This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

Bearer JWT verify, auth/acl chaining, group/credential handling fixes #2

Merged
merged 9 commits into from
Jan 13, 2021

Conversation

hanlaur

@hanlaur hanlaur commented Jan 13, 2021

Hello @cristichiru and all and thanks for your work with the OIDC plugin! This pull request has some patch proposals if you want to check and consider them:

  • Fix test environment set-up to work with current kong
  • Fix use of groups_claim config parameter
  • Add option skip_already_auth_requests for partial plugin chaining support
  • Use kong.client.authenticate and set_consumer to inject user
  • Inject groups and set credentials regardless of disable_userinfo_header value
  • Add feature to auth based on JWT Bearer (ID) token in Authorization header
  • Honor disable_userinfo_header on bearer token auth
  • Add feature to inject custom headers based on claims
  • Upgrade lua-resty-openidc to 1.7.4-1

For now for visibility these are all bundled in this single PR but as separate commits. If needed I could open them separately (but then some sequentially due to dependencies), but wanted to first hear your thoughts.

These are mostly backward compatible but there are some behavior changes due to the fixes/changes. Some notes could be compiled to docker-kong-oidc changelog if applying these. There is some info in individual commit messages.

Please have a look and let me know :)

…port

Partial support for plugin chaining: allow skipping requests, where higher priority
plugin has already set the credentials. The 'config.anonymous' approach to define
"and/or" relationship between auth plugins is not utilized.
This way possible anonymous consumer identity set by higher
priority plugin is cleared in case of OIDC authentication.
Makes it easier to use simultaneously for example basic-auth
plugin, oidc plugin and acl plugin.

This behavior is more in line with Kong-bundled auth plugins.
There could be some upgrade impact, since previously
the consumer identity was not touched and headers were not
managed.
…er value

Previously disable_userinfo_header impacted also setting of credential/group.

This commit has some upgrade impact, if the previous behavior was relied upon.
Previously the parameter was not honored for token introspection case.

This commit has some upgrade impact, if the previous behavior was
relied upon.
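The request flow these commit messages describe, written out as an added Lua example (this is not the kong-oidc plugin's own code): the plugin steps aside when a higher-priority auth plugin has already set a credential, otherwise it authenticates via a Bearer JWT or the redirect flow, then injects the consumer with `kong.client.authenticate`, publishes groups for the acl plugin, sets claim-derived headers, and honours `disable_userinfo_header` on both paths. It assumes the Kong PDK calls (`kong.client.*`, `kong.request.get_header`, `kong.service.request.*`, `kong.ctx.shared`) and the lua-resty-openidc calls (`openidc.bearer_jwt_verify`, `openidc.authenticate`) behave as documented; the config field names, header names, the credential table shape and the stand-in objects at the bottom are illustrative constructions, not the plugin's.

```lua
-- Added example, not the kong-oidc plugin's own code. Sketches the flow from the
-- PR: skip already-authenticated requests, authenticate via Bearer JWT or the
-- redirect flow, then inject consumer, groups and claim-based headers.
-- Assumptions: Kong PDK and lua-resty-openidc calls behave as documented;
-- config field names, header names and the credential shape are illustrative.
local M = {}

-- A higher-priority auth plugin (e.g. basic-auth) already set a credential?
function M.should_skip(kong, config)
  return config.skip_already_auth_requests == true
     and kong.client.get_credential() ~= nil
end

-- Pick the auth path: Bearer JWT in the Authorization header, else redirect flow.
-- Returns claims, nil, path on success or nil plus an error string.
function M.authenticate(kong, openidc, opts)
  local auth = kong.request.get_header("Authorization") or ""
  if auth:sub(1, 7) == "Bearer " then
    local claims, err = openidc.bearer_jwt_verify(opts)   -- verifies signature/claims
    if err then return nil, "bearer verify failed: " .. tostring(err) end
    return claims, nil, "bearer"
  end
  local res, err = openidc.authenticate(opts)             -- session / redirect flow
  if err then return nil, "authenticate failed: " .. tostring(err) end
  return res.id_token, nil, "session"
end

-- Inject the user as the Kong consumer (replacing any anonymous identity set
-- earlier in the chain), publish groups for the acl plugin, set claim headers.
function M.inject_user(kong, config, claims)
  local consumer = { id = claims.sub, username = claims.preferred_username or claims.sub }
  local credential = { id = claims.sub }                  -- illustrative shape
  kong.client.authenticate(consumer, credential)

  local groups = claims[config.groups_claim or "groups"]  -- honour groups_claim
  if type(groups) == "table" then
    kong.ctx.shared.authenticated_groups = groups         -- read by the acl plugin
    kong.service.request.set_header("X-Authenticated-Groups", table.concat(groups, ","))
  end

  -- Custom headers from claims, set regardless of disable_userinfo_header.
  for header, claim in pairs(config.header_claims or {}) do
    if claims[claim] ~= nil then
      kong.service.request.set_header(header, tostring(claims[claim]))
    else
      kong.service.request.clear_header(header)           -- never forward a stale value
    end
  end

  if config.disable_userinfo_header then
    kong.service.request.clear_header("X-Userinfo")
  else
    kong.service.request.set_header("X-Userinfo", "sub=" .. tostring(claims.sub)) -- placeholder encoding
  end
end

-- Minimal stand-ins for the PDK and lua-resty-openidc so the flow runs offline.
function M.fake_kong(headers_in, existing_credential)
  local k = { ctx = { shared = {} }, out = {}, authenticated = nil }
  k.request = { get_header = function(name) return headers_in[name] end }
  k.client = {
    get_credential = function() return existing_credential end,
    authenticate = function(c, cred) k.authenticated = { consumer = c, credential = cred } end,
  }
  k.service = { request = {
    set_header = function(n, v) k.out[n] = v end,
    clear_header = function(n) k.out[n] = nil end,
  } }
  return k
end

local fake_openidc = {  -- constructed: pretend the token verified with these claims
  bearer_jwt_verify = function() return { sub = "alice", groups = { "admins", "devs" }, email = "alice@example.com" } end,
  authenticate = function() return { id_token = { sub = "bob", groups = { "devs" } } } end,
}
local cfg = { skip_already_auth_requests = true, groups_claim = "groups",
              header_claims = { ["X-User-Email"] = "email" }, disable_userinfo_header = true }

-- 1) basic-auth already authenticated the request: the OIDC plugin steps aside.
local k = M.fake_kong({}, { id = "basic-cred" })
assert(M.should_skip(k, cfg))

-- 2) Bearer token present, no prior credential: verify, then inject.
k = M.fake_kong({ Authorization = "Bearer <constructed-jwt>" }, nil)
assert(not M.should_skip(k, cfg))
local claims, err, path = M.authenticate(k, fake_openidc, {})
assert(claims and path == "bearer", err)
M.inject_user(k, cfg, claims)
assert(k.authenticated.consumer.username == "alice")
assert(k.out["X-Authenticated-Groups"] == "admins,devs")
assert(k.out["X-User-Email"] == "alice@example.com")
assert(k.out["X-Userinfo"] == nil)   -- disable_userinfo_header honoured on the bearer path

return M
```

Run it with plain `lua` to step through the two constructed cases; inside Kong the real `kong` global and `require("resty.openidc")` would replace the stand-ins. The design point is the order of checks: the skip decision happens before any token work, so a request that basic-auth already accepted is never re-authenticated, while a request without a prior credential always ends in `kong.client.authenticate`, which is what clears a leftover anonymous identity.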
@hanlaur
Author

hanlaur commented Jan 14, 2021

👍 @cristichiru. I have a related proposal to the docker-kong-oidc Dockerfile to add lua_shared_dict for jwks, discovery & introspection, to increase performance. The changes can be seen in an "in-repo" Dockerfile https://github.com/hanlaur/kong-oidc/blob/gh-patches/Dockerfile. I was thinking of creating a PR about those settings to the docker-kong-oidc repo in the near future.
