Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/07 14:51:37 UTC

[GitHub] [apisix] hndoss commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

hndoss commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1341080579

   > > * How to extract the authorization header from the payload? There is more data in the message that is not headers.
   > >   e.g.
   > 
   > I do not quite understand; you can describe it in more detail.
   
   authz-keycloak uses the authorization header in the requests, allowing APISIX to validate the permissions with Keycloak and thus decide whether to let the request through or return an error saying that it does not have the necessary permissions. This works great, except for websockets, because websockets [don't have this authorization header that the plugin uses.](https://github.com/joewalnes/reconnecting-websocket/issues/103)
   
   So, we are adding the authorization header as part of the request body, and not in the header. So, we need to somehow rewrite the request, taking the token from the request body and putting it in the header before the authz-keycloak plugin does its job.
   
   The problem is that, in addition to the header, we are adding more information in the request body, so we need to parse the content of the request body and extract only the JWT. This is what we have thought to do; however, it is a good opportunity to see if there is any other approach.
   
   How to authorize websockets with Keycloak and APISIX if websockets don't use the authorization header?
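
The extraction step described in the comment above, as an added example that is not part of the original post and is not APISIX or authz-keycloak code. It assumes the message is a JSON object whose `authorization` field carries the token; the function names, field name and size cap are hypothetical, and in APISIX the same logic would have to run ahead of authz-keycloak.

```python
import base64
import json
import re

# Compact JWS shape: three non-empty base64url segments. The allow-list also
# excludes CR, LF and spaces, so body data cannot inject extra headers.
JWT_SHAPE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
MAX_BODY = 16 * 1024  # assumed size cap for the message


def _segment_json(segment):
    """Decode one base64url segment and require a JSON object."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def authorization_from_body(body, field="authorization"):
    """Return the Authorization header value, or None to reject the message."""
    if len(body) > MAX_BODY:
        return None
    try:
        msg = json.loads(body)
        value = msg[field]
        token = value[7:] if value[:7].lower() == "bearer " else value
        if not JWT_SHAPE.fullmatch(token):
            return None
        header, payload, _sig = token.split(".")
        if "alg" not in _segment_json(header):
            return None
        _segment_json(payload)
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    # The signature is not checked here; that is left to the Keycloak-backed step.
    return "Bearer " + token


def _seg(obj):  # helper to build the constructed sample token
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: a JWT-shaped token with a dummy signature, and a body
# that carries it next to unrelated fields (assumed message format).
SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256"}), _seg({"sub": "demo"}), "c2ln"])
SAMPLE_BODY = json.dumps({"authorization": "Bearer " + SAMPLE_TOKEN,
                          "channel": "orders", "data": {"x": 1}}).encode()
```

Only the returned value should be copied into the `Authorization` header; a `None` result means the message is rejected before any authorization check is attempted.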

