5: Check http headers from fake introspection endpoint. +=== TEST 8: Check http headers from fake introspection endpoint. --- config location /t { content_by_lua_block { @@ -215,7 +351,7 @@ passed local res, err = httpc:request_uri(uri, { method = "GET", headers = { - ["Authorization"] = [[Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.Vq_sBN7nH67vMDbiJE01EP4hvJYE_5ju6izjkOX8pF5OS4g2RWKWpL6h6-b0tTkCzG4JD5BEl13LWW-Gxxw0i9vEK0FLg_kC_kZLYB8WuQ6B9B9YwzmZ3OLbgnYzt_VD7D-7psEbwapJl5hbFsIjDgOAEx-UCmjUcl2frZxZavG2LUiEGs9Ri7KqOZmTLgNDMWfeWh1t1LyD0_b-eTInbasVtKQxMlb5kR0Ln_Qg5092L-irJ7dqaZma7HItCnzXJROdqJEsMIBAYRwDGa_w5kIACeMOdU85QKtMHzOenYFkm6zh_s59ndziTctKMz196Y8AL08xuTi6d1gEWpM92A]] + ["Authorization"] = "Bearer " .. "fake access token" } }) ngx.status = res.status From 6045556ca45fad37d96ced1d7015ac17dd2cf597 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Mon, 25 Mar 2024 17:34:29 +0800 Subject: [PATCH 06/10] doc --- docs/en/latest/plugins/openid-connect.md | 1 + docs/zh/latest/plugins/openid-connect.md | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md index 231ca6eaf9dd..dae1ea4be27a 100644 --- a/docs/en/latest/plugins/openid-connect.md +++ b/docs/en/latest/plugins/openid-connect.md 
@@ -89,6 +89,7 @@ description: OpenID Connect allows the client to obtain user information from th | cache_segment | string | False | | | Optional name of a cache segment, used to separate and differentiate caches used by token introspection or JWT verification. | | introspection_interval | integer | False | 0 | | TTL of the cached and introspected access token in seconds. | | introspection_expiry_claim | string | False | | | Name of the expiry claim, which controls the TTL of the cached and introspected access token. The default value is 0, which means this option is not used and the plugin defaults to use the TTL passed by expiry claim defined in `introspection_expiry_claim`. If `introspection_interval` is larger than 0 and less than the TTL passed by expiry claim defined in `introspection_expiry_claim`, use `introspection_interval`. | +| introspection_addon_headers | object | False | | | Append extras headers to the introspection http request. | NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md index 2a6c21b5dfa7..d2c3341cbcc3 100644 --- a/docs/zh/latest/plugins/openid-connect.md +++ b/docs/zh/latest/plugins/openid-connect.md @@ -89,6 +89,7 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议 | cache_segment | string | 否 | | | 可选的缓存段的名称,用于区分和区分用于令牌内省或 JWT 验证的缓存。 | | introspection_interval | integer | 否 | 0 | | 以秒为单位的缓存和内省访问令牌的 TTL。 | | introspection_expiry_claim | string | 否 | | | 过期声明的名称,用于控制缓存和内省访问令牌的 TTL。 | +| introspection_addon_headers | object | 否 | | | 添加额外的请求头到内省 HTTP 请求中。| 注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 From 729c045f9edabfd30a16095821956c7c24076e16 Mon Sep 17 00:00:00 2001 
From: yuweizzz Date: Mon, 1 Apr 2024 10:09:05 +0800 Subject: [PATCH 07/10] fix lint --- apisix/plugins/openid-connect.lua | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index 8dacde72c128..ac5cea3bb4f2 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -21,8 +21,9 @@ local openidc = require("resty.openidc") local random = require("resty.random") local string = string local ngx = ngx -local ipairs = ipairs -local concat = table.concat +local ipairs = ipairs +local pairs = pairs +local concat = table.concat local ngx_encode_base64 = ngx.encode_base64 From f336c9ac4037f2dbfb38bad1f22180efe71db4f3 Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Mon, 8 Apr 2024 11:35:55 +0800 Subject: [PATCH 08/10] refactor --- apisix/plugins/openid-connect.lua | 23 ++++++++++----------- docs/en/latest/plugins/openid-connect.md | 2 +- docs/zh/latest/plugins/openid-connect.md | 2 +- t/plugin/openid-connect6.t | 26 ++++++++++++------------ 4 files changed, 26 insertions(+), 27 deletions(-) diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index ac5cea3bb4f2..e01f20901623 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -263,15 +263,11 @@ local schema = { }, introspection_addon_headers = { description = "Extra http headers in introspection", - type = "object", - minProperties = 1, - patternProperties = { - ["^[^:]+$"] = { - oneOf = { - { type = "string" }, - { type = "number" } - } - } + type = "array", + minItems = 1, + items = { + type = "string", + pattern = "^[^:]+$" } }, required_scopes = { 
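Review bot: `pattern = "^[^:]+$"` on the new `items` accepts any character except a colon, so a configured header name containing spaces, CR or LF passes validation even though the name is later emitted verbatim as a header line of the outbound introspection request; whether lua-resty-http rejects such names is not visible from this hunk. Restrict the item to RFC 7230 token characters, for example `pattern = "^[A-Za-z0-9_.-]+$"` as a conservative subset, and consider `uniqueItems = true` so a repeated name does not do redundant work. The `schema` table starts and ends outside the hunk.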
@@ -401,11 +397,14 @@ local function introspect(ctx, conf) -- Validate token against introspection endpoint. -- TODO: Same as above for public key validation. if conf.introspection_addon_headers then - -- http_request_decorator option provides by lua-resty-openidc + -- http_request_decorator option provided by lua-resty-openidc conf.http_request_decorator = function(req) local h = req.headers or {} - for name, value in pairs(conf.introspection_addon_headers) do - h[name] = value + for _, name in ipairs(conf.introspection_addon_headers) do + local value = core.request.header(ctx, name) + if value then + h[name] = value + end end req.headers = h return req diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md index dae1ea4be27a..43021c92c75b 100644 --- a/docs/en/latest/plugins/openid-connect.md +++ b/docs/en/latest/plugins/openid-connect.md 
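Review bot: The decorator assigned to `conf.http_request_decorator` closes over this request's `ctx`, but `conf` is the plugin configuration shared by every request on the route (inferred from how APISIX hands `conf` to plugins; confirm), and `openidc.introspect(conf)` yields on its network round-trip before the `conf.http_request_decorator = nil` reset added in PATCH 05 runs, so two concurrent requests can overwrite each other's decorator: one request's header values are then sent on the other request's introspection call, or the first reset removes the decorator before the second call starts. Mutating `conf` dates from PATCH 01's hunk; capturing per-request state is what makes it observable here. Install the decorator on a per-request shallow copy instead, `conf = core.table.clone(conf)` as the first statement of the `if conf.introspection_addon_headers then` branch, after which the PATCH 05 reset can be dropped. `core.request.header(ctx, name)` may also return a table when the client repeats a header, and how lua-resty-http serialises a table value is not visible here, so consider forwarding only string values. The enclosing `introspect` function starts and ends outside the hunk.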
@@ -89,7 +89,7 @@ description: OpenID Connect allows the client to obtain user information from th | cache_segment | string | False | | | Optional name of a cache segment, used to separate and differentiate caches used by token introspection or JWT verification. | | introspection_interval | integer | False | 0 | | TTL of the cached and introspected access token in seconds. | | introspection_expiry_claim | string | False | | | Name of the expiry claim, which controls the TTL of the cached and introspected access token. The default value is 0, which means this option is not used and the plugin defaults to use the TTL passed by expiry claim defined in `introspection_expiry_claim`. If `introspection_interval` is larger than 0 and less than the TTL passed by expiry claim defined in `introspection_expiry_claim`, use `introspection_interval`. | -| introspection_addon_headers | object | False | | | Append extras headers to the introspection http request. | +| introspection_addon_headers | string[] | False | | | Array of strings. Used in Append extras headers to the introspection http request, If configured header not exist in origin request, it will be ignore. | NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md index d2c3341cbcc3..e8f99257340b 100644 --- a/docs/zh/latest/plugins/openid-connect.md +++ b/docs/zh/latest/plugins/openid-connect.md 
@@ -89,7 +89,7 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议 | cache_segment | string | 否 | | | 可选的缓存段的名称,用于区分和区分用于令牌内省或 JWT 验证的缓存。 | | introspection_interval | integer | 否 | 0 | | 以秒为单位的缓存和内省访问令牌的 TTL。 | | introspection_expiry_claim | string | 否 | | | 过期声明的名称,用于控制缓存和内省访问令牌的 TTL。 | -| introspection_addon_headers | object | 否 | | | 添加额外的请求头到内省 HTTP 请求中。| +| introspection_addon_headers | string[] | 否 | | | `introspection_addon_headers` 是字符串列表,用于配置额外添加到内省 HTTP 请求中的请求头,如果配置的请求头不存在于源请求中,它将被忽略。| 注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 diff --git a/t/plugin/openid-connect6.t b/t/plugin/openid-connect6.t index 872b7ff5f532..7c15cf454d60 100644 --- a/t/plugin/openid-connect6.t +++ b/t/plugin/openid-connect6.t @@ -178,10 +178,7 @@ passed "realm": "University", "introspection_endpoint_auth_method": "client_secret_post", "introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect", - "introspection_addon_headers": { - "X-Addon-Header-A": "VALUE", - "X-Addon-Header-B": "value" - } + "introspection_addon_headers": ["X-Addon-Header-A", "X-Addon-Header-B"] } }, "upstream": { @@ -239,7 +236,9 @@ passed local res, err = httpc:request_uri(uri, { method = "GET", headers = { - ["Authorization"] = "Bearer " .. body["access_token"] + ["Authorization"] = "Bearer " .. body["access_token"], + ["X-Addon-Header-A"] = "Value-A", + ["X-Addon-Header-B"] = "Value-b" } }) @@ -277,6 +276,8 @@ token validate successfully by introspection method = "GET", headers = { ["Authorization"] = "Bearer " .. "fake access token", + ["X-Addon-Header-A"] = "Value-A", + ["X-Addon-Header-B"] = "Value-b" } }) 
@@ -314,10 +315,7 @@ OIDC introspection failed: invalid token "realm": "University", "introspection_endpoint_auth_method": "client_secret_post", "introspection_endpoint": "http://127.0.0.1:1980/log_request", - "introspection_addon_headers": { - "X-Addon-Header-A": "VALUE", - "X-Addon-Header-B": "value" - } + "introspection_addon_headers": ["X-Addon-Header-A", "X-Addon-Header-B"] } }, "upstream": { @@ -351,7 +349,9 @@ passed local res, err = httpc:request_uri(uri, { method = "GET", headers = { - ["Authorization"] = "Bearer " .. "fake access token" + ["Authorization"] = "Bearer " .. "fake access token", + ["X-Addon-Header-A"] = "Value-A", + ["X-Addon-Header-B"] = "Value-b" } }) ngx.status = res.status @@ -361,7 +361,7 @@ passed --- error_log OIDC introspection failed: JSON decoding failed --- grep_error_log eval -qr/x-addon-header.{9}/ +qr/x-addon-header-.{10}/ --- grep_error_log_out -x-addon-header-a: VALUE -x-addon-header-b: value +x-addon-header-a: Value-A +x-addon-header-b: Value-b From 7354bb95b25147bea79d8cc966eb90bf03b9fa8c Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Mon, 8 Apr 2024 15:20:38 +0800 Subject: [PATCH 09/10] lint --- apisix/plugins/openid-connect.lua | 1 - 1 file changed, 1 deletion(-) diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index e01f20901623..8af111b348f2 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -22,7 +22,6 @@ local random = require("resty.random") local string = string local ngx = ngx local ipairs = ipairs -local pairs = pairs local concat = table.concat local ngx_encode_base64 = ngx.encode_base64 From 7e46e3240eff5ad0e72b75a634661cfd243c3ecf Mon Sep 17 00:00:00 2001 From: yuweizzz Date: Tue, 9 Apr 2024 15:42:16 +0800 Subject: [PATCH 10/10] doc and t --- docs/en/latest/plugins/openid-connect.md | 2 +- t/plugin/openid-connect6.t | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) 
diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md index 43021c92c75b..7ec910444cb8 100644 --- a/docs/en/latest/plugins/openid-connect.md +++ b/docs/en/latest/plugins/openid-connect.md @@ -89,7 +89,7 @@ description: OpenID Connect allows the client to obtain user information from th | cache_segment | string | False | | | Optional name of a cache segment, used to separate and differentiate caches used by token introspection or JWT verification. | | introspection_interval | integer | False | 0 | | TTL of the cached and introspected access token in seconds. | | introspection_expiry_claim | string | False | | | Name of the expiry claim, which controls the TTL of the cached and introspected access token. The default value is 0, which means this option is not used and the plugin defaults to use the TTL passed by expiry claim defined in `introspection_expiry_claim`. If `introspection_interval` is larger than 0 and less than the TTL passed by expiry claim defined in `introspection_expiry_claim`, use `introspection_interval`. | -| introspection_addon_headers | string[] | False | | | Array of strings. Used in Append extras headers to the introspection http request, If configured header not exist in origin request, it will be ignore. | +| introspection_addon_headers | string[] | False | | | Array of strings. Used to append additional header values to the introspection HTTP request. If the specified header does not exist in origin request, value will not be appended. | NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). diff --git a/t/plugin/openid-connect6.t b/t/plugin/openid-connect6.t index 7c15cf454d60..2406c135312a 100644 --- a/t/plugin/openid-connect6.t +++ b/t/plugin/openid-connect6.t 
@@ -257,14 +257,12 @@ passed } --- response_body true ---- grep_error_log eval -qr/token validate successfully by \w+/ ---- grep_error_log_out +--- error_log token validate successfully by introspection -=== TEST 6: Access route with an invalid token, should work as expected too. +=== TEST 6: Access route with an invalid token, should fail. --- config location /t { content_by_lua_block {