This is an automated email from the ASF dual-hosted git repository.

monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new a0fe93035 feat(openid-connect): add more attributes (#10591)
a0fe93035 is described below

commit a0fe930358ac30b5c7fe81bacbf3712ba8682435
Author: Traky Deng <[email protected]>
AuthorDate: Tue Dec 5 08:36:07 2023 -0800

    feat(openid-connect): add more attributes (#10591)
---
 apisix/plugins/openid-connect.lua        | 85 ++++++++++++++++++++++++++++++++
 docs/en/latest/plugins/openid-connect.md | 18 +++++++
 docs/zh/latest/plugins/openid-connect.md | 20 +++++++-
 t/plugin/openid-connect.t                |  2 +-
 4 files changed, 123 insertions(+), 2 deletions(-)

diff --git a/apisix/plugins/openid-connect.lua 
b/apisix/plugins/openid-connect.lua
index 2bca4cb9d..08f768673 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -167,6 +167,91 @@ local schema = {
             description = "Extra authorization params to the authorize 
endpoint",
             type = "object"
         },
+        client_rsa_private_key = {
+            description = "Client RSA private key used to sign JWT.",
+            type = "string"
+        },
+        client_rsa_private_key_id = {
+            description = "Client RSA private key ID used to compute a signed 
JWT.",
+            type = "string"
+        },
+        client_jwt_assertion_expires_in = {
+            description = "Life duration of the signed JWT in seconds.",
+            type = "integer",
+            default = 60
+        },
+        renew_access_token_on_expiry = {
+            description = "Whether to attempt silently renewing the access 
token.",
+            type = "boolean",
+            default = true
+        },
+        access_token_expires_in = {
+            description = "Lifetime of the access token in seconds if 
expires_in is not present.",
+            type = "integer"
+        },
+        refresh_session_interval = {
+            description = "Time interval to refresh user ID token without 
re-authentication.",
+            type = "integer",
+            default = 900
+        },
+        iat_slack = {
+            description = "Tolerance of clock skew in seconds with the iat 
claim in an ID token.",
+            type = "integer",
+            default = 120
+        },
+        accept_none_alg = {
+            description = "Set to true if the OpenID provider does not sign 
its ID token.",
+            type = "boolean",
+            default = false
+        },
+        accept_unsupported_alg = {
+            description = "Ignore ID token signature to accept unsupported 
signature algorithm.",
+            type = "boolean",
+            default = true
+        },
+        access_token_expires_leeway = {
+            description = "Expiration leeway in seconds for access token 
renewal.",
+            type = "integer",
+            default = 0
+        },
+        force_reauthorize = {
+            description = "Whether to execute the authorization flow when a 
token has been cached.",
+            type = "boolean",
+            default = false
+        },
+        use_nonce = {
+            description = "Whether to include nonce parameter in authorization 
request.",
+            type = "boolean",
+            default = false
+        },
+        revoke_tokens_on_logout = {
+            description = "Notify authorization server a previous token is no 
longer needed.",
+            type = "boolean",
+            default = false
+        },
+        jwk_expires_in = {
+            description = "Expiration time for JWK cache in seconds.",
+            type = "integer",
+            default = 86400
+        },
+        jwt_verification_cache_ignore = {
+            description = "Whether to ignore cached verification and 
re-verify.",
+            type = "boolean",
+            default = false
+        },
+        cache_segment = {
+            description = "Name of a cache segment to differentiate caches.",
+            type = "string"
+        },
+        introspection_interval = {
+            description = "TTL of the cached and introspected access token in 
seconds.",
+            type = "integer",
+            default = 0
+        },
+        introspection_expiry_claim = {
+            description = "Name of the expiry claim that controls the cached 
access token TTL.",
+            type = "string"
+        },
         required_scopes = {
             description = "List of scopes that are required to be granted to 
the access token",
             type = "array",
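Review bot: `client_rsa_private_key` is added as a plain `string` schema field but is not added to the schema's `encrypt_fields` list, which the documentation changed in this same commit states still contains only `client_secret`; a private signing key stored in etcd is at least as sensitive as the client secret, so the list should become `encrypt_fields = {"client_secret", "client_rsa_private_key"}` (that line sits outside this hunk). The `accept_unsupported_alg` default of `true` means an ID token whose signature algorithm is unsupported is accepted without signature verification, which is a weaker-than-expected default for an authentication plugin; if the default is intentional, the description should state the consequence, e.g. `description = "Ignore ID token signature to accept unsupported signature algorithm. Defaults to true; set to false to reject such tokens."`. The integer lifetimes (`client_jwt_assertion_expires_in`, `refresh_session_interval`, `jwk_expires_in`, `introspection_interval`, `access_token_expires_leeway`) carry no `minimum`, so negative values pass schema validation. The enclosing `schema` table begins before this hunk.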
diff --git a/docs/en/latest/plugins/openid-connect.md 
b/docs/en/latest/plugins/openid-connect.md
index 3ea4bd644..ed3dbafd6 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
@@ -69,6 +69,24 @@ description: OpenID Connect allows the client to obtain user 
information from th
 | proxy_opts.https_proxy_authorization | string   | False    |                 
      | Basic [base64 username:password] | Default `Proxy-Authorization` header 
value to be used with `https_proxy`. Cannot be overridden with custom 
`Proxy-Authorization` request header since with with HTTPS the authorization is 
completed when connecting.                         |
 | proxy_opts.no_proxy                  | string   | False    |                 
      |                                  | Comma separated list of hosts that 
should not be proxied.                                                          
                                                                                
                                   |
 | authorization_params                 | object   | False    |                 
      |                                  | Additional parameters to send in the 
in the request to the authorization endpoint.                                   
                                                                                
                                 |
+| client_rsa_private_key | string | False |  |  | Client RSA private key used 
to sign JWT. |
+| client_rsa_private_key_id | string | False |  |  | Client RSA private key ID 
used to compute a signed JWT. |
+| client_jwt_assertion_expires_in | integer | False | 60 |  | Life duration of 
the signed JWT in seconds. |
+| renew_access_token_on_expiry | boolean | False | true |  | If true, attempt 
to silently renew the access token when it expires or if a refresh token is 
available. If the token fails to renew, redirect user for re-authentication. |
+| access_token_expires_in | integer | False |  |  | Lifetime of the access 
token in seconds if no `expires_in` attribute is present in the token endpoint 
response. |
+| refresh_session_interval | integer | False | 900 |  | Time interval to 
refresh user ID token without requiring re-authentication. |
+| iat_slack | integer | False | 120 |  | Tolerance of clock skew in seconds 
with the `iat` claim in an ID token. |
+| accept_none_alg | boolean | False | false |  | Set to true if the OpenID 
provider does not sign its ID token, such as when the signature algorithm is 
set to `none`. |
+| accept_unsupported_alg | boolean | False | true |  | If true, ignore ID 
token signature to accept unsupported signature algorithm. |
+| access_token_expires_leeway | integer | False | 0 |  | Expiration leeway in 
seconds for access token renewal. When set to a value greater than 0, token 
renewal will take place the set amount of time before token expiration. This 
avoids errors in case the access token just expires when arriving to the 
resource server. |
+| force_reauthorize | boolean | False | false |  | If true, execute the 
authorization flow even when a token has been cached. |
+| use_nonce | boolean | False | false |  | If true, enable nonce parameter in 
authorization request. |
+| revoke_tokens_on_logout | boolean | False | false |  | If true, notify the 
authorization server a previously obtained refresh or access token is no longer 
needed at the revocation endpoint. |
+| jwk_expires_in | integer | False | 86400 |  | Expiration time for JWK cache 
in seconds. |
+| jwt_verification_cache_ignore | boolean | False | false |  | If true, force 
re-verification for a bearer token and ignore any existing cached verification 
results. |
+| cache_segment | string | False |  |  | Optional name of a cache segment, 
used to separate and differentiate caches used by token introspection or JWT 
verification. |
+| introspection_interval | integer | False | 0 |  | TTL of the cached and 
introspected access token in seconds. |
+| introspection_expiry_claim | string | False |  |  | Name of the expiry 
claim, which controls the TTL of the cached and introspected access token. The 
default value is 0, which means this option is not used and the plugin defaults 
to use the TTL passed by expiry claim defined in `introspection_expiry_claim`. 
If `introspection_interval` is larger than 0 and less than the TTL passed by 
expiry claim defined in `introspection_expiry_claim`, use 
`introspection_interval`. |
 
 NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, 
which means that the field will be stored encrypted in etcd. See [encrypted 
storage fields](../plugin-develop.md#encrypted-storage-fields).
 
diff --git a/docs/zh/latest/plugins/openid-connect.md 
b/docs/zh/latest/plugins/openid-connect.md
index 24dd41de6..0e38e0bdb 100644
--- a/docs/zh/latest/plugins/openid-connect.md
+++ b/docs/zh/latest/plugins/openid-connect.md
@@ -68,7 +68,25 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议
 | proxy_opts.http_proxy_authorization  | string  | 否    |                      
 | Basic [base64 username:password] | 与 `http_proxy` 一起使用的默认 
`Proxy-Authorization` 标头值。可以使用自定义 `Proxy-Authorization` 请求标头覆盖。                 
                                                |
 | proxy_opts.https_proxy_authorization | string  | 否    |                      
 | Basic [base64 username:password] | 与 `https_proxy` 一起使用的默认 
`Proxy-Authorization` 标头值。无法使用自定义 `Proxy-Authorization` 请求标头覆盖,因为使用 HTTPS 
时,授权在连接时完成。 |
 | proxy_opts.no_proxy                  | string  | 否    |                      
 |                                  | 不应被代理的主机的逗号分隔列表。                          
                                                                     |
-| authorization_params                 | object  | false    |                  
     |                                  | 在请求中发送到授权端点的附加参数                   |
+| authorization_params                 | object  | 否    |                      
 |                                  | 在请求中发送到授权端点的附加参数                   |
+| client_rsa_private_key          | string  | 否    |               |           
  | 用于签署 JWT 的客户端 RSA 私钥。  |
+| client_rsa_private_key_id       | string  | 否    |               |           
  | 用于计算签名 JWT 的客户端 RSA 私钥 ID。  |
+| client_jwt_assertion_expires_in | integer | 否    | 60            |           
  | 签名 JWT 的生存期,以秒为单位。 |
+| renew_access_token_on_expiry    | boolean | 否    | true          |           
  | 如果为 true,在访问令牌过期或存在刷新令牌时,尝试静默更新访问令牌。如果令牌无法更新,则重定向用户进行重新认证。  |
+| access_token_expires_in         | integer | 否    |               |           
  | 访问令牌的生命周期,以秒为单位,如果令牌终端响应中不存在 `expires_in` 属性。  |
+| refresh_session_interval        | integer | 否    | 900           |           
  | 刷新用户 ID 令牌而无需重新进行身份验证的时间间隔,以秒为单位。  |
+| iat_slack                       | integer | 否    | 120           |           
  | 与 ID 令牌中的 `iat` 声明的时钟偏差容忍度,以秒为单位。  |
+| accept_none_alg                 | boolean | 否    | false         |           
  | 如果 OpenID 提供程序不对其 ID 令牌进行签名将其设置为 true。  |
+| accept_unsupported_alg          | boolean | 否    | true          |           
  | 如果为 true,忽略 ID 令牌签名以接受不支持的签名算法。 |
+| access_token_expires_leeway     | integer | 否    | 0             |           
  | 访问令牌续订的过期宽限期,以秒为单位。当设置为大于 0 
的值时,令牌续订将在令牌到期之前的一段时间内进行。这样可以避免在到达资源服务器时令牌刚好过期时出现错误。 |
+| force_reauthorize               | boolean | 否    | false         |           
  | 如果为 true,即使已缓存令牌,也执行授权流程。 |
+| use_nonce                       | boolean | 否    | false         |           
  | 如果为 true,启用授权请求中的 nonce 参数。|
+| revoke_tokens_on_logout         | boolean | 否    | false         |           
  | 如果为 true,通知授权服务器不再需要先前获取的刷新令牌或访问令牌,发送到吊销端点。|
+| jwk_expires_in                  | integer | 否    | 86400         |           
  | JWK 缓存的过期时间,以秒为单位。|
+| jwt_verification_cache_ignore   | boolean | 否    | false         |           
  | 如果为 true,请强制对持有者令牌进行重新验证,并忽略任何现有的缓存验证结果。 |
+| cache_segment                   | string  | 否    |               |           
  | 可选的缓存段的名称,用于区分和区分用于令牌内省或 JWT 验证的缓存。 |
+| introspection_interval          | integer | 否    | 0             |           
  | 以秒为单位的缓存和内省访问令牌的 TTL。   |
+| introspection_expiry_claim      | string  | 否    |               |           
  | 过期声明的名称,用于控制缓存和内省访问令牌的 TTL。 |
 
 注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd 
中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。
 
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index d78d38067..23b201e9e 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -876,7 +876,7 @@ OIDC introspection failed: invalid token
         }
     }
 --- response_body
-{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_heade
 [...]
+{"accept_none_alg":false,"accept_unsupported_alg":true,"access_token_expires_leeway":0,"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_jwt_assertion_expires_in":60,"client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","force_reauthorize":false,"iat_slack":120,"introspection_endpoint_auth_method":"client_secret_basic","in
 [...]
 
 
 
