Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/06 19:43:44 UTC

[GitHub] [apisix] hndoss opened a new issue, #8466: help request: Parse $request_body and add authorization header when using websockets

hndoss opened a new issue, #8466:
URL: https://github.com/apache/apisix/issues/8466

   ### Description
   
   We are adding a Keycloak integration with Apisix. For this we are using [authz-keycloak](https://apisix.apache.org/docs/apisix/plugins/authz-keycloak/). Our platform makes use of websockets, and therefore it is impossible for us to add the Authorization header, causing the request to fail.
   
   Before implementing Apisix, we had been passing this header in the websocket payload, and now we want to use [proxy-rewrite](https://apisix.apache.org/docs/apisix/plugins/proxy-rewrite/) to somehow extract the Authorization header that is being sent in the message and add it to the headers.
   
   And now we have two problems:
   - Add the header if and only if it is not included in the request, we do not want to overwrite the content if it is present
   - How to extract the authorization header from the payload? There is more data in the message that is not headers.
   e.g.
   ```
   {"type":"connection_init","payload":{"headers":{"authorization":"Bearer ey..."}}}
   ```
   
   ### Environment
   
   - APISIX version (run `apisix version`):
   ```
   2.15.0
   ```
   
   - Operating system (run `uname -a`):
   ```
   # using helm chart
   Linux apisix-575b5cdf74-7z9rs 5.10.133+ #1 SMP Fri Jul 29 08:49:27 UTC 2022 x86_64 Linux
   ```
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   ```
   nginx version: openresty/1.21.4.1
   ```
   
   ---
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] hndoss commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
hndoss commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1341080579

   > > * How to extract the authorization header from the payload? There is more data in the message that is not headers.
   > >   e.g.
   >
   > I do not quite understand, you can describe more detailed.
   
   authz-keycloak uses the authorization header in the requests, allowing Apisix to validate the permissions with Keycloak and thus decide whether to let the request through or return an error saying that it does not have the necessary permissions. This works great, except for websockets, because websockets [don't have this authorization header that the plugin uses.](https://github.com/joewalnes/reconnecting-websocket/issues/103)
   
   So, we are adding the authorization header as part of the request body, and not in the header. So, we need to somehow rewrite the request, taking the token from the request body and putting it in the header before the authz-keycloak plugin does its job.
   
   The problem is that in addition to the header, we are adding more information in the request body, so we need to parse the content of the request body and extract only the JWT. This is what we have thought to do; however, it is a good opportunity to see if there is any other approach.
   
   How to authorize websockets with Keycloak and Apisix if websockets don't use the authorization header?


[GitHub] [apisix] hndoss commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
hndoss commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1347598721

   Thanks for the help, but apparently our needs are not explained very well here, and therefore I will open a new one. 


[GitHub] [apisix] hndoss closed issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
hndoss closed issue #8466: help request: Parse $request_body and add authorization header when using websockets
URL: https://github.com/apache/apisix/issues/8466


[GitHub] [apisix] hndoss commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
hndoss commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1343035852

   > > > > * How to extract the authorization header from the payload? There is more data in the message that is not headers.
   > > > >   e.g.
   > > >
   > > > I do not quite understand, you can describe more detailed.
   > >
   > > authz-keycloak uses the authorization header in the requests allowing apisix to validate with Keycloak the permissions and thus decide whether to let the request through or return an error saying that it does not have the necessary permissions. This works great, except for websockets because websockets [don't have this authorization header that the plugin uses.](https://github.com/joewalnes/reconnecting-websocket/issues/103)
   > >
   > > So, we are adding the authorization header as part of the request body, and not in the header. So, we need to somehow rewrite the request, taking the token from the request body and putting it in the header before the authz-keycloak plugin does its job.
   > >
   > > The problem is that in addition to the header, we are adding more information in the request body so that we need to parse the content of the request body and extract only the JWT. This is what we have thought to do, however, it is a good opportunity to see if there is any other approach.
   > >
   > > How to authorize websockets with Keycloak and Apisix if Websockets don't use authorization header?
   >
   > Do you mean extracting credentials from websocket frames, or just the request body in the 101 handshake request?
   
   From the Websocket frames.


[GitHub] [apisix] tokers commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1341808415

   > > > * How to extract the authorization header from the payload? There is more data in the message that is not headers.
   > > >   e.g.
   > >
   > > I do not quite understand, you can describe more detailed.
   >
   > authz-keycloak uses the authorization header in the requests allowing apisix to validate with Keycloak the permissions and thus decide whether to let the request through or return an error saying that it does not have the necessary permissions. This works great, except for websockets because websockets [don't have this authorization header that the plugin uses.](https://github.com/joewalnes/reconnecting-websocket/issues/103)
   >
   > So, we are adding the authorization header as part of the request body, and not in the header. So, we need to somehow rewrite the request, taking the token from the request body and putting it in the header before the authz-keycloak plugin does its job.
   >
   > The problem is that in addition to the header, we are adding more information in the request body so that we need to parse the content of the request body and extract only the JWT. This is what we have thought to do, however, it is a good opportunity to see if there is any other approach.
   >
   > How to authorize websockets with Keycloak and Apisix if Websockets don't use authorization header?
   
   Do you mean extracting credentials from websocket frames, or just the request body in the 101 handshake request?


[GitHub] [apisix] tokers commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1345513803

   We have some options to achieve this.
   
   1. Write a piece of Lua code to implement this feature.
   2. Support a special APISIX variable, to fetch field from the request body, e.g., `$req_body_json_xxxx`.
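
Option 1 above, worked through for the message shape shown in the issue description, as an added example that is neither the issue author's code nor part of APISIX: a `serverless-pre-function` body that copies the token from the handshake request body into the Authorization header only when the client did not send that header, leaving `authz-keycloak` to validate it afterwards. It assumes the JSON is carried in the body of the HTTP upgrade request, since frames exchanged after the 101 response are not visible to APISIX plugin phases, and it assumes the `connection_init` / `payload.headers.authorization` field names from the issue.

```lua
-- Added example, not the issue author's code and not part of APISIX:
-- a serverless-pre-function body for the route that also carries authz-keycloak.
-- Assumption: the client sends the JSON from the issue in the body of the
-- HTTP upgrade request; frames after the 101 response never reach this hook.
return function(conf, ctx)
    -- Problem 1 from the issue: a header the client already sent is left untouched.
    -- ngx.req.get_headers() lower-cases header names, so "authorization" matches
    -- whatever capitalisation the client used.
    if ngx.req.get_headers()["authorization"] then
        return
    end

    ngx.req.read_body()
    local body = ngx.req.get_body_data()
    if not body then
        -- No body (or one spilled to a temp file): nothing to copy, so authz-keycloak
        -- will reject the request as unauthenticated, which is the safe default.
        return
    end

    -- cjson.safe returns nil instead of raising an error on malformed input.
    local cjson = require("cjson.safe")
    local msg = cjson.decode(body)
    if type(msg) ~= "table" or msg.type ~= "connection_init" then
        return
    end

    -- Problem 2 from the issue: the body carries more than headers, so walk the
    -- known path {"payload":{"headers":{"authorization":...}}} rather than
    -- pattern-matching the raw string, checking that each step is really an object.
    local payload = msg.payload
    if type(payload) ~= "table" or type(payload.headers) ~= "table" then
        return
    end
    local token = payload.headers.authorization
    -- Only forward a value that already has the shape authz-keycloak expects.
    if type(token) ~= "string" or not token:find("^Bearer ") then
        return
    end

    -- authz-keycloak runs later in the same access phase (lower plugin priority)
    -- and validates this token against Keycloak; it still makes the allow/deny decision.
    ngx.req.set_header("Authorization", token)
end
```

Register the function under `serverless-pre-function` with `"phase": "access"` on the same route as `authz-keycloak` (with `enable_websocket` set on the route); it runs before `authz-keycloak` because it has the higher plugin priority.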


[GitHub] [apisix] hndoss commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
hndoss commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1344494558

   > > > > * How to extract the authorization header from the payload? There is more data in the message that is not headers.
   > > > >   e.g.
   > > >
   > > > I do not quite understand, you can describe more detailed.
   > >
   > > authz-keycloak uses the authorization header in the requests allowing apisix to validate with Keycloak the permissions and thus decide whether to let the request through or return an error saying that it does not have the necessary permissions. This works great, except for websockets because websockets [don't have this authorization header that the plugin uses.](https://github.com/joewalnes/reconnecting-websocket/issues/103)
   > >
   > > So, we are adding the authorization header as part of the request body, and not in the header. So, we need to somehow rewrite the request, taking the token from the request body and putting it in the header before the authz-keycloak plugin does its job.
   > >
   > > The problem is that in addition to the header, we are adding more information in the request body so that we need to parse the content of the request body and extract only the JWT. This is what we have thought to do, however, it is a good opportunity to see if there is any other approach.
   > >
   > > How to authorize websockets with Keycloak and Apisix if Websockets don't use authorization header?
   >
   > Do you mean extracting credentials from websocket frames, or just the request body in the 101 handshake request?
   
   From the request body.


[GitHub] [apisix] tzssangglass commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1340343525

   > * How to extract the authorization header from the payload? There is more data in the message that is not headers.
   >   e.g.
   
   I do not quite understand; you can describe it in more detail.


[GitHub] [apisix] tzssangglass commented on issue #8466: help request: Parse $request_body and add authorization header when using websockets

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #8466:
URL: https://github.com/apache/apisix/issues/8466#issuecomment-1340342313

   > * Add the header if and only if it is not included in the request, we do not want to overwrite the content if it is present
   
   This has been supported by #8336 and will be released in the next version.
