Posted to notifications@james.apache.org by "Arsnael (via GitHub)" <gi...@apache.org> on 2023/05/19 02:55:33 UTC

[GitHub] [james-project] Arsnael commented on a diff in pull request #1565: JAMES-3907 OIDC example with Apache APISIX

Arsnael commented on code in PR #1565:
URL: https://github.com/apache/james-project/pull/1565#discussion_r1198494023


##########
examples/oidc/apisix-lemonldap-ldap/apisix/conf/apisix.yaml:
##########
@@ -0,0 +1,236 @@
+routes:
+  #  OIDC authentication endpoints
+  -
+    id: jmap
+    uri: /oidc/jmap
+    service_id: jmap_service_oidc
+    methods:
+      - POST
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /jmap
+  -
+    id: jmap_websocket
+    uri: /oidc/jmap/ws
+    service_id: jmap_service_oidc
+    enable_websocket: true
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /jmap/ws
+  -
+    id: jmap_session_oidc
+    uri: /oidc/jmap/session
+    service_id: jmap_service_oidc
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /jmap/session
+  -
+    id: download
+    uri: /oidc/download/*
+    service_id: jmap_service_oidc
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        regex_uri:
+          - "^/oidc/download/(.*)/(.*)"
+          - "/download/$1/$2"
+  -
+    id: upload
+    uri: /oidc/upload/*
+    service_id: jmap_service_oidc
+    methods:
+      - POST
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        regex_uri:
+          - "^/oidc/upload/(.*)"
+          - "/upload/$1"
+  -
+    id: web_known_finger
+    uris:
+      - /oidc/.well-known/webfinger
+      - /.well-known/webfinger
+    service_id: jmap_service_basic_auth
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /.well-known/webfinger
+  -
+    id: web_known_linagora_ecosystem
+    uri: /oidc/.well-known/linagora-ecosystem
+    service_id: jmap_service_oidc
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /.well-known/linagora-ecosystem
+  -
+    id: web_known_jmap
+    uri: /oidc/.well-known/jmap
+    service_id: jmap_service_oidc
+    methods:
+      - GET
+      - OPTIONS
+    plugin_config_id: jmap-plugin
+    plugins:
+      proxy-rewrite:
+        uri: /.well-known/jmap
+      response-rewrite:
+        _meta:
+          filter:
+            - - request_method
+              - "~="
+              - OPTIONS
+        headers:
+          set:
+            Location: "/oidc/jmap/session"
+
+  #  Basic authentication endpoints
+  - id: jmap_session_basic_auth
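Review bot: the `download` route admits any suffix (`uri: /oidc/download/*`) but its rewrite pattern `"^/oidc/download/(.*)/(.*)"` only matches paths with at least two segments after the prefix, so a request like `/oidc/download/x` matches the route yet not the regex; either narrow the route to the two-segment shape the rewrite expects or make the regex cover everything the route admits, and say what the upstream should receive in the single-segment case. Separately, `web_known_finger` is the only route in this hunk bound to `service_id: jmap_service_basic_auth` while every other route uses `jmap_service_oidc`; neither service is defined here, so a comment explaining why webfinger is served through the basic-auth service, and confirming that chain does not demand credentials on a discovery endpoint clients fetch anonymously, would help readers of the example. Minor: the section comments use a double space (`#  OIDC authentication endpoints`, `#  Basic authentication endpoints`).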

Review Comment:
   I disagree with this though... I think it's good to have oidc and basic auth endpoints in the demo, so that people have an example with both. Basic auth might be enough for a lot of cases actually



##########
examples/oidc/apisix-lemonldap-ldap/docker-compose.yml:
##########
@@ -0,0 +1,103 @@
+version: "3"
+
+services:
+  apisix:
+    container_name: apisix.example.com
+    image: linagora/apisix:3.2.0-debian-javaplugin
+    volumes:
+      - ./apisix/conf/apisix.yaml:/usr/local/apisix/conf/apisix.yaml
+      - ./apisix/conf/config.yaml:/usr/local/apisix/conf/config.yaml
+    networks:
+      - james
+    ports:
+      - "9080:9080/tcp"
+
+  james:
+    depends_on:
+      - ldap
+    networks:
+      - james
+    image: apache/james:memory-latest
+    container_name: james
+    hostname: james.local
+    command:
+      - --generate-keystore
+    volumes:
+      - ./james/usersrepository.xml:/root/conf/usersrepository.xml
+      - ./james/jmap.properties:/root/conf/jmap.properties
+    ports:
+      - "8000:8000"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://james:8000/domains"]
+
+  llngdb:
+    image: yadd/lemonldap-ng-pg-database
+    container_name: llngdb
+    environment:
+      - POSTGRES_PASSWORD=zz
+    healthcheck:
+      test: "exit 0"
+    volumes:
+      - "./lemonldap/lmConf-1.json:/llng-conf/conf.json"
+    networks:
+      - james
+
+  sso.example.com:
+    image: yadd/lemonldap-ng-full
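Review bot: the `llngdb` healthcheck `test: "exit 0"` always reports the container healthy whether or not Postgres is accepting connections, so anything that depends on this service gets no readiness signal from it; use a real probe (for example `pg_isready`) or drop the healthcheck rather than keep a misleading one. The `james` healthcheck at least exercises the real endpoint (`curl -f http://james:8000/domains`), but that same webadmin port is published to the host (`"8000:8000"`), and `POSTGRES_PASSWORD=zz` is a placeholder credential; both are acceptable for a local demo under `examples/` but deserve an inline comment marking them as demo-only, since this file will be copied.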

Review Comment:
   The RPC handler plugin was a krakend limitation... The bloom filter where the tokens were stored on krakend was only accessible with gRPC, which is why we needed to write a sidecar container taking in the http request and doing the gRPC call to krakend.
   
   With Apisix there is no need for that.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org