Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-16 Thread via GitHub


moonming merged PR #11090:
URL: https://github.com/apache/apisix/pull/11090


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-12 Thread via GitHub


yuweizzz commented on PR #11090:
URL: https://github.com/apache/apisix/pull/11090#issuecomment-2053525809

   any update?





Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-09 Thread via GitHub


yuweizzz commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1557118320


##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": 
["X-Addon-Header-A", "X-Addon-Header-B"]
+}
+},
+"upstream": {
+"nodes": {
+"127.0.0.1:1980": 1
+},
+"type": "roundrobin"
+},
+"uri": "/hello"
+}]]
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.say(body)
+}
+}
+--- response_body
+passed
+
+
+
+=== TEST 5: Obtain valid token and access route with it, introspection work as 
expected when configured extras headers.
+--- config
+location /t {
+content_by_lua_block {
+-- Obtain valid access token from Keycloak using known username 
and password.
+local json_decode = require("toolkit.json").decode
+local http = require "resty.http"
+local httpc = http.new()
+local uri = 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token";
+local res, err = httpc:request_uri(uri, {
+method = "POST",
+body = 
"grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teac...@gmail.com&password=123456",
+headers = {
+["Content-Type"] = "application/x-www-form-urlencoded"
+}
+})
+
+-- Check response from keycloak and fail quickly if there's no 
response.
+if not res then
+ngx.say(err)
+return
+end
+
+-- Check if response code was ok.
+if res.status == 200 then
+-- Get access token from JSON response body.
+local body = json_decode(res.body)
+local accessToken = body["access_token"]
+
+-- Access route using access token. Should work.
+uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+local res, err = httpc:request_uri(uri, {
+method = "GET",
+headers = {
+["Authorization"] = "Bearer " .. body["access_token"],
+["X-Addon-Header-A"] = "Value-A",
+["X-Addon-Header-B"] = "Value-b"
+}
+ })
+
+if res.status == 200 then
+-- Route accessed successfully.
+ngx.say(true)
+else
+-- Couldn't access route.
+ngx.say(false)
+end
+else
+-- Response from Keycloak not ok.
+ngx.say(false)
+end
+}
+}
+--- response_body
+true
+--- grep_error_log eval
+qr/token validate successfully by \w+/
+--- grep_error_log_out
+token validate successfully by introspection
+
+
+
+=== TEST 6: Access route with an invalid token, should work as expected too.
+--- config
+location /t {
+content_by_lua_block {
+-- Access route using a fake access token.
+local http = require "resty.http"
+local httpc = http.new()
+local uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+local res, err = httpc:request_uri(u
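
Review bot: In TEST 5 the second `httpc:request_uri` call (the GET to `/hello`) is followed directly by `if res.status == 200`, with no `if not res` guard like the one after the token request, so a failed connection raises a Lua error on a nil `res` instead of printing `err`. Add the same guard there. `local accessToken` is also assigned and never used, since the `Authorization` header is built from `body["access_token"]`.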

Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-09 Thread via GitHub


yuweizzz commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1557117202


##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": 
["X-Addon-Header-A", "X-Addon-Header-B"]
+}
+},
+"upstream": {
+"nodes": {
+"127.0.0.1:1980": 1
+},
+"type": "roundrobin"
+},
+"uri": "/hello"
+}]]
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.say(body)
+}
+}
+--- response_body
+passed
+
+
+
+=== TEST 5: Obtain valid token and access route with it, introspection work as 
expected when configured extras headers.
+--- config
+location /t {
+content_by_lua_block {
+-- Obtain valid access token from Keycloak using known username 
and password.
+local json_decode = require("toolkit.json").decode
+local http = require "resty.http"
+local httpc = http.new()
+local uri = 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token";
+local res, err = httpc:request_uri(uri, {
+method = "POST",
+body = 
"grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teac...@gmail.com&password=123456",
+headers = {
+["Content-Type"] = "application/x-www-form-urlencoded"
+}
+})
+
+-- Check response from keycloak and fail quickly if there's no 
response.
+if not res then
+ngx.say(err)
+return
+end
+
+-- Check if response code was ok.
+if res.status == 200 then
+-- Get access token from JSON response body.
+local body = json_decode(res.body)
+local accessToken = body["access_token"]
+
+-- Access route using access token. Should work.
+uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+local res, err = httpc:request_uri(uri, {
+method = "GET",
+headers = {
+["Authorization"] = "Bearer " .. body["access_token"],
+["X-Addon-Header-A"] = "Value-A",

Review Comment:
   The test is just for comparison with test 6 and test 8. It should work normally if 
we don't pass these headers.






Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-08 Thread via GitHub


kayx23 commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1556993469


##
docs/en/latest/plugins/openid-connect.md:
##
@@ -89,6 +89,7 @@ description: OpenID Connect allows the client to obtain user 
information from th
 | cache_segment | string | False |  |  | Optional name of a cache segment, 
used to separate and differentiate caches used by token introspection or JWT 
verification. |
 | introspection_interval | integer | False | 0 |  | TTL of the cached and 
introspected access token in seconds. |
 | introspection_expiry_claim | string | False |  |  | Name of the expiry 
claim, which controls the TTL of the cached and introspected access token. The 
default value is 0, which means this option is not used and the plugin defaults 
to use the TTL passed by expiry claim defined in `introspection_expiry_claim`. 
If `introspection_interval` is larger than 0 and less than the TTL passed by 
expiry claim defined in `introspection_expiry_claim`, use 
`introspection_interval`. |
+| introspection_addon_headers | string[] | False |  |  | Array of strings. 
Used in Append extras headers to the introspection http request, If configured 
header not exist in origin request, it will be ignore. |
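
Review bot: The new `introspection_addon_headers` row does not say where the header values come from. Per the description they are taken from the origin (client) request, so they are client-controlled; state that explicitly and note that only header names that are safe to relay to the introspection endpoint should be listed. The description also opens with "Array of strings.", which repeats the `string[]` type column.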

Review Comment:
   ```suggestion
   | introspection_addon_headers | string[] | False |  |  | Array of strings. 
Used to append additional header values to the introspection HTTP request. If 
the specified header does not exist in origin request, value will not be 
appended. |
   ```
   
   This is for appending header value right?




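The semantics settled in this thread (the configuration lists header names, the values come from the client request, and absent headers are skipped), written as a decorator for the `http_request_decorator` option of lua-resty-openidc. This is an added example, not code from the PR: `build_decorator`, `lookup` and the `RESERVED` set are hypothetical names, and the reserved-name check and first-value rule are assumptions of the example that the PR does not describe.

```lua
-- Added example: plain Lua, no OpenResty required.
-- build_decorator, lookup and RESERVED are hypothetical, not APISIX identifiers.

-- Headers the introspection request sets for itself. Copying client values
-- over them would change how the gateway talks to the identity provider.
-- This reserved set is an assumption of the example, not plugin behaviour.
local RESERVED = {
    ["authorization"]  = true,
    ["content-type"]   = true,
    ["content-length"] = true,
    ["host"]           = true,
}

-- Case-insensitive lookup in a header table whose keys may use any case.
local function lookup(headers, name)
    local want = name:lower()
    for k, v in pairs(headers) do
        if type(k) == "string" and k:lower() == want then
            return v
        end
    end
    return nil
end

-- addon_names:    configured list, e.g. {"X-Addon-Header-A", "X-Addon-Header-B"}
-- client_headers: headers of the incoming client request
-- Returns a function that takes the outgoing request table and returns it,
-- which is the shape http_request_decorator expects.
local function build_decorator(addon_names, client_headers)
    local selected = {}
    for _, name in ipairs(addon_names or {}) do
        local value = lookup(client_headers, name)
        if value ~= nil and not RESERVED[name:lower()] then
            -- A repeated header may arrive as a table; this example keeps
            -- only its first value.
            if type(value) == "table" then
                value = value[1]
            end
            selected[name] = value
        end
    end

    return function(req)
        local h = req.headers or {}
        for name, value in pairs(selected) do
            h[name] = value
        end
        req.headers = h
        return req
    end
end

-- Constructed sample client request: header A is present, header B is absent.
local client = {
    ["authorization"]    = "Bearer <access-token>",
    ["x-addon-header-a"] = "Value-A",
}

local decorate = build_decorator(
    { "X-Addon-Header-A", "X-Addon-Header-B", "Authorization" },
    client
)

-- Constructed sample introspection request before decoration.
local req = decorate({
    method  = "POST",
    headers = { ["Content-Type"] = "application/x-www-form-urlencoded" },
    body    = "token=<access-token>",
})

-- Present and configured: copied from the client request.
assert(req.headers["X-Addon-Header-A"] == "Value-A")
-- Configured but absent from the client request: not added.
assert(req.headers["X-Addon-Header-B"] == nil)
-- Reserved: the client's bearer token is not relayed as an addon header.
assert(req.headers["Authorization"] == nil)
-- The request's own headers are left in place.
assert(req.headers["Content-Type"] == "application/x-www-form-urlencoded")

for name, value in pairs(req.headers) do
    print(name .. ": " .. value)
end
```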





Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-08 Thread via GitHub


shreemaan-abhishek commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1556901813


##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": 
["X-Addon-Header-A", "X-Addon-Header-B"]
+}
+},
+"upstream": {
+"nodes": {
+"127.0.0.1:1980": 1
+},
+"type": "roundrobin"
+},
+"uri": "/hello"
+}]]
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.say(body)
+}
+}
+--- response_body
+passed
+
+
+
+=== TEST 5: Obtain valid token and access route with it, introspection work as 
expected when configured extras headers.
+--- config
+location /t {
+content_by_lua_block {
+-- Obtain valid access token from Keycloak using known username 
and password.
+local json_decode = require("toolkit.json").decode
+local http = require "resty.http"
+local httpc = http.new()
+local uri = 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token";
+local res, err = httpc:request_uri(uri, {
+method = "POST",
+body = 
"grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teac...@gmail.com&password=123456",
+headers = {
+["Content-Type"] = "application/x-www-form-urlencoded"
+}
+})
+
+-- Check response from keycloak and fail quickly if there's no 
response.
+if not res then
+ngx.say(err)
+return
+end
+
+-- Check if response code was ok.
+if res.status == 200 then
+-- Get access token from JSON response body.
+local body = json_decode(res.body)
+local accessToken = body["access_token"]
+
+-- Access route using access token. Should work.
+uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+local res, err = httpc:request_uri(uri, {
+method = "GET",
+headers = {
+["Authorization"] = "Bearer " .. body["access_token"],
+["X-Addon-Header-A"] = "Value-A",
+["X-Addon-Header-B"] = "Value-b"
+}
+ })
+
+if res.status == 200 then
+-- Route accessed successfully.
+ngx.say(true)
+else
+-- Couldn't access route.
+ngx.say(false)
+end
+else
+-- Response from Keycloak not ok.
+ngx.say(false)
+end
+}
+}
+--- response_body
+true
+--- grep_error_log eval
+qr/token validate successfully by \w+/
+--- grep_error_log_out
+token validate successfully by introspection
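
Review bot: TEST 5's assertions (a `response_body` of `true` plus the `token validate successfully by introspection` log line) would pass just the same if `X-Addon-Header-A` and `X-Addon-Header-B` never reached the introspection request, because nothing in the lines shown checks what the introspection endpoint received. To cover the new option, point `introspection_endpoint` at a local mock location that logs or echoes the headers it receives, and assert on those values.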

Review Comment:
   I think we can check this just like so:
   
   ```perl
   --- error_log
   token validate successfully by introspection
   ```



##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+co

Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-08 Thread via GitHub


shreemaan-abhishek commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1556900781


##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": 
["X-Addon-Header-A", "X-Addon-Header-B"]
+}
+},
+"upstream": {
+"nodes": {
+"127.0.0.1:1980": 1
+},
+"type": "roundrobin"
+},
+"uri": "/hello"
+}]]
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.say(body)
+}
+}
+--- response_body
+passed
+
+
+
+=== TEST 5: Obtain valid token and access route with it, introspection work as 
expected when configured extras headers.
+--- config
+location /t {
+content_by_lua_block {
+-- Obtain valid access token from Keycloak using known username 
and password.
+local json_decode = require("toolkit.json").decode
+local http = require "resty.http"
+local httpc = http.new()
+local uri = 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token";
+local res, err = httpc:request_uri(uri, {
+method = "POST",
+body = 
"grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teac...@gmail.com&password=123456",
+headers = {
+["Content-Type"] = "application/x-www-form-urlencoded"
+}
+})
+
+-- Check response from keycloak and fail quickly if there's no 
response.
+if not res then
+ngx.say(err)
+return
+end
+
+-- Check if response code was ok.
+if res.status == 200 then
+-- Get access token from JSON response body.
+local body = json_decode(res.body)
+local accessToken = body["access_token"]
+
+-- Access route using access token. Should work.
+uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+local res, err = httpc:request_uri(uri, {
+method = "GET",
+headers = {
+["Authorization"] = "Bearer " .. body["access_token"],
+["X-Addon-Header-A"] = "Value-A",

Review Comment:
   what happens if we don't pass these headers?






Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-04 Thread via GitHub


shreemaan-abhishek commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1552065094


##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": {
+"X-Addon-Header-A": "VALUE",

Review Comment:
   I think we have a misunderstanding here. I think the feature should be like:
   
   ```lua
   introspection_addon_headers = { header_a, header_b}
   ```
   
   header_a and header_b will be picked from the client request.






Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-01 Thread via GitHub


yuweizzz commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1547192259


##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": {
+"X-Addon-Header-A": "VALUE",

Review Comment:
   I think it's hard to decide which headers should be sent, maybe we should 
just keep it open here and leave it to user customization?






Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-01 Thread via GitHub


shreemaan-abhishek commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1547162637


##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": {
+"X-Addon-Header-A": "VALUE",

Review Comment:
   no, the plugin configuration should only specify which headers should be 
sent. APISIX should extract those headers from the request and then add them to 
the introspection request.






Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-01 Thread via GitHub


yuweizzz commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1547062299


##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": {
+"X-Addon-Header-A": "VALUE",

Review Comment:
   do you mean change the headers from the original request?






Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-04-01 Thread via GitHub


shreemaan-abhishek commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1546345257


##
apisix/plugins/openid-connect.lua:
##
@@ -386,7 +400,20 @@ local function introspect(ctx, conf)
 else
 -- Validate token against introspection endpoint.
 -- TODO: Same as above for public key validation.
+if conf.introspection_addon_headers then
+-- http_request_decorator option provides by lua-resty-openidc
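
Review bot: `if conf.introspection_addon_headers then` is also true for an empty table in Lua, so an empty configuration still takes this branch. Either test for a non-empty table here or have the schema require at least one entry. The comment on the next line names the `http_request_decorator` option but not what the decorator does to the request; one more line saying which headers it sets would help the next reader.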

Review Comment:
   ```suggestion
   -- http_request_decorator option provided by lua-resty-openidc
   ```



##
t/plugin/openid-connect6.t:
##
@@ -155,3 +155,213 @@ passed
 }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"client_id": "course_management",
+"client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"redirect_uri": "http://localhost:3000";,
+"ssl_verify": false,
+"timeout": 10,
+"bearer_only": true,
+"realm": "University",
+"introspection_endpoint_auth_method": 
"client_secret_post",
+"introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"introspection_addon_headers": {
+"X-Addon-Header-A": "VALUE",

Review Comment:
   hardcoding values in configuration doesn't make sense, I think the 
configuration should just specify header fields which would be extracted from 
the original request.






Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-03-31 Thread via GitHub


yuweizzz commented on PR #11090:
URL: https://github.com/apache/apisix/pull/11090#issuecomment-2029037053

   done.





Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-03-29 Thread via GitHub


shreemaan-abhishek commented on PR #11090:
URL: https://github.com/apache/apisix/pull/11090#issuecomment-2027096080

   @yuweizzz please fix the linter





Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-03-27 Thread via GitHub


yuweizzz commented on PR #11090:
URL: https://github.com/apache/apisix/pull/11090#issuecomment-2024344528

   This PR allows providing extra HTTP headers when talking to the OpenID Connect 
introspection endpoint. Other API gateways have this feature already, like 
traefik, and some OAuth libs have this feature too, like oauthlib. This may be 
helpful when the introspection endpoint is proxied.





Re: [PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-03-27 Thread via GitHub


shreemaan-abhishek commented on PR #11090:
URL: https://github.com/apache/apisix/pull/11090#issuecomment-2024248000

   could you please explain about the use cases where this feature would be 
helpful in the linked issue thread?





[PR] feat(openid-connect): allow set headers in introspection request [apisix]

2024-03-25 Thread via GitHub


yuweizzz opened a new pull request, #11090:
URL: https://github.com/apache/apisix/pull/11090

   ### Description
   
   Fixes #10601 
   
   Allow setting headers in the introspection request.
   
   ### Checklist
   
   - [ ] I have explained the need for this PR and the problem it solves
   - [ ] I have explained the changes or the new features added to this PR
   - [ ] I have added tests corresponding to this change
   - [ ] I have updated the documentation to reflect this change
   - [ ] I have verified that this change is backward compatible (If not, 
please discuss on the [APISIX mailing 
list](https://github.com/apache/apisix/tree/master#community) first)
   
   
   

