kevinlzw commented on code in PR #13649:
URL: https://github.com/apache/apisix/pull/13649#discussion_r3520719404
##########
apisix/plugins/openid-connect.lua:
##########
@@ -298,6 +317,60 @@ local schema = {
type = "boolean",
default = false
},
+ par = {
+ description = "Pushed Authorization Requests (PAR) configuration.",
+ type = "object",
+ properties = {
+ enabled = {
+ description = "When true, use Pushed Authorization
Requests (PAR).",
+ type = "boolean",
+ default = false,
+ },
+ endpoint = {
+ description = "URL of the Pushed Authorization Requests
endpoint.",
+ type = "string",
+ },
+ endpoint_auth_method = {
+ description = "Authentication method for the PAR
endpoint.",
+ type = "string",
+ },
+ },
+ additionalProperties = false,
+ },
+ dpop = {
+ description = "Demonstrating Proof-of-Possession (DPoP)
configuration.",
+ type = "object",
+ properties = {
+ enabled = {
+ description = "When true, use DPoP proof JWTs.",
+ type = "boolean",
+ default = false,
+ },
+ signing_alg = {
+ description = "DPoP proof JWT signing algorithm.",
+ type = "string",
+ enum = {"ES256", "RS256", "PS256"},
+ default = "ES256",
+ },
+ private_key = {
+ description = "Private key used to sign DPoP proof JWTs.",
+ type = "string",
+ },
+ public_jwk = {
+ description = "Public JWK matching dpop.private_key.",
+ type = "object",
Review Comment:
Thanks for the detailed catch. I added the schema-side rejection for private
JWK members (`d`, `p`, `q`, `dp`, `dq`, `qi`, `oth`, and `k`) under
`dpop.public_jwk`, so complete/private JWKs now fail `check_schema` before
anything can be persisted in etcd. I also added a regression case that verifies
a JWK containing `d` is rejected.
##########
apisix/plugins/openid-connect.lua:
##########
@@ -52,6 +52,25 @@ local function build_session_opts(session_conf)
end
+local function flatten_openidc_options(conf)
Review Comment:
Thanks, that makes sense. I added a Test::Nginx runtime block with a fake
discovery document and a fake PAR endpoint, then configured the plugin through
the Admin API and hit the route to exercise the actual flattening path. The
test now parses the final authorize redirect and asserts the query shape
exactly: only `client_id` and `request_uri` are present, while `scope`,
`state`, `response_type`, and `redirect_uri` are absent.
##########
t/plugin/openid-connect.t:
##########
@@ -152,23 +155,22 @@ passed
-=== TEST 5: verify encrypted field
+=== TEST 5: verify encrypted fields
--- config
location /t {
content_by_lua_block {
- local json = require("toolkit.json")
- local t = require("lib.test_admin").test
-
-
- -- get plugin conf from etcd, client_rsa_private_key is encrypted
+ -- get plugin conf from etcd, private key fields are encrypted
local etcd = require("apisix.core.etcd")
local res = assert(etcd.get('/routes/1'))
-
ngx.say(res.body.node.value.plugins["openid-connect"].client_rsa_private_key)
+ local conf = res.body.node.value.plugins["openid-connect"]
+ ngx.say(conf.client_rsa_private_key ~=
"89ae4c8edadf1cd1c9f034335f136f87ad84b625c8f1")
+ ngx.say(conf.dpop.private_key ~= "dpop-private-key")
Review Comment:
Good point. I updated the assertions to require the stored values to be
strings before comparing them with the plaintext values, so a missing/nil value
no longer passes as encrypted. I kept it value-agnostic rather than pinning the
deterministic ciphertext, to avoid making the test depend on the exact
encrypted blob.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]