Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/06/11 22:40:11 UTC

[GitHub] [apisix] ohayak opened a new pull request, #7236: Add token exchange support to authz-keycloak plugin

ohayak opened a new pull request, #7236:
URL: https://github.com/apache/apisix/pull/7236

   ### Description
   
   Hello,
   
   I'm working on a project using multiple Keycloak instances to manage users in different spaces. One master Keycloak is used as an Identity Provider (IDP) for all the others (identity brokers). In this scenario, we used the token exchange feature to limit handled tokens to one.
   
   The token issued by the Identity Provider cannot be used to verify permissions on the brokers. Therefore, this token needs to be exchanged for a second token issued by the broker in order to be used by the authz-keycloak plugin to verify permissions.
   
   The most elegant way to achieve our goal is to let the plugin handle the exchange. Unfortunately, the plugin didn't support this kind of request, so I tweaked the plugin to support this feature.
   
   More details about token exchange are available [here](https://www.keycloak.org/docs/latest/securing_apps/#_token-exchange)
   
   I appreciate your efforts and the time to review my pull request. 
   
   Regards,
   
   ### Checklist
   
   - [X] I have explained the need for this PR and the problem it solves
   - [X] I have explained the changes or the new features added to this PR
   - [ ] I have added tests corresponding to this change
   - [X] I have updated the documentation to reflect this change
   - [X] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
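
The exchange described in the pull request above, sketched from the gateway's side as an added example (not code from the PR or from APISIX). The form parameter names follow the Keycloak token exchange documentation linked in the description; the issuer URL, the `master-idp` alias, the client credentials and all function names are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed mapping: issuer URL of the master IdP -> alias under which the
# broker realm knows that identity provider (sent as subject_issuer).
TRUSTED_ISSUERS = {"https://idp.example.test/realms/master": "master-idp"}

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def unverified_claims(jwt):
    """Decode the JWT payload WITHOUT verifying it. The result is used only
    to pick subject_issuer; the token is not trusted on this basis."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_exchange_request(jwt, client_id, client_secret):
    """Return the form body to POST to the broker's token endpoint.
    Tokens from issuers outside the allow-list are refused, not forwarded."""
    issuer = unverified_claims(jwt).get("iss")
    alias = TRUSTED_ISSUERS.get(issuer)
    if alias is None:
        raise PermissionError("issuer not allow-listed for exchange: %r" % issuer)
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": jwt,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_issuer": alias,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def make_sample_jwt(issuer):
    """Constructed, unsigned sample token for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iss": issuer, "sub": "alice"}), "sig"])
```

The access token returned by the broker for this request is the one the permission check would then be made with, which is the "second token" the description refers to.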


[GitHub] [apisix] github-actions[bot] commented on pull request #7236: feat(authz-keycloak): support token exchange

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #7236:
URL: https://github.com/apache/apisix/pull/7236#issuecomment-1321087207

   This pull request/issue has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time.




[GitHub] [apisix] ohayak commented on pull request #7236: Add token exchange support to authz-keycloak plugin

Posted by GitBox <gi...@apache.org>.
ohayak commented on PR #7236:
URL: https://github.com/apache/apisix/pull/7236#issuecomment-1153013317

   subject_issuer validation not working as expected




[GitHub] [apisix] ohayak commented on pull request #7236: Add token exchange support to authz-keycloak plugin

Posted by GitBox <gi...@apache.org>.
ohayak commented on PR #7236:
URL: https://github.com/apache/apisix/pull/7236#issuecomment-1222045659

   Any chance to get this PR reviewed?




[GitHub] [apisix] github-actions[bot] closed pull request #7236: feat(authz-keycloak): support token exchange

Posted by GitBox <gi...@apache.org>.
github-actions[bot] closed pull request #7236: feat(authz-keycloak): support token exchange
URL: https://github.com/apache/apisix/pull/7236




[GitHub] [apisix] github-actions[bot] commented on pull request #7236: feat(authz-keycloak): support token exchange

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #7236:
URL: https://github.com/apache/apisix/pull/7236#issuecomment-1288073400

   This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.




[GitHub] [apisix] tzssangglass commented on pull request #7236: Add token exchange support to authz-keycloak plugin

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on PR #7236:
URL: https://github.com/apache/apisix/pull/7236#issuecomment-1222185746

   Hi @ohayak, thanks for your contribution, please resolve the conflicting files first.




[GitHub] [apisix] spacewander commented on pull request #7236: feat(authz-keycloak): support token exchange

Posted by GitBox <gi...@apache.org>.
spacewander commented on PR #7236:
URL: https://github.com/apache/apisix/pull/7236#issuecomment-1225256465

   Please make the CI pass, thanks!

