Posted to notifications@apisix.apache.org by sp...@apache.org on 2022/11/22 06:22:08 UTC
[apisix] branch master updated: fix(openid-connect): return userinfo when use_jwks is true (#8347)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 4346b0b2c fix(openid-connect): return userinfo when use_jwks is true (#8347)
4346b0b2c is described below
commit 4346b0b2c58f6473d31f6882c6aeabb7084f9c7f
Author: levy liu <37...@qq.com>
AuthorDate: Tue Nov 22 14:22:03 2022 +0800
fix(openid-connect): return userinfo when use_jwks is true (#8347)
Fixes https://github.com/apache/apisix/issues/8133
---
apisix/plugins/openid-connect.lua | 2 +-
t/plugin/openid-connect.t | 114 +++++++++++++++++++++++++++++++++++++-
2 files changed, 114 insertions(+), 2 deletions(-)
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index e7b96a34a..d45b4e757 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -237,7 +237,7 @@ local function introspect(ctx, conf)
-- Token successfully validated.
local method = (conf.public_key and "public_key") or (conf.use_jwks and "jwks")
core.log.debug("token validate successfully by ", method)
- return res, err, token, nil
+ return res, err, token, res
else
-- Validate token against introspection endpoint.
-- TODO: Same as above for public key validation.
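Review bot: The new fourth return value on the `return res, err, token, res` line makes the JWT claim set stand in for "userinfo", but nothing in the code records that this is a different thing from the userinfo-endpoint response the introspection path presumably produces: in the jwks/public_key branch `res` is whatever the local token verification returned, so the X-Userinfo header will carry the access token's claims (issuer, audience, expiry and whatever else the IdP put in the token) rather than the profile the userinfo endpoint would serve, and an upstream that treats the two interchangeably may be surprised. I would say so on the line, e.g. `-- Locally verified tokens have no userinfo response; expose the token's claim set as userinfo instead.` The surrounding `introspect` function starts and ends outside this hunk, so I cannot confirm from here whether `res` ever differs from the decoded payload in the error paths above.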
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index 185bb7058..23dc8ea5b 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -561,12 +561,13 @@ passed
GET /uri HTTP/1.1
--- more_headers
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.Vq_sBN7nH67vMDbiJE01EP4hvJYE_5ju6izjkOX8pF5OS4g2RWKWpL6h6-b0tTkCzG4JD5BEl13LWW-Gxxw0i9vEK0FLg_kC_kZLYB8WuQ6B9B9YwzmZ3OLbgnYzt_VD7D-7psEbwapJl5hbFsIjDgOAEx-UCmjUcl2frZxZavG2LUiEGs9Ri7KqOZmTLgNDMWfeWh1t1LyD0_b-eTInbasVtKQxMlb5kR0Ln_Qg5092L-irJ7dqaZma7HItCnzXJROdqJEsMIBA [...]
---- response_body
+--- response_body_like
uri: /uri
authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.Vq_sBN7nH67vMDbiJE01EP4hvJYE_5ju6izjkOX8pF5OS4g2RWKWpL6h6-b0tTkCzG4JD5BEl13LWW-Gxxw0i9vEK0FLg_kC_kZLYB8WuQ6B9B9YwzmZ3OLbgnYzt_VD7D-7psEbwapJl5hbFsIjDgOAEx-UCmjUcl2frZxZavG2LUiEGs9Ri7KqOZmTLgNDMWfeWh1t1LyD0_b-eTInbasVtKQxMlb5kR0Ln_Qg5092L-irJ7dqaZma7HItCnzXJROdqJEsMIBA [...]
host: localhost
x-access-token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.Vq_sBN7nH67vMDbiJE01EP4hvJYE_5ju6izjkOX8pF5OS4g2RWKWpL6h6-b0tTkCzG4JD5BEl13LWW-Gxxw0i9vEK0FLg_kC_kZLYB8WuQ6B9B9YwzmZ3OLbgnYzt_VD7D-7psEbwapJl5hbFsIjDgOAEx-UCmjUcl2frZxZavG2LUiEGs9Ri7KqOZmTLgNDMWfeWh1t1LyD0_b-eTInbasVtKQxMlb5kR0Ln_Qg5092L-irJ7dqaZma7HItCnzXJROdqJEsMIBAYRwDGa [...]
x-real-ip: 127.0.0.1
+x-userinfo: ey.*
--- error_code: 200
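Review bot: Switching this block from `--- response_body` to `--- response_body_like` loosens every line of the expectation, not only the new `x-userinfo` one: the dots in the three JWT strings are now regex metacharacters matching any byte, and `ey.*` accepts any trailing content. A tighter pattern for the new line costs nothing, e.g. `x-userinfo: ey[A-Za-z0-9+/]+=*\n`, which still avoids pinning the unstable JSON key order inside the base64 value while rejecting garbage after it. Escaping the JWT dots as `\.` would restore the previous strictness for the untouched lines.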
@@ -1191,3 +1192,114 @@ passed
--- response_body
true
--- error_code: 302
+
+
+
+=== TEST 32: set use_jwks and set_userinfo_header to validate "x-userinfo" in request header
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "openid-connect": {
+ "client_id": "course_management",
+ "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
+ "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+ "realm": "University",
+ "bearer_only": true,
+ "access_token_in_authorization_header": true,
+ "set_userinfo_header": true,
+ "use_jwks": true,
+ "redirect_uri": "http://localhost:3000",
+ "ssl_verify": false,
+ "timeout": 10,
+ "introspection_endpoint_auth_method": "client_secret_post",
+ "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect"
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 33: Access route to validate "x-userinfo" in request header
+--- config
+ location /t {
+ content_by_lua_block {
+ -- Obtain valid access token from Keycloak using known username and password.
+ local json_decode = require("toolkit.json").decode
+ local http = require "resty.http"
+ local httpc = http.new()
+ local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+ local res, err = httpc:request_uri(uri, {
+ method = "POST",
+ body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
+ headers = {
+ ["Content-Type"] = "application/x-www-form-urlencoded"
+ }
+ })
+
+ -- Check response from keycloak and fail quickly if there's no response.
+ if not res then
+ ngx.say(err)
+ return
+ end
+
+ -- Check if response code was ok.
+ if res.status == 200 then
+ -- Get access token from JSON response body.
+ local body = json_decode(res.body)
+ local accessToken = body["access_token"]
+
+ -- Access route using access token. Should work.
+ uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
+ local res, err = httpc:request_uri(uri, {
+ method = "GET",
+ headers = {
+ ["Authorization"] = "Bearer " .. body["access_token"]
+ }
+ })
+
+ if not res then
+ -- No response, must be an error.
+ ngx.status = 500
+ ngx.say(err)
+ return
+ elseif res.status ~= 200 then
+ -- Not a valid response.
+ -- Use 500 to indicate error.
+ ngx.status = 500
+ ngx.say("Invoking the original URI didn't return the expected result.")
+ return
+ end
+
+ ngx.status = res.status
+ ngx.say(res.body)
+
+ else
+ -- Response from Keycloak not ok.
+ ngx.say(false)
+ end
+ }
+ }
+--- response_body_like
+x-userinfo: ey.*
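Review bot: TEST 33 only proves that an `x-userinfo` header reaches the upstream and starts with `ey` (the base64 prefix of `{"`), which would also pass if the plugin emitted an empty object or the wrong token's claims; since the linked issue is precisely about the header content when `use_jwks` is on, the test should decode what the echo upstream returned and assert a claim tied to the user it logged in as. The echoed body has the `name: value` line format shown in the earlier hunk, so the value can be pulled out with a Lua pattern, base64-decoded and JSON-decoded in the same `content_by_lua_block`, and the `--- response_body_like` expectation replaced with the decoded field. I am assuming the value is plain base64 of a JSON object from the `ey` prefix; if the plugin uses another encoding the decode step needs adjusting.
```lua
            -- … unchanged: token request, status checks …
            ngx.status = res.status
            -- Pull the echoed header back out and check it is the caller's claim set,
            -- not merely "some base64 blob".
            local userinfo_b64 = res.body:match("x%-userinfo: ([%w%+/=]+)")
            if not userinfo_b64 then
                ngx.say("x-userinfo header missing from upstream echo")
                return
            end
            local userinfo = json_decode(ngx.decode_base64(userinfo_b64))
            ngx.say(userinfo and userinfo.sub ~= nil)
```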