You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/03/17 10:36:17 UTC
[GitHub] [incubator-apisix] sshniro commented on issue #1272: Support JWT
scopes to allow or reject requests in OAuth2 plugin
sshniro commented on issue #1272: Support JWT scopes to allow or reject requests in OAuth2 plugin
URL: https://github.com/apache/incubator-apisix/issues/1272#issuecomment-599997888
The following is the scenario I have in mind.
The getProducts endpoint should be accessible via a token which has the read scope.
```bash
curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/getProducts",
"plugins": {
"proxy-rewrite": {
"scheme": "https"
},
"openid-connect": {
"client_id": "api_six_client_id",
"client_secret": "client_secret_code",
"discovery": "full_URL_of_the_discovery_endpoint",
"required_scope": "read_scope",
}
}
}'
```
And the deleteProducts endpoint should be accessible via the token with a deletescope.
```bash
curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/deleteProducts",
"plugins": {
"proxy-rewrite": {
"scheme": "https"
},
"openid-connect": {
"client_id": "api_six_client_id",
"client_secret": "client_secret_code",
"discovery": "full_URL_of_the_discovery_endpoint",
"required_scope": "delete_scope",
}
}
}'
```
This is how the core OpenID Library is suggesting to handle this scenario.
https://github.com/zmartzone/lua-resty-openidc#sample-configuration-for-oauth-20-jwt-token-validation
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services