Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
Revolyssup merged PR #12405: URL: https://github.com/apache/apisix/pull/12405 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
Revolyssup commented on PR #12405: URL: https://github.com/apache/apisix/pull/12405#issuecomment-3068031936 > Your checklist mentions that it is not compatible? Can you reconfirm this? Oh this is compatible. Missed the last check
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
Revolyssup commented on code in PR #12405: URL: https://github.com/apache/apisix/pull/12405#discussion_r2203851322 ## apisix/plugins/forward-auth.lua: ## @@ -102,6 +119,21 @@ function _M.access(conf, ctx) auth_headers["Content-Encoding"] = core.request.header(ctx, "content-encoding") end +if conf.extra_headers then +for header, value in pairs(conf.extra_headers) do +if type(value) == "number" then +value = tostring(value) +end +local resolve_value, err, n_resolved = core.utils.resolve_var(value, ctx.var) +if not err and n_resolved > 0 then +auth_headers[header] = resolve_value +end Review Comment: I have modified to only skip in case of error. When the value is not of type variable(doesn't contain $), it will still be added to auth headers. Added one more test case to confirm it.
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
Revolyssup commented on code in PR #12405: URL: https://github.com/apache/apisix/pull/12405#discussion_r2203845542 ## apisix/plugins/forward-auth.lua: ## @@ -102,6 +119,21 @@ function _M.access(conf, ctx) auth_headers["Content-Encoding"] = core.request.header(ctx, "content-encoding") end +if conf.extra_headers then +for header, value in pairs(conf.extra_headers) do +if type(value) == "number" then +value = tostring(value) +end +local resolve_value, err, n_resolved = core.utils.resolve_var(value, ctx.var) +if not err and n_resolved > 0 then +auth_headers[header] = resolve_value +end Review Comment: When the value doesn't have $, the err will be nil and it will still be added to auth_headers. This error and skip happens when value has $(is some variable) but couldn't be resolved. In that case, there is no point in adding it to auth headers as the value is obviously not the intended value to be added.
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
Revolyssup commented on code in PR #12405: URL: https://github.com/apache/apisix/pull/12405#discussion_r2203851322 ## apisix/plugins/forward-auth.lua: ## @@ -102,6 +119,21 @@ function _M.access(conf, ctx) auth_headers["Content-Encoding"] = core.request.header(ctx, "content-encoding") end +if conf.extra_headers then +for header, value in pairs(conf.extra_headers) do +if type(value) == "number" then +value = tostring(value) +end +local resolve_value, err, n_resolved = core.utils.resolve_var(value, ctx.var) +if not err and n_resolved > 0 then +auth_headers[header] = resolve_value +end Review Comment: I have modified to only skip in case of error. When the value is not of type variable(doesn't contain $), it will still be added to auth headers.
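A Python model of the resolution policy the two comments above describe, added here as an illustration; it is not the plugin's Lua code. Its `resolve_var` is an assumed stand-in for `core.utils.resolve_var` that only mirrors the behaviour stated in the thread (a literal without `$` resolves with no error and `n_resolved == 0`; a `$name` that `ctx.var` cannot supply is an error), and the variable syntax it accepts, the `require_resolved` switch and the sample config and request variables are constructed for the demonstration:

```python
"""Model of the forward-auth extra_headers resolution policy.

Added example, not code from the APISIX project. resolve_var() is an
assumed stand-in for core.utils.resolve_var: it mirrors the (resolved,
err, n_resolved) return shape and assumes that a '$name' token whose
name is absent from ctx.var is an error. The accepted variable syntax
(names with dots, optional braces) is an assumption for this demo.
"""
import re

# Assumed syntax: $name or ${name}, where name may contain dots
# (for example $post_arg.tenant_id).
VAR_RE = re.compile(r"\$\{([\w.]+)\}|\$([\w.]+)")


def resolve_var(tpl, ctx_var):
    """Substitute variables in tpl from the ctx_var mapping.

    Returns (resolved, err, n_resolved): err is None on success and
    n_resolved counts substitutions, so a literal without '$' comes back
    as (tpl, None, 0), exactly the case discussed in the review.
    """
    n_resolved = 0
    err = None

    def repl(match):
        nonlocal n_resolved, err
        name = match.group(1) or match.group(2)
        if name not in ctx_var:
            err = err or "unknown variable $" + name
            return match.group(0)  # leave the template text untouched
        n_resolved += 1
        return str(ctx_var[name])

    resolved = VAR_RE.sub(repl, tpl)
    return resolved, err, n_resolved


def build_auth_headers(extra_headers, ctx_var, require_resolved=False):
    """Turn the extra_headers config into headers for the auth request.

    require_resolved=True reproduces the original guard
    (`not err and n_resolved > 0`), which silently drops literal values.
    The default reproduces the revised policy: skip only on error and
    record which header and value failed, leaving the auth service to
    decide what a missing header means.
    """
    auth_headers = {}
    error_log = []
    for header, value in extra_headers.items():
        if isinstance(value, (int, float)):
            value = str(value)  # mirrors tostring(value) for number values
        resolved, err, n_resolved = resolve_var(value, ctx_var)
        if err:
            error_log.append(
                "failed to resolve variable in extra header '%s' (value '%s'): %s"
                % (header, value, err)
            )
            continue
        if require_resolved and n_resolved == 0:
            continue  # original behaviour: a literal is never forwarded
        auth_headers[header] = resolved
    return auth_headers, error_log


# Constructed request variables standing in for ctx.var.
SAMPLE_CTX_VAR = {"post_arg.tenant_id": "123", "remote_addr": "10.0.0.5"}

# Constructed plugin config: a body-derived value, a literal number,
# a literal string, and a variable the request does not carry.
SAMPLE_EXTRA_HEADERS = {
    "tenant_id": "$post_arg.tenant_id",
    "id": 10,
    "x-source": "gateway",
    "role": "$post_arg.role",
}

if __name__ == "__main__":
    headers, log = build_auth_headers(SAMPLE_EXTRA_HEADERS, SAMPLE_CTX_VAR)
    print(headers)  # {'tenant_id': '123', 'id': '10', 'x-source': 'gateway'}
    print(log[0])
    old, _ = build_auth_headers(SAMPLE_EXTRA_HEADERS, SAMPLE_CTX_VAR,
                                require_resolved=True)
    print(old)  # {'tenant_id': '123'}
```

Running the two policies over the same config shows the difference that prompted the change: with the original guard the literal `id` and `x-source` headers never reach the auth service, while under the revised policy only the header whose variable could not be resolved is dropped, and the log entry names both the header and the template value so an operator can see which configuration entry failed.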
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
Revolyssup commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2203851628
##
apisix/plugins/forward-auth.lua:
##
@@ -102,6 +119,21 @@ function _M.access(conf, ctx)
auth_headers["Content-Encoding"] = core.request.header(ctx,
"content-encoding")
end
+if conf.extra_headers then
+for header, value in pairs(conf.extra_headers) do
+if type(value) == "number" then
+value = tostring(value)
+end
+local resolve_value, err, n_resolved =
core.utils.resolve_var(value, ctx.var)
+if not err and n_resolved > 0 then
+auth_headers[header] = resolve_value
+end
+if err then
+core.log.error("failed to resolve variable in extra header '",
header, "': ", err)
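Review bot: The guard `if not err and n_resolved > 0 then` drops any `extra_headers` value that contains no `$` variable, so a literal such as `"extra_headers": {"id": "10"}` is never forwarded; set the header whenever `err` is nil and reserve the skip for the error branch. The separate `if err then` block that follows only logs and continues, so the auth service is called without that header and has to cope with its absence; pass the unresolved `value` to the `core.log.error` call as well as `header`, otherwise an operator cannot tell which template failed. Since the substituted values are read from the client request through `ctx.var`, the auth service should treat them as untrusted input rather than as facts asserted by the gateway.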
Review Comment:
added
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
membphis commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2203702006
##
apisix/plugins/forward-auth.lua:
##
@@ -102,6 +119,21 @@ function _M.access(conf, ctx)
auth_headers["Content-Encoding"] = core.request.header(ctx,
"content-encoding")
end
+if conf.extra_headers then
+for header, value in pairs(conf.extra_headers) do
+if type(value) == "number" then
+value = tostring(value)
+end
+local resolve_value, err, n_resolved =
core.utils.resolve_var(value, ctx.var)
+if not err and n_resolved > 0 then
+auth_headers[header] = resolve_value
+end
+if err then
+core.log.error("failed to resolve variable in extra header '",
header, "': ", err)
Review Comment:
another question: I think we should print the `value`, it is important
information for the user
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
bzp2010 commented on code in PR #12405: URL: https://github.com/apache/apisix/pull/12405#discussion_r2199932470 ## apisix/plugins/forward-auth.lua: ## @@ -102,6 +119,21 @@ function _M.access(conf, ctx) auth_headers["Content-Encoding"] = core.request.header(ctx, "content-encoding") end +if conf.extra_headers then +for header, value in pairs(conf.extra_headers) do +if type(value) == "number" then +value = tostring(value) +end +local resolve_value, err, n_resolved = core.utils.resolve_var(value, ctx.var) +if not err and n_resolved > 0 then +auth_headers[header] = resolve_value +end Review Comment: This basically says that the value itself is only rewritten when the variable substitution succeeds, which may not be necessary?
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
kayx23 commented on PR #12405: URL: https://github.com/apache/apisix/pull/12405#issuecomment-3060737633 No additional comments for docs.
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
nic-6443 commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2196676670
##
apisix/plugins/forward-auth.lua:
##
@@ -102,6 +119,21 @@ function _M.access(conf, ctx)
auth_headers["Content-Encoding"] = core.request.header(ctx,
"content-encoding")
end
+if conf.extra_headers then
+for header, value in pairs(conf.extra_headers) do
+if type(value) == "number" then
+value = tostring(value)
+end
+local resolve_value, err, n_resolved =
core.utils.resolve_var(value, ctx.var)
+if not err and n_resolved > 0 then
+auth_headers[header] = resolve_value
+end
+if err then
+core.log.error("failed to resolve variable in extra header '",
header, "': ", err)
Review Comment:
I think the risk is relatively high. What if the header to be passed has a
default value in the auth server? I think we should let the auth server itself
decide how to handle missing headers, rather than rejecting the client request
outright.
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
membphis commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2196341500
##
apisix/plugins/forward-auth.lua:
##
@@ -102,6 +119,21 @@ function _M.access(conf, ctx)
auth_headers["Content-Encoding"] = core.request.header(ctx,
"content-encoding")
end
+if conf.extra_headers then
+for header, value in pairs(conf.extra_headers) do
+if type(value) == "number" then
+value = tostring(value)
+end
+local resolve_value, err, n_resolved =
core.utils.resolve_var(value, ctx.var)
+if not err and n_resolved > 0 then
+auth_headers[header] = resolve_value
+end
+if err then
+core.log.error("failed to resolve variable in extra header '",
header, "': ", err)
Review Comment:
I think this should return `401`: failed to auth
what do you think? @bzp2010 @nic-6443
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
kayx23 commented on code in PR #12405: URL: https://github.com/apache/apisix/pull/12405#discussion_r2193817055 ## docs/en/latest/plugins/forward-auth.md: ## @@ -166,6 +167,110 @@ HTTP/1.1 403 Forbidden Location: http://example.com/auth ``` +### Using data from POST body to make decision on Authorization service + +::: note +When the decision is to be made on the basis of POST body, then it is recommended to use `$post_arg.xyz` with `extra_headers` field and make the decision on Authorization service on basis of headers rather than using POST `request_method` to pass the entire request body to Authorization service. Review Comment: ```suggestion When the decision is to be made on the basis of POST body, then it is recommended to use `$post_arg.*` with `extra_headers` field and make the decision on Authorization service on basis of headers rather than using POST `request_method` to pass the entire request body to Authorization service. ``` ## docs/zh/latest/plugins/forward-auth.md: ## @@ -168,6 +169,110 @@ HTTP/1.1 403 Forbidden Location: http://example.com/auth ``` +### Using data from POST body to make decision on Authorization service + +::: note +当要根据 POST 正文做出决定时,建议使用带有 extra_headers 字段的 $post_arg.xyz 并根据标头对授权服务做出决定,而不是使用 POST `request_method` 将整个请求正文传递给授权服务。 +::: + +在“/auth”路由上创建一个无服务器函数,用于检查“tenant_id”标头是否存在。如果存在,路由会使用 HTTP 200 进行响应,并将“X-User-ID”标头设置为固定值“i-am-an-user”。如果缺少“tenant_id”,则会返回 HTTP 400 和错误消息。 Review Comment: ```suggestion 在 `/auth` 路由上创建一个无服务器函数,用于检查 `tenant_id` 标头是否存在。如果存在,路由会使用 HTTP 200 进行响应,并将 `X-User-ID` 标头设置为固定值 `i-am-an-user`。如果缺少 `tenant_id`,则会返回 HTTP 400 和错误消息。 ``` ## docs/zh/latest/plugins/forward-auth.md: ## 
@@ -168,6 +169,110 @@ HTTP/1.1 403 Forbidden Location: http://example.com/auth ``` +### Using data from POST body to make decision on Authorization service + +::: note +当要根据 POST 正文做出决定时,建议使用带有 extra_headers 字段的 $post_arg.xyz 并根据标头对授权服务做出决定,而不是使用 POST `request_method` 将整个请求正文传递给授权服务。 Review Comment: ```suggestion 当要根据 POST 正文做出决定时,建议使用带有 `extra_headers` 字段的 `$post_arg.*` 并根据标头对授权服务做出决定,而不是使用 POST `request_method` 将整个请求正文传递给授权服务。 ```
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
nic-6443 commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2193696095
##
apisix/plugins/forward-auth.lua:
##
@@ -41,6 +44,21 @@ local schema = {
items = {type = "string"},
description = "client request header that will be sent to the
authorization service"
},
+extra_headers = {
+type = "object",
+minProperties = 1,
+patternProperties = {
+["^[^:]+$"] = {
+oneOf = {
+{ type = "string" },
+{ type = "number" },
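Review bot: The key pattern `^[^:]+$` only rules out a colon, so header names containing spaces or control characters pass schema validation and are only rejected, if at all, when the request is built; a pattern restricted to the RFC 9110 token characters (letters, digits and `!#$%&'*+-.^_|~`) matches what HTTP allows in a field name and fails fast at configuration time. The `oneOf` of `{ type = "string" }` and `{ type = "number" }` is valid JSON Schema, but since `access` converts numbers with `tostring(value)` before sending, the docs should say that `10` and `"10"` are equivalent, which answers the question raised here.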
Review Comment:
we can configure it as `"extra_headers": {"id": "10"}`, I don't think number
is necessary to support, and in strongly-typed programming languages' HTTP
implementations, the value of headers is defined based on the string type.
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
nic-6443 commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2193696095
##
apisix/plugins/forward-auth.lua:
##
@@ -41,6 +44,21 @@ local schema = {
items = {type = "string"},
description = "client request header that will be sent to the
authorization service"
},
+extra_headers = {
+type = "object",
+minProperties = 1,
+patternProperties = {
+["^[^:]+$"] = {
+oneOf = {
+{ type = "string" },
+{ type = "number" },
Review Comment:
we can configure it as `"extra_headers": {"id": "10"}`, I don't think number
is necessary to support.
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
kayx23 commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2191763573
##
docs/zh/latest/plugins/forward-auth.md:
##
@@ -168,6 +169,110 @@ HTTP/1.1 403 Forbidden
Location: http://example.com/auth
```
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is
recommended to use `$post_arg.xyz` with `extra_headers` field and make the
decision on Authorization service on basis of headers rather than using POST
`request_method` to pass the entire request body to Authorization service.
+:::
+
+Create a serverless function on the `/auth` route that checks for the presence
of the `tenant_id` header. If present, the route responds with HTTP 200 and
sets the `X-User-ID` header to a fixed value `i-am-an-user`. If `tenant_id` is
missing, it returns HTTP 400 with an error message.
Review Comment:
Untranslated English content in Chinese doc
##
docs/zh/latest/plugins/forward-auth.md:
##
@@ -168,6 +169,110 @@ HTTP/1.1 403 Forbidden
Location: http://example.com/auth
```
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is
recommended to use `$post_arg.xyz` with `extra_headers` field and make the
decision on Authorization service on basis of headers rather than using POST
`request_method` to pass the entire request body to Authorization service.
+:::
+
+Create a serverless function on the `/auth` route that checks for the presence
of the `tenant_id` header. If present, the route responds with HTTP 200 and
sets the `X-User-ID` header to a fixed value `i-am-an-user`. If `tenant_id` is
missing, it returns HTTP 400 with an error message.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \
+-H "X-API-KEY: $admin_key" \
+-H 'Content-Type: application/json' \
+-d '{
+"uri": "/auth",
+"plugins": {
+"serverless-pre-function": {
+"phase": "rewrite",
+"functions": [
+"return function(conf, ctx)
+ local core = require(\"apisix.core\")
+ if core.request.header(ctx, \"tenant_id\") then
+ core.response.set_header(\"X-User-ID\", \"i-am-an-user\");
+ core.response.exit(200);
+else
+core.response.exit(400, \"tenant_id is required\")
+end
+end"
+]
+}
+}
+}'
+```
+
+创建一个接受 POST 请求的路由,并使用 `forward-auth` 插件通过请求中的 `tenant_id` 调用身份验证端点。只有当身份验证检查返回
200 时,请求才会转发到上游服务。
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/1' \
+-H "X-API-KEY: $admin_key" \
+-d '{
+"uri": "/post",
+"methods": ["POST"],
+"plugins": {
+"forward-auth": {
+"uri": "http://127.0.0.1:9080/auth";,
+"request_method": "GET",
+"extra_headers": {"tenant_id": "$post_arg.tenant_id"}
+}
+},
+"upstream": {
+"nodes": {
+"httpbin.org:80": 1
+},
+"type": "roundrobin"
+}
+}'
+```
+
+发送带有 `tenant_id` 标头的 POST 请求:
+
+```shell
+curl -i http://127.0.0.1:9080/post -X POST -d '{
+ "tenant_id": 123
+}'
+```
+
+您应该收到类似以下内容的“HTTP/1.1 200 OK”响应:
+
+```json
+{
+ "args": {},
+ "data": "",
+ "files": {},
+ "form": {
+"{\n \"tenant_id\": 123\n}": ""
+ },
+ "headers": {
+"Accept": "*/*",
+"Content-Length": "23",
+"Content-Type": "application/x-www-form-urlencoded",
+"Host": "127.0.0.1",
+"User-Agent": "curl/8.13.0",
+"X-Amzn-Trace-Id": "Root=1-686b6e3f-2fdeff70183e71551f5c5729",
+"X-Forwarded-Host": "127.0.0.1"
+ },
+ "json": null,
+ "origin": "127.0.0.1, 106.215.83.33",
+ "url": "http://127.0.0.1/post";
+}
+```
+
+发送不带“tenant_id”标头的 POST 请求:
Review Comment:
```suggestion
发送不带 `tenant_id` 标头的 POST 请求:
```
##
docs/zh/latest/plugins/forward-auth.md:
##
@@ -168,6 +169,110 @@ HTTP/1.1 403 Forbidden
Location: http://example.com/auth
```
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is
recommended to use `$post_arg.xyz` with `extra_headers` field and make the
decision on Authorization service on basis of headers rather than using POST
`request_method` to pass the entire request body to Authorization service.
+:::
+
+Create a serverless function on the `/auth` route that checks for the presence
of the `tenant_id` header. If present, the route responds with HTTP 200 and
sets the `X-User-ID` header to a fixed value `i-am-an-user`. If `tenant_id` is
missing, it returns HTTP 400 with an error message.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \
+-H "X-API-KEY: $admin_key" \
+-H 'Content-Type: application/jso
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
kayx23 commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2191503048
##
docs/en/latest/plugins/forward-auth.md:
##
@@ -166,6 +167,128 @@ HTTP/1.1 403 Forbidden
Location: http://example.com/auth
```
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is
recommended to use `$post_arg.xyz` with `extra_headers` field and make the
decision on Authorization service on basis of headers rather than using POST
`request_method` to pass the entire request body to Authorization service.
+:::
+
+Create a serverless function on the `/auth` route that checks for the presence
of the `tenant_id` header. If present, the route responds with HTTP 200 and
sets the `X-User-ID` header to a fixed value `i-am-an-user`. If `tenant_id` is
missing, it returns HTTP 400 with an error message.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \
+-H "X-API-KEY: $admin_key" \
+-H 'Content-Type: application/json' \
+-d '{
+"uri": "/auth",
+"plugins": {
+"serverless-pre-function": {
+"phase": "rewrite",
+"functions": [
+"return function(conf, ctx)
+ local core = require(\"apisix.core\")
+ if core.request.header(ctx, \"tenant_id\") then
+ core.response.set_header(\"X-User-ID\", \"i-am-an-user\");
+ core.response.exit(200);
+else
+core.response.exit(400, \"tenant_id is required\")
+end
+end"
+]
+}
+}
+}'
+```
+
+Create a route that accepts POST requests and uses the `forward-auth` plugin
to call the auth endpoint with the `tenant_id` from the request. The request is
forwarded to the upstream service only if the auth check returns 200.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/1' \
+-H "X-API-KEY: $admin_key" \
+-d '{
+"uri": "/post",
+"methods": ["POST"],
+"plugins": {
+"forward-auth": {
+"uri": "http://127.0.0.1:9080/auth";,
+"request_method": "GET",
+"extra_headers": {"tenant_id": "$post_arg.tenant_id"}
+}
+},
+"upstream": {
+"nodes": {
+"httpbin.org:80": 1
+},
+"type": "roundrobin"
+}
+}'
+```
+
+Send a POST request with the `tenant_id` header:
+
+```shell
+curl -i http://127.0.0.1:9080/post -X POST -d '{
+ "tenant_id": 123
+}'
+```
+
+You should receive an `HTTP/1.1 200 OK` response similar to the following:
+
+```shell
+HTTP/1.1 200 OK
+Content-Type: application/json
+Content-Length: 491
+Connection: keep-alive
+Date: Mon, 07 Jul 2025 06:50:39 GMT
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+Server: APISIX/3.13.0
+```
+
+```json
+{
+ "args": {},
+ "data": "",
+ "files": {},
+ "form": {
+"{\n \"tenant_id\": 123\n}": ""
+ },
+ "headers": {
+"Accept": "*/*",
+"Content-Length": "23",
+"Content-Type": "application/x-www-form-urlencoded",
+"Host": "127.0.0.1",
+"User-Agent": "curl/8.13.0",
+"X-Amzn-Trace-Id": "Root=1-686b6e3f-2fdeff70183e71551f5c5729",
+"X-Forwarded-Host": "127.0.0.1"
+ },
+ "json": null,
+ "origin": "127.0.0.1, 106.215.83.33",
+ "url": "http://127.0.0.1/post";
+}
+```
+
+Send a POST request without the `tenant_id` header:
+
+```shell
+ curl -i http://127.0.0.1:9080/post -X POST -d '{
+ "abc": 123
+}'
+```
+
+You should receive an HTTP/1.1 400 Bad Request response with the following
message:
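Review bot: The step `Send a POST request with the `tenant_id` header:` describes the wrong place: in this example `tenant_id` travels in the POST body and `extra_headers` turns it into a header for the `/auth` call only, so say `in the request body`. The echoed response also shows `Content-Type: application/x-www-form-urlencoded` and the whole JSON string as a key under `form`, which means the body was not read as JSON; either send `-d 'tenant_id=123'` or add `-H 'Content-Type: application/json'`, whichever encoding `$post_arg` is documented to support, so that readers can see why the variable resolved. The PUT for route `1` is also missing the `-H 'Content-Type: application/json'` that the `auth` route PUT carries.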
Review Comment:
```suggestion
You should receive an `HTTP/1.1 400 Bad Request` response with the following
message:
```
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
kayx23 commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2191502434
##
docs/en/latest/plugins/forward-auth.md:
##
@@ -166,6 +167,122 @@ HTTP/1.1 403 Forbidden
Location: http://example.com/auth
```
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is
recommended to use `$post_arg.xyz` with `extra_headers` field and make the
decision on Authorization service on basis of headers rather than using POST
`request_method` to pass the entire request body to Authorization service.
+:::
+
+Setup Auth service to extract `tenant_id` from header.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \
+-H "X-API-KEY: $admin_key" \
+-H 'Content-Type: application/json' \
+-d '{
+"uri": "/auth",
+"plugins": {
+"serverless-pre-function": {
+"phase": "rewrite",
+"functions": [
+"return function(conf, ctx)
+ local core = require(\"apisix.core\")
+ if core.request.header(ctx, \"tenant_id\") then
+ core.response.set_header(\"X-User-ID\", \"i-am-an-user\");
+ core.response.exit(200);
+else
+core.response.exit(400, \"tenant_id is required\")
+end
+end"
+]
+}
+}
+}'
+```
+
+Setup route to extract `tenant_id` from body and pass in the header.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/1' \
+-H "X-API-KEY: $admin_key" \
+-d '{
+"uri": "/post",
+"methods": ["POST"],
+"plugins": {
+"forward-auth": {
+"uri": "http://127.0.0.1:9080/auth";,
+"request_method": "GET",
+"extra_headers": {"tenant_id": "$post_arg.tenant_id"}
+}
+},
+"upstream": {
+"nodes": {
+"httpbin.org:80": 1
+},
+"type": "roundrobin"
+}
+}'
+```
+
+Now if we send the request:
+
+```shell
+curl -i http://127.0.0.1:9080/post -X POST -d '{
+ "tenant_id": 123
+}'
+```
+
+```shell
+HTTP/1.1 200 OK
+Content-Type: application/json
+Content-Length: 491
+Connection: keep-alive
+Date: Mon, 07 Jul 2025 06:50:39 GMT
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+Server: APISIX/3.13.0
Review Comment:
Here I mean remove the response headers entirely... any use to keep them?
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
Revolyssup commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2191447922
##
apisix/plugins/forward-auth.lua:
##
@@ -41,6 +44,21 @@ local schema = {
items = {type = "string"},
description = "client request header that will be sent to the
authorization service"
},
+extra_headers = {
+type = "object",
+minProperties = 1,
+patternProperties = {
+["^[^:]+$"] = {
+oneOf = {
+{ type = "string" },
+{ type = "number" },
Review Comment:
The proxy-rewrite plugin's `headers` field also uses this schema. `"extra_headers":
{"id": 10}` can also be supported
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
nic-6443 commented on code in PR #12405: URL: https://github.com/apache/apisix/pull/12405#discussion_r2191396099 ## apisix/plugins/forward-auth.lua: ## @@ -102,6 +120,18 @@ function _M.access(conf, ctx) auth_headers["Content-Encoding"] = core.request.header(ctx, "content-encoding") end +if conf.extra_headers then +for header, value in pairs(conf.extra_headers) do +if type(value) == "number" then +value = tostring(value) +end +local resolve_value, err, n_resolved = core.utils.resolve_var(value, ctx.var) +if not err and n_resolved > 0 then +auth_headers[header] = resolve_value +end Review Comment: print a error log for `err`
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
nic-6443 commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2191395506
##
apisix/plugins/forward-auth.lua:
##
@@ -41,6 +44,21 @@ local schema = {
items = {type = "string"},
description = "client request header that will be sent to the
authorization service"
},
+extra_headers = {
+type = "object",
+minProperties = 1,
+patternProperties = {
+["^[^:]+$"] = {
+oneOf = {
+{ type = "string" },
+{ type = "number" },
Review Comment:
In what scenarios do we need to use the number type as a value?
Re: [PR] feat: add support for extra_headers in forward-auth plugin [apisix]
kayx23 commented on code in PR #12405:
URL: https://github.com/apache/apisix/pull/12405#discussion_r2189432742
##
docs/en/latest/plugins/forward-auth.md:
##
@@ -166,6 +167,122 @@ HTTP/1.1 403 Forbidden
Location: http://example.com/auth
```
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is
recommended to use `$post_arg.xyz` with `extra_headers` field and make the
decision on Authorization service on basis of headers rather than using POST
`request_method` to pass the entire request body to Authorization service.
+:::
+
+Setup Auth service to extract `tenant_id` from header.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \
+-H "X-API-KEY: $admin_key" \
+-H 'Content-Type: application/json' \
+-d '{
+"uri": "/auth",
+"plugins": {
+"serverless-pre-function": {
+"phase": "rewrite",
+"functions": [
+"return function(conf, ctx)
+ local core = require(\"apisix.core\")
+ if core.request.header(ctx, \"tenant_id\") then
+ core.response.set_header(\"X-User-ID\", \"i-am-an-user\");
+ core.response.exit(200);
+else
+core.response.exit(400, \"tenant_id is required\")
+end
+end"
+]
+}
+}
+}'
+```
+
+Setup route to extract `tenant_id` from body and pass in the header.
Review Comment:
```suggestion
Create a route that accepts POST requests and uses the `forward-auth` plugin
to call the auth endpoint with the `tenant_id` from the request. The request is
forwarded to the upstream service only if the auth check returns 200.
```
##
docs/en/latest/plugins/forward-auth.md:
##
@@ -166,6 +167,122 @@ HTTP/1.1 403 Forbidden
Location: http://example.com/auth
```
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is
recommended to use `$post_arg.xyz` with `extra_headers` field and make the
decision on Authorization service on basis of headers rather than using POST
`request_method` to pass the entire request body to Authorization service.
+:::
+
+Setup Auth service to extract `tenant_id` from header.
Review Comment:
```suggestion
Create a serverless function on the `/auth` route that checks for the
presence of the `tenant_id` header. If present, the route responds with HTTP
200 and sets the `X-User-ID` header to a fixed value `i-am-an-user`. If
`tenant_id` is missing, it returns HTTP 400 with an error message.
```
##
docs/en/latest/plugins/forward-auth.md:
##
@@ -40,8 +40,9 @@ This Plugin moves the authentication and authorization logic
to a dedicated exte
| - | - | | --- | -- |
--
|
| uri | string| True | ||
URI of the authorization service.
|
| ssl_verify| boolean | False| true||
When set to `true`, verifies the SSL certificate.
|
-| request_method| string| False| GET | ["GET","POST"] |
HTTP method for a client to send requests to the authorization service. When
set to `POST` the request body is send to the authorization service. |
+| request_method| string| False| GET | ["GET","POST"] |
HTTP method for a client to send requests to the authorization service. When
set to `POST` the request body is send to the authorization service. (not
recommended. See `extra_headers`) |
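Review bot: Both the removed and the added `request_method` row say the request body `is send` to the authorization service; since the line is being rewritten anyway, change it to `is sent`. The added parenthetical `(not recommended. See `extra_headers`)` states a preference without the reason; a short clause such as `because it forwards the whole client body to the authorization service`, plus a link to the section that shows `extra_headers` with `$post_arg`, would let readers decide for themselves.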
Review Comment:
Redirecting users to `extra_headers` in the attribute table does not explain
clearly why one should consider `extra_headers` instead.
This paragraph is a bit more clear, so perhaps you would want to link to
this section.
https://github.com/user-attachments/assets/63b15260-ecfa-4527-828f-5b6dd41e4762
##
docs/en/latest/plugins/forward-auth.md:
##
@@ -166,6 +167,122 @@ HTTP/1.1 403 Forbidden
Location: http://example.com/auth
```
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is
recommended to use `$post_arg.xyz` with `extra_headers` field and make the
decision on Authorization service on basis of headers rather than using POST
`request_method` to pass the entire request
