[GitHub] [james-project] Arsnael commented on a diff in pull request #1565: JAMES-3907 OIDC example with Apache APISIX

Thu, 18 May 2023 19:55:38 -0700 


Arsnael commented on code in PR #1565:
URL: https://github.com/apache/james-project/pull/1565#discussion_r1198494023


##########
examples/oidc/apisix-lemonldap-ldap/apisix/conf/apisix.yaml:
##########
@@ -0,0 +1,236 @@
+routes:
+  #  OIDC authentication endpoints
+  -
+    id: jmap
+    uri: /oidc/jmap
+    service_id: jmap_service_oidc
+    methods:
+      - POST
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /jmap
+  -
+    id: jmap_websocket
+    uri: /oidc/jmap/ws
+    service_id: jmap_service_oidc
+    enable_websocket: true
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /jmap/ws
+  -
+    id: jmap_session_oidc
+    uri: /oidc/jmap/session
+    service_id: jmap_service_oidc
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /jmap/session
+  -
+    id: download
+    uri: /oidc/download/*
+    service_id: jmap_service_oidc
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        regex_uri:
+          - "^/oidc/download/(.*)/(.*)"
+          - "/download/$1/$2"
+  -
+    id: upload
+    uri: /oidc/upload/*
+    service_id: jmap_service_oidc
+    methods:
+      - POST
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        regex_uri:
+          - "^/oidc/upload/(.*)"
+          - "/upload/$1"
+  -
+    id: web_known_finger
+    uris:
+      - /oidc/.well-known/webfinger
+      - /.well-known/webfinger
+    service_id: jmap_service_basic_auth
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /.well-known/webfinger
+  -
+    id: web_known_linagora_ecosystem
+    uri: /oidc/.well-known/linagora-ecosystem
+    service_id: jmap_service_oidc
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /.well-known/linagora-ecosystem
+  -
+    id: web_known_jmap
+    uri: /oidc/.well-known/jmap
+    service_id: jmap_service_oidc
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /.well-known/jmap
+      response-rewrite:
+        _meta:
+          filter:
+            - - request_method
+              - "~="
+              - OPTIONS
+        headers:
+          set:
+            Location: "/oidc/jmap/session"
+
+  #  Basic authentication endpoints
+  - id: jmap_session_basic_auth

Review Comment:
   I disagree with this though... I think it's good to have oidc and basic auth 
endpoints in the demo, so that people have an example with both. Basic auth 
might be enough for a lot of cases actually



##########
examples/oidc/apisix-lemonldap-ldap/docker-compose.yml:
##########
@@ -0,0 +1,103 @@
+version: "3"
+
+services:
+  apisix:
+    container_name: apisix.example.com
+    image: linagora/apisix:3.2.0-debian-javaplugin
+    volumes:
+      - ./apisix/conf/apisix.yaml:/usr/local/apisix/conf/apisix.yaml
+      - ./apisix/conf/config.yaml:/usr/local/apisix/conf/config.yaml
+    networks:
+      - james
+    ports:
+      - "9080:9080/tcp"
+
+  james:
+    depends_on:
+      - ldap
+    networks:
+      - james
+    image: apache/james:memory-latest
+    container_name: james
+    hostname: james.local
+    command:
+      - --generate-keystore
+    volumes:
+      - ./james/usersrepository.xml:/root/conf/usersrepository.xml
+      - ./james/jmap.properties:/root/conf/jmap.properties
+    ports:
+      - "8000:8000"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://james:8000/domains";]
+
+  llngdb:
+    image: yadd/lemonldap-ng-pg-database
+    container_name: llngdb
+    environment:
+      - POSTGRES_PASSWORD=zz
+    healthcheck:
+      test: "exit 0"
+    volumes:
+      - "./lemonldap/lmConf-1.json:/llng-conf/conf.json"
+    networks:
+      - james
+
+  sso.example.com:
+    image: yadd/lemonldap-ng-full

Review Comment:
   The RPC handler plugin was a krakend limitation... The bloom filter where 
the tokens were stored on krakend was only accessible with gRPC, thus why we 
needed to write a sidecar container taking in the http request and doing the 
gRPC call to krakend. 
   
   With Apisix no need of that



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org
For additional commands, e-mail: notifications-h...@james.apache.org

Reply via email to