Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop merged PR #11824: URL: https://github.com/apache/apisix/pull/11824 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-3088931746
@bzp2010 @nic-6443 @Revolyssup @AlinsRan cc?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-3071583217
@bzp2010 @nic-6443 @Revolyssup @AlinsRan cc
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
membphis commented on code in PR #11824: URL: https://github.com/apache/apisix/pull/11824#discussion_r2196477496 ## apisix/plugins/openid-connect.lua: ## @@ -528,6 +541,18 @@ local function required_scopes_present(required_scopes, http_scopes) return true end +local function validate_claims_in_oidcauth_response(resp, conf) +if not conf.claim_schema then +return true, nil Review Comment: ```suggestion return true ```
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-3054983084
The failed tests are not related to this PR.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-3054908289
@Baoyuantop Please help me rerun the failed tests.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2192435526
##
apisix/plugins/openid-connect.lua:
##
@@ -331,6 +339,7 @@ local _M = {
schema = schema,
}
+local generic_claim_validator = nil
Review Comment:
I have updated my code. Thank you for your patience.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2192265597
##
apisix/plugins/openid-connect.lua:
##
@@ -331,6 +339,7 @@ local _M = {
schema = schema,
}
+local generic_claim_validator = nil
Review Comment:
> I think you can use the core.schema method directly? You can refer to the implementation of the request-validation plugin
Ok, you are right.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2181359671
##
apisix/plugins/openid-connect.lua:
##
@@ -331,6 +339,7 @@ local _M = {
schema = schema,
}
+local generic_claim_validator = nil
Review Comment:
Hi @beardnick, any update?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2168044531
##
apisix/plugins/openid-connect.lua:
##
@@ -331,6 +339,7 @@ local _M = {
schema = schema,
}
+local generic_claim_validator = nil
Review Comment:
I think you can use the core.schema method directly? You can refer to the
implementation of the request-validation plugin
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-3004417193
@Baoyuantop Please review this PR again.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2987654119
@Baoyuantop Please review this PR again.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2146689517
##
apisix/plugins/openid-connect.lua:
##
@@ -331,6 +339,7 @@ local _M = {
schema = schema,
}
+local generic_claim_validator = nil;
Review Comment:
> No semicolon needed.
I'll remove it.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2146686330
##
apisix/plugins/openid-connect.lua:
##
@@ -331,6 +339,7 @@ local _M = {
schema = schema,
}
+local generic_claim_validator = nil;
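Review bot: `generic_claim_validator` is declared once at module level, so every route that enables this plugin shares the same variable. If it is assigned from one route's `claim_schema`, two routes with different schemas would overwrite each other's validator and a request could be checked against the wrong schema. Passing `conf` into the validation function and keying any cached validator by the plugin configuration keeps the check per route.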
Review Comment:
> Is it possible to avoid using global variables?
There seems to be no better way to handle this situation. I scanned the
codebase, and the ai.lua seems to have done a similar thing.
https://github.com/beardnick/apisix/blob/3e5e0ebd1eb94f13dd110b2404ab702ce2835286/apisix/plugins/ai.lua#L34-L35
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2146686330
##
apisix/plugins/openid-connect.lua:
##
@@ -331,6 +339,7 @@ local _M = {
schema = schema,
}
+local generic_claim_validator = nil;
Review Comment:
> Is it possible to avoid using global variables?
There seems to be no better way to handle this situation. I scanned the codebase,
the ai.lua seems to have done a similar thing.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2146668725
##
t/plugin/openid-connect2.t:
##
@@ -401,3 +401,277 @@ passed
--- response_body
true
--- error_code: 302
+
+
+
+=== TEST 11: Set up route with plugin matching URI `/*` and point plugin to
local Keycloak instance and set claim validator.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"discovery":
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"realm": "University",
+"client_id": "course_management",
+"client_secret":
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"redirect_uri": "http://127.0.0.1:]] ..
ngx.var.server_port .. [[/authenticated",
+"ssl_verify": false,
+"timeout": 10,
+"introspection_endpoint_auth_method":
"client_secret_post",
+"introspection_endpoint":
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"set_access_token_header": true,
+"access_token_in_authorization_header": false,
+"set_id_token_header": true,
+"set_userinfo_header": true,
+"set_refresh_token_header": true,
+"claim_schema": {
+"type": "object",
+"properties": {
+"access_token": { "type" : "string"},
+"id_token": { "type" : "object"},
+"user": { "type" : "object"}
+},
+"required" :
["access_token","id_token","user"]
+}
+}
+},
+"upstream": {
+"nodes": {
+"127.0.0.1:1980": 1
+},
+"type": "roundrobin"
+},
+"uri": "/*"
+}]]
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.say(body)
+}
+}
+--- response_body
+passed
+
+
+
+=== TEST 12: Access route w/o bearer token and go through the full OIDC
Relying Party authentication process and validate claim successfully.
+--- config
+location /t {
+content_by_lua_block {
+local http = require "resty.http"
+local login_keycloak = require("lib.keycloak").login_keycloak
+local concatenate_cookies =
require("lib.keycloak").concatenate_cookies
+
+local httpc = http.new()
+
+local uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/uri"
+local res, err = login_keycloak(uri, "[email protected]", "123456")
+if err then
+ngx.status = 500
+ngx.say(err)
+return
+end
+
+local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
+-- Make the final call back to the original URI.
+local redirect_uri = "http://127.0.0.1:"; .. ngx.var.server_port ..
res.headers['Location']
+res, err = httpc:request_uri(redirect_uri, {
+method = "GET",
+headers = {
+["Cookie"] = cookie_str
+}
+})
+
+if not res then
+-- No response, must be an error.
+ngx.status = 500
+ngx.say(err)
+return
+elseif res.status ~= 200 then
+-- Not a valid response.
+-- Use 500 to indicate error.
+ngx.status = 500
+ngx.say("Invoking the original URI didn't return the expected
result.")
+return
+end
+
+ngx.status = res.status
+ngx.say(res.body)
+}
+}
+--- response_body_like
+uri: /uri
+cookie: .*
+host: 127.0.0.1:1984
+user-agent: .*
+x-access-token: ey.*
+x-id-token: ey.*
+x-real-ip: 127.0.0.1
+x-refresh-token: ey.*
+x-userinfo: ey.*
+
+
+
+=== TEST 13: Set up route with plugin matching URI `/*` and point plugin to
local Keycloak instance and set claim val
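Review bot: the `claim_schema` in TEST 11 only constrains the top-level types of `access_token`, `id_token` and `user`, which any successful login satisfies, so TEST 12 passing says little about claim checks. Adding a constraint on a property inside `user` or `id_token` would make the success case exercise the validator on an actual claim.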
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2964807264
> > @Baoyuantop Could you please help to rerun the failed tests?
> Done
Please review this PR again.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2141773779
##
apisix/plugins/openid-connect.lua:
##
@@ -331,6 +339,7 @@ local _M = {
schema = schema,
}
+local generic_claim_validator = nil;
Review Comment:
No semicolon needed.
##
t/plugin/openid-connect2.t:
##
@@ -401,3 +401,277 @@ passed
--- response_body
true
--- error_code: 302
+
+
+
+=== TEST 11: Set up route with plugin matching URI `/*` and point plugin to
local Keycloak instance and set claim validator.
+--- config
+location /t {
+content_by_lua_block {
+local t = require("lib.test_admin").test
+local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+"plugins": {
+"openid-connect": {
+"discovery":
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+"realm": "University",
+"client_id": "course_management",
+"client_secret":
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+"redirect_uri": "http://127.0.0.1:]] ..
ngx.var.server_port .. [[/authenticated",
+"ssl_verify": false,
+"timeout": 10,
+"introspection_endpoint_auth_method":
"client_secret_post",
+"introspection_endpoint":
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+"set_access_token_header": true,
+"access_token_in_authorization_header": false,
+"set_id_token_header": true,
+"set_userinfo_header": true,
+"set_refresh_token_header": true,
+"claim_schema": {
+"type": "object",
+"properties": {
+"access_token": { "type" : "string"},
+"id_token": { "type" : "object"},
+"user": { "type" : "object"}
+},
+"required" :
["access_token","id_token","user"]
+}
+}
+},
+"upstream": {
+"nodes": {
+"127.0.0.1:1980": 1
+},
+"type": "roundrobin"
+},
+"uri": "/*"
+}]]
+)
+
+if code >= 300 then
+ngx.status = code
+end
+ngx.say(body)
+}
+}
+--- response_body
+passed
+
+
+
+=== TEST 12: Access route w/o bearer token and go through the full OIDC
Relying Party authentication process and validate claim successfully.
+--- config
+location /t {
+content_by_lua_block {
+local http = require "resty.http"
+local login_keycloak = require("lib.keycloak").login_keycloak
+local concatenate_cookies =
require("lib.keycloak").concatenate_cookies
+
+local httpc = http.new()
+
+local uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/uri"
+local res, err = login_keycloak(uri, "[email protected]", "123456")
+if err then
+ngx.status = 500
+ngx.say(err)
+return
+end
+
+local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
+-- Make the final call back to the original URI.
+local redirect_uri = "http://127.0.0.1:"; .. ngx.var.server_port ..
res.headers['Location']
+res, err = httpc:request_uri(redirect_uri, {
+method = "GET",
+headers = {
+["Cookie"] = cookie_str
+}
+})
+
+if not res then
+-- No response, must be an error.
+ngx.status = 500
+ngx.say(err)
+return
+elseif res.status ~= 200 then
+-- Not a valid response.
+-- Use 500 to indicate error.
+ngx.status = 500
+ngx.say("Invoking the original URI didn't return the expected
result.")
+return
+end
+
+ngx.status = res.status
+ngx.say(res.body)
+}
+}
+--- response_body_like
+uri: /uri
+cookie: .*
+host: 127.0.0.1:1984
+user-agent: .*
+x-access-token: ey.*
+x-id-t
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2957513203
> @Baoyuantop Could you please help to rerun the failed tests?
Done
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2954756388
@Baoyuantop Could you please help to rerun the failed tests?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2134371109
##
apisix/plugins/openid-connect.lua:
##
@@ -528,6 +544,18 @@ local function required_scopes_present(required_scopes,
http_scopes)
return true
end
+local function validate_claims_in_oidcauth_response(resp)
+if not generic_claim_validator then
+return true, nil
+end
+local data = {
+user = resp.user,
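Review bot: in `local data = {` a field such as `resp.user` that is nil leaves no key in `data`, so whether a missing claim rejects the request depends entirely on the schema listing it under `required`; a schema that only describes the claim under `properties` passes when the claim is absent. That behaviour deserves a sentence in the docs and a test case with a response that lacks the claim.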
Review Comment:
If these fields are empty and marked as required in the claim schema, the
validation will fail and an error will be generated.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2084265403
##
apisix/plugins/openid-connect.lua:
##
@@ -357,6 +365,14 @@ function _M.check_schema(conf)
return false, err
end
+if conf.claim_schema then
+local ok, res = pcall(jsonschema.generate_validator, conf.claim_schema)
+if not ok then
+return false, "generate claim_schema validator failed"
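Review bot: on the failure path `res` holds the error raised by `jsonschema.generate_validator`, but the returned string drops it, so an operator submitting a bad schema cannot see what was rejected. Append it, for example `"generate claim_schema validator failed: " .. tostring(res)`, and consider renaming `res`, since it carries either the validator or the error.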
Review Comment:
It is recommended to include the original error message for better debugging.
##
docs/en/latest/plugins/openid-connect.md:
##
@@ -96,6 +96,7 @@ description: OpenID Connect allows the client to obtain user
information from th
| introspection_expiry_claim | string | False | | | Name of the expiry
claim, which controls the TTL of the cached and introspected access token. The
default value is 0, which means this option is not used and the plugin defaults
to use the TTL passed by expiry claim defined in `introspection_expiry_claim`.
If `introspection_interval` is larger than 0 and less than the TTL passed by
expiry claim defined in `introspection_expiry_claim`, use
`introspection_interval`. |
| introspection_addon_headers | string[] | False | | | Array of strings.
Used to append additional header values to the introspection HTTP request. If
the specified header does not exist in origin request, value will not be
appended. |
| claim_validator.issuer.valid_issuers | string[] | False | | | Whitelist
the vetted issuers of the jwt. When not passed by the user, the issuer returned
by discovery endpoint will be used. In case both are missing, the issuer will
not be validated. |
+| claim_schema | object | False | | | JSON schema of OIDC response claim. |
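Review bot: the description in the new `claim_schema` row, "JSON schema of OIDC response claim.", does not say which object the schema is evaluated against. The test in this PR uses top-level `access_token`, `id_token` and `user` properties, so the row should name those keys and state that validation is skipped when `claim_schema` is unset.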
Review Comment:
It is recommended to add specific configuration examples.
##
apisix/plugins/openid-connect.lua:
##
@@ -528,6 +544,18 @@ local function required_scopes_present(required_scopes,
http_scopes)
return true
end
+local function validate_claims_in_oidcauth_response(resp)
+if not generic_claim_validator then
+return true, nil
+end
+local data = {
+user = resp.user,
Review Comment:
What happens if these fields in resp are empty?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2863447163
> Already rerun, please make sure you have merged the latest master branch
Hi @Baoyuantop, I've already merged the latest master. However, some tests still failed. Could you please help me rerun the failed tests?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2857332091
Already rerun, please make sure you have merged the latest master branch
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2857011302
Hi @Baoyuantop, it seems that the failed tests are not caused by my code. Could you please help me run them again?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2850235046
> Hi @beardnick, I don't see this PR as conflicting with #11987, but rather as complementary features, with #11987 providing specific audience validation (in line with the OIDC specification) and #11824 providing a more generalized validation approach. cc @bzp2010
Hi @Baoyuantop. Thank you for your help. My concern was that the APISIX team might not want to expose a flexible claim validator, like JSON Schema, to users. Since there is no design issue regarding this, I will continue working on this PR. I have updated the documentation.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2835508484
Hi @beardnick, I don't see this PR as conflicting with #11987, but rather as complementary features, with #11987 providing specific audience validation (in line with the OIDC specification) and #11824 providing a more generalized validation approach. cc @bzp2010
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2822881828
> @Baoyuantop I took a more detailed look at the code. Seems this pr(#11987) did something similar to my pr. Do you think my pr is still necessary?
I will check it
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
jmaasing commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2781228548
> @Baoyuantop I took a more detailed look at the code. Seems this pr(#11987) did something similar to my pr. Do you think my pr is still necessary?
I'm not an apisix-developer but a user so I can't say anything about the implementation details. But I am looking to your PR to have the ability to configure the plugin to only allow requests through if the user has a "roles" claim containing one or more specific roles. The PR you are referencing seems similar but geared towards checking the 'aud' claim only, which is nice but does not cover my use case.
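Two points raised in this thread, allowing a request only when a `roles` claim contains a given role and what happens when a field of the response is empty, both turn on how `required` interacts with `properties` in the schema. The Python below is an added example, not code from the PR or from APISIX: the validator is a stand-in covering a few standard JSON Schema keywords. The `user.roles` claim location, the role names, the three top-level keys (taken from the PR's test schema) and the sample responses are assumptions constructed for illustration.

```python
# Added illustration, not APISIX code: a validator for a small JSON Schema
# subset (type, required, properties, items, contains, enum).
_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}


def validate(schema, value, path="$"):
    """Return a list of error strings; an empty list means the value passes."""
    expected = schema.get("type")
    if expected is not None and not isinstance(value, _TYPES[expected]):
        return [f"{path}: expected {expected}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: value not in enum")
    if isinstance(value, dict):
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required claim missing")
        for name, sub in schema.get("properties", {}).items():
            # `properties` constrains a key only when the key is present.
            if name in value:
                errors.extend(validate(sub, value[name], f"{path}.{name}"))
    if isinstance(value, list):
        for i, item in enumerate(value):
            errors.extend(validate(schema.get("items", {}), item, f"{path}[{i}]"))
        contains = schema.get("contains")
        if contains is not None and not any(not validate(contains, v) for v in value):
            errors.append(f"{path}: no element satisfies 'contains'")
    return errors


def build_claim_data(resp):
    """Mirror `data = { user = resp.user, ... }`: a nil field leaves no key.

    The three keys are an assumption taken from the PR's test schema.
    """
    keys = ("user", "access_token", "id_token")
    return {k: resp[k] for k in keys if resp.get(k) is not None}


def allowed(schema, resp):
    return not validate(schema, build_claim_data(resp))


# Hypothetical role rule: the array must contain at least one listed role.
ROLE_RULE = {"type": "array", "contains": {"enum": ["teacher", "admin"]}}

# Weak: describes the roles claim but never requires it, so a response
# without `user` or without `user.roles` passes.
WEAK_SCHEMA = {
    "type": "object",
    "properties": {
        "user": {"type": "object", "properties": {"roles": ROLE_RULE}},
    },
}

# Strict: `user` and `user.roles` must both be present and match.
STRICT_SCHEMA = {
    "type": "object",
    "required": ["user"],
    "properties": {
        "user": {
            "type": "object",
            "required": ["roles"],
            "properties": {"roles": ROLE_RULE},
        },
    },
}

# Constructed sample responses (not captured from a real identity provider).
_BASE = {"access_token": "ey.constructed", "id_token": {"sub": "u"}}
RESP_TEACHER = dict(_BASE, user={"sub": "u1", "roles": ["student", "teacher"]})
RESP_STUDENT = dict(_BASE, user={"sub": "u2", "roles": ["student"]})
RESP_NO_ROLES = dict(_BASE, user={"sub": "u3"})
RESP_NO_USER = dict(_BASE, user=None)

if __name__ == "__main__":
    for name, schema in (("weak", WEAK_SCHEMA), ("strict", STRICT_SCHEMA)):
        for label, resp in (("teacher", RESP_TEACHER), ("student", RESP_STUDENT),
                            ("no roles", RESP_NO_ROLES), ("no user", RESP_NO_USER)):
            print(f"{name:6} {label:8} allowed={allowed(schema, resp)}")
```

Whether the gateway's JSON Schema library accepts `contains` is not shown on this page and should be checked before relying on it.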
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2781220503
@Baoyuantop I took a more detailed look at the code. Seems this pr(https://github.com/apache/apisix/pull/11987) did something similar to my pr. Do you think my pr is still necessary?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2774559984
> Hi @beardnick, do you have time to continue working on this PR?
Sorry, I've been busy the last few days. I'll continue working on it tomorrow.
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2774553815
Hi @beardnick, do you have time to continue working on this PR?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2015358392
##
apisix/plugins/openid-connect.lua:
##
@@ -317,6 +319,11 @@ local schema = {
items = {
type = "string"
}
+},
Review Comment:
need to add documentation for this
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2754022139
> Hi @beardnick, please make the test pass
Could you give me some advice on how to fix these failed tests? I have these questions.
1. The failed tests don't give much information about the reason for the failure. They only give messages like "exited on code 2"
2. How can I run these Github actions by myself? Do I have to rely on you to execute these Github actions?
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
Baoyuantop commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2753955780
Hi @beardnick, please make the test pass
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
beardnick commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2753964481
> Hi @beardnick, please make the test pass
Ok, I'll take a look
Re: [PR] feat: support OIDC claim validator (#8772) [apisix]
github-actions[bot] commented on PR #11824:
URL: https://github.com/apache/apisix/pull/11824#issuecomment-2753856301
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.
