Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/05/15 04:15:34 UTC

[GitHub] [apisix] spamokm opened a new issue, #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

spamokm opened a new issue, #7052:
URL: https://github.com/apache/apisix/issues/7052

   ### Description
   
   As a User, I want to use oAuth2 with PKCE support, so that I can configure an oAuth2 connection without using client/secret.
   
   I am using an IdP which has implemented the [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth).
   
   From the docs of the IdP: 
   The IdP implements the [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth), preferably with [PKCE](https://oauth.net/2/pkce/). The PKCE flow is the recommended and most universal authorization flow that supports mobile apps, single page applications and traditional server-rendered applications and doesn't require the exchange of a shared secret.
   
   The Flow:
   1. user opens a web app (in my case an APISIXROUTE, using openid plugin) 
   2. code challenge using sha256 is created by the openid plugin
   3. redirect to the idp authorization endpoint
   4. login of the user
   5. redirect to the redirect_url with "authcode" as URL query parameter
   6. openId plugin uses the authcode to receive a JWT from the idp token endpoint
   
   Could you implement this oAuth flow with pkce support?
   Please add a section to the documentation as well, taking care of the configuration of the pkce and the redirect_url
   
    Thank you


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] tao12345666333 commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1127493532

   This is a relatively simple function, just need to upgrade the resty.openidc version that APISIX depends on, and add some adaptations.




[GitHub] [apisix] tao12345666333 commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1173791350

   yes




[GitHub] [apisix] spacewander closed issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE
URL: https://github.com/apache/apisix/issues/7052




[GitHub] [apisix] qihaiyan commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
qihaiyan commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1166205986

   I can fix this issue @tao12345666333 




[GitHub] [apisix] moonming commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
moonming commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1127479678

   great idea 👍
   @spamokm Are you interested in adding this feature to Apache APISIX?




[GitHub] [apisix] tao12345666333 commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1173815124

   You can see this file https://github.com/apache/apisix/blob/master/ci/pod/docker-compose.plugin.yml
   
   
   




[GitHub] [apisix] spamokm commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
spamokm commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1128947808

   > great idea 👍 @spamokm Are you interested in adding this feature to Apache APISIX?
   
   As @tao12345666333 has a clear idea about the implementation and my Lua skills are not available, it isn't a good idea :-)
   
   Thank you Jintao for taking over.




[GitHub] [apisix] qihaiyan commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
qihaiyan commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1173786208

   `#   Failed test 't/plugin/openid-connect.t TEST 9: Access route w/o bearer token and go through the full OIDC Relying Party authentication process. - pattern "[error]" should not match any line in error.log but matches line "2022/07/04 20:45:31 [error] 2009\#2009: *32 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: accessing discovery url (http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration) failed: connection refused, client: 127.0.0.1, server: localhost, request: \"GET /uri HTTP/1.1\", host: \"127.0.0.1:1984\"" (req 0)
   `
   Why does this error occur when I run the openid-connect.t unit test? Should I start a mock server? @tao12345666333 




[GitHub] [apisix] tao12345666333 commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1132464330

   I don't have enough time in the last few days to make it happen, 
   if no one takes it in two weeks, I will implement it.
   
   




[GitHub] [apisix] tao12345666333 commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1166214068

   @qihaiyan thanks. Assigned 
   
   If you need any help, feel free to ping me 




[GitHub] [apisix] qihaiyan commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
qihaiyan commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1173806548

   How do I start the mock server? I can't find the instructions in the APISIX docs. @tao12345666333 




[GitHub] [apisix] tao12345666333 commented on issue #7052: feat: As a User, I want to be able to use oAuth2 with PKCE

Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on issue #7052:
URL: https://github.com/apache/apisix/issues/7052#issuecomment-1127327552

   Thanks for your report.
   
   I think there is value in implementing it.
   Using this method improves security.
   
   What do you think? 
   cc @spacewander @membphis @moonming 
   
   

