Skip to content

Commit

Permalink
feat: support OIDC claim validator (apache#8772)
Browse files Browse the repository at this point in the history
  • Loading branch information
@beardnick
beardnick authored and hugocheng committed Dec 12, 2024
1 parent 1f89705 commit 5125437
Show file tree
Hide file tree
Showing 2 changed files with 251 additions and 0 deletions.
34 changes: 34 additions & 0 deletions apisix/plugins/openid-connect.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ local core = require("apisix.core")
local ngx_re = require("ngx.re")
local openidc = require("resty.openidc")
local random = require("resty.random")
local jsonschema = require('jsonschema')
local string = string
local ngx = ngx
local ipairs = ipairs
Expand Down Expand Up @@ -275,6 +276,11 @@ local schema = {
items = {
type = "string"
}
},
claim_schema = {
description = "JSON schema of OIDC response claim",
type = "object",
default = nil,
}
},
encrypt_fields = {"client_secret", "client_rsa_private_key"},
Expand All @@ -289,6 +295,7 @@ local _M = {
schema = schema,
}

local claim_validator = nil;

function _M.check_schema(conf)
if conf.ssl_verify == "no" then
Expand All @@ -315,6 +322,14 @@ function _M.check_schema(conf)
return false, err
end

if conf.claim_schema then
local ok, res = pcall(jsonschema.generate_validator, conf.claim_schema)
if not ok then
return false, "generate claim_schema validator failed"
end
claim_validator = res
end

return true
end

Expand Down Expand Up @@ -470,6 +485,18 @@ local function required_scopes_present(required_scopes, http_scopes)
return true
end

local function validate_claims_in_oidcauth_response(resp)
if not claim_validator then
return true, nil
end
local data = {
user = resp.user,
access_token = resp.access_token,
id_token = resp.id_token,
}
return claim_validator(data)
end

function _M.rewrite(plugin_conf, ctx)
local conf = core.table.clone(plugin_conf)

Expand Down Expand Up @@ -590,6 +617,13 @@ function _M.rewrite(plugin_conf, ctx)
end

if response then
local ok, err = validate_claims_in_oidcauth_response( response)
if not ok then
core.log.error("OIDC claim validation failed: ", err)
ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. conf.realm ..
'", error="invalid_token", error_description="' .. err .. '"'
return ngx.HTTP_UNAUTHORIZED
end
-- If the openidc module has returned a response, it may contain,
-- respectively, the access token, the ID token, the refresh token,
-- and the userinfo.
Expand Down
217 changes: 217 additions & 0 deletions t/plugin/openid-connect2.t
View file
Original file line number Diff line number Diff line change
Expand Up @@ -401,3 +401,220 @@ passed
--- response_body
true
--- error_code: 302
=== TEST 11: Set up route with plugin matching URI `/*` and point plugin to local Keycloak instance and set claim validator.
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"openid-connect": {
"discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
"realm": "University",
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
"redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/authenticated",
"ssl_verify": false,
"timeout": 10,
"introspection_endpoint_auth_method": "client_secret_post",
"introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect",
"set_access_token_header": true,
"access_token_in_authorization_header": false,
"set_id_token_header": true,
"set_userinfo_header": true,
"set_refresh_token_header": true,
"claim_schema": {
"type": "object",
"properties": {
"access_token": { "type" : "string"},
"id_token": { "type" : "object"},
"user": { "type" : "object"}
},
"required" : ["access_token","id_token","user"]
}
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/*"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 12: Access route w/o bearer token and go through the full OIDC Relying Party authentication process and validate claim successfully.
--- config
location /t {
content_by_lua_block {
local http = require "resty.http"
local login_keycloak = require("lib.keycloak").login_keycloak
local concatenate_cookies = require("lib.keycloak").concatenate_cookies
local httpc = http.new()
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
local res, err = login_keycloak(uri, "[email protected]", "123456")
if err then
ngx.status = 500
ngx.say(err)
return
end
local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
-- Make the final call back to the original URI.
local redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
res, err = httpc:request_uri(redirect_uri, {
method = "GET",
headers = {
["Cookie"] = cookie_str
}
})
if not res then
-- No response, must be an error.
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 200 then
-- Not a valid response.
-- Use 500 to indicate error.
ngx.status = 500
ngx.say("Invoking the original URI didn't return the expected result.")
return
end
ngx.status = res.status
ngx.say(res.body)
}
}
--- response_body_like
uri: /uri
cookie: .*
host: 127.0.0.1:1984
user-agent: .*
x-access-token: ey.*
x-id-token: ey.*
x-real-ip: 127.0.0.1
x-refresh-token: ey.*
x-userinfo: ey.*
=== TEST 13: Set up route with plugin matching URI `/*` and point plugin to local Keycloak instance and set claim validator with more strict schema.
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"openid-connect": {
"discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
"realm": "University",
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
"redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/authenticated",
"ssl_verify": false,
"timeout": 10,
"introspection_endpoint_auth_method": "client_secret_post",
"introspection_endpoint": "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect",
"set_access_token_header": true,
"access_token_in_authorization_header": false,
"set_id_token_header": true,
"set_userinfo_header": true,
"set_refresh_token_header": true,
"claim_schema": {
"type": "object",
"properties": {
"access_token": { "type" : "string"},
"id_token": { "type" : "object"},
"user": { "type" : "object"},
"user1": { "type" : "object"}
},
"required" : ["access_token","id_token","user","user1"]
}
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/*"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 14: Access route w/o bearer token and go through the full OIDC Relying Party authentication process and fail to validate claim.
--- config
location /t {
content_by_lua_block {
local http = require "resty.http"
local login_keycloak = require("lib.keycloak").login_keycloak
local concatenate_cookies = require("lib.keycloak").concatenate_cookies
local httpc = http.new()
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
local res, err = login_keycloak(uri, "[email protected]", "123456")
if err then
ngx.status = 500
ngx.say(err)
return
end
local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
-- Make the final call back to the original URI.
local redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
res, err = httpc:request_uri(redirect_uri, {
method = "GET",
headers = {
["Cookie"] = cookie_str
}
})
if not res then
ngx.say('here error',err)
-- No response, must be an error.
ngx.status = 500
ngx.say(err)
return
end
ngx.status = res.status
ngx.say(res.body)
}
}
--- error_code: 401
--- error_log
property "user1" is required

0 comments on commit 5125437

Please sign in to comment.