You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/04/11 14:12:47 UTC
[GitHub] [apisix] navendu-pottekkat opened a new pull request, #6824: docs: update "Authentication" Plugins
navendu-pottekkat opened a new pull request, #6824:
URL: https://github.com/apache/apisix/pull/6824
Signed-off-by: Navendu Pottekkat <na...@gmail.com>
### Description
<!-- Please include a summary of the change and which issue is fixed. -->
<!-- Please also include relevant motivation and context. -->
Updates the documentation of the "Authentication" Plugins.
Child PR of #6734
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] juzhiyuan commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
juzhiyuan commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r847993966
##########
docs/en/latest/plugins/authz-keycloak.md:
##########
@@ -23,118 +29,111 @@ title: authz-keycloak
## Description
-`authz-keycloak` is an authorization plugin to be used with the Keycloak Identity Server. Keycloak is an OAuth/OIDC and
-UMA compliant Identity Server. Although, it's developed working in conjunction with Keycloak it should work with any
-OAuth/OIDC and UMA compliant identity providers as well.
+The `authz-keycloak` Plugin can be used to add authentication with [Keycloak Identity Server](https://www.keycloak.org/).
-For more information on Keycloak, refer to [Keycloak Authorization Docs](https://www.keycloak.org/docs/latest/authorization_services) for more information.
+:::tip
+
+Although this Plugin was developed to work with Keycloak, it should work with any OAuth/OIDC and UMA compliant identity providers as well.
+
+:::
+
+Refer to [Authorization Services Guide](https://www.keycloak.org/docs/latest/authorization_services/) for more information on Keycloak.
## Attributes
-| Name | Type | Requirement | Default | Valid | Description |
-| ------------------------------ | ------------- | ----------- | --------------------------------------------- | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| discovery | string | optional | | https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to discovery document for Keycloak Authorization Services. |
-| token_endpoint | string | optional | | https://host.domain/auth/realms/foo/protocol/openid-connect/token | A OAuth2-compliant Token Endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type. Overrides value from discovery, if given. |
-| resource_registration_endpoint | string | optional | | https://host.domain/auth/realms/foo/authz/protection/resource_set | A Keycloak Protection API-compliant resource registration endpoint. Overrides value from discovery, if given. |
-| client_id | string | optional | | | The client identifier of the resource server to which the client is seeking access. One of `client_id` or `audience` is required. |
-| audience | string | optional | | | Legacy parameter now replaced by `client_id`. Kept for backwards compatibility. One of `client_id` or `audience` is required. |
-| client_secret | string | optional | | | The client secret, if required. |
-| grant_type | string | optional | "urn:ietf:params:oauth:grant-type:uma-ticket" | ["urn:ietf:params:oauth:grant-type:uma-ticket"] | |
-| policy_enforcement_mode | string | optional | "ENFORCING" | ["ENFORCING", "PERMISSIVE"] | |
-| permissions | array[string] | optional | | | Static permission to request, an array of strings each representing a resources and optionally one or more scopes the client is seeking access. |
-| lazy_load_paths | boolean | optional | false | | Dynamically resolve the request URI to resource(s) using the resource registration endpoint instead of using the static permission. |
-| http_method_as_scope | boolean | optional | false | | Map HTTP request type to scope of same name and add to all permissions requested. |
-| timeout | integer | optional | 3000 | [1000, ...] | Timeout(ms) for the http connection with the Identity Server. |
-| access_token_expires_in | integer | optional | 300 | [1, ...] | The expiration time(s) of the access token. |
-| access_token_expires_leeway | integer | optional | 0 | [0, ...] | Expiration leeway(s) for access_token renewal. If this is set, renewal will happen access_token_expires_leeway seconds before the token expiration. This avoids errors in case the access_token just expires when arriving to the OAuth Resource Server.|
-| refresh_token_expires_in | integer | optional | 3600 | [1, ...] | The expiration time(s) of the refresh token. |
-| refresh_token_expires_leeway | integer | optional | 0 | [0, ...] | Expiration leeway(s) for refresh_token renewal. If this is set, renewal will happen refresh_token_expires_leeway seconds before the token expiration. This avoids errors in case the refresh_token just expires when arriving to the OAuth Resource Server.|
-| ssl_verify | boolean | optional | true | | Verify if TLS certificate matches hostname. |
-| cache_ttl_seconds | integer | optional | 86400 (equivalent to 24h) | positive integer >= 1 | The maximum period in seconds up to which the plugin caches discovery documents and tokens, used by the plugin to authenticate to Keycloak. |
-| keepalive | boolean | optional | true | | Enable HTTP keep-alive to keep connections open after use. Set to `true` if you expect a lot of requests to Keycloak. |
-| keepalive_timeout | integer | optional | 60000 | positive integer >= 1000 | Idle timeout after which established HTTP connections will be closed. |
-| keepalive_pool | integer | optional | 5 | positive integer >= 1 | Maximum number of connections in the connection pool. |
-| access_denied_redirect_uri | string | optional | | [1, 2048] | Redirect unauthorized user with the given uri like "http://127.0.0.1/test", instead of returning `"error_description":"not_authorized"`. |
-| password_grant_token_generation_incoming_uri | string | optional | | /api/token | You can set this uri value to generate token using password grant type. Plugin will compare incoming request uri with this value. |
+| Name | Type | Required | Default | Valid values | Description |
+|----------------------------------------------|---------------|----------|-----------------------------------------------|--------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| discovery | string | False | | https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to [discovery document](https://www.keycloak.org/docs/14.0/authorization_services/#_service_authorization_api) of Keycloak Authorization Services. |
+| token_endpoint | string | False | | https://host.domain/auth/realms/foo/protocol/openid-connect/token | An OAuth2-compliant token endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type. If provided, overrides the value from discovery. |
+| resource_registration_endpoint | string | False | | https://host.domain/auth/realms/foo/authz/protection/resource_set | A UMA-compliant resource registration endpoint. If provided, overrides the value from discovery. |
+| client_id | string | False | | | The identifier of the resource server to which the client is seeking access. Either `client_id` or `audience` is required. |
+| audience | string | False | | | Legacy parameter now replaced by `client_id` kept for backwards compatibility. Either `client_id` or `audience` is required. |
+| client_secret | string | False | | | The client secret, if required. |
+| grant_type | string | False | "urn:ietf:params:oauth:grant-type:uma-ticket" | ["urn:ietf:params:oauth:grant-type:uma-ticket"] | |
+| policy_enforcement_mode | string | False | "ENFORCING" | ["ENFORCING", "PERMISSIVE"] | |
+| permissions | array[string] | False | | | An array of strings, each representing a set of one or more resources and scopes the client is seeking access. |
+| lazy_load_paths | boolean | False | false | | When set to true, dynamically resolves the request URI to resource(s) using the resource registration endpoint instead of the static permission. |
+| http_method_as_scope | boolean | optional | false | | When set to true, maps the HTTP request type to scope of the same name and adds to all requested permissions. |
+| timeout | integer | optional | 3000 | [1000, ...] | Timeout in ms for the HTTP connection with the Identity Server. |
+| access_token_expires_in | integer | optional | 300 | [1, ...] | Expiration time(s) of the access token. |
Review Comment:
Hi, should we use `True/False` for the `Required` field?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] hf400159 commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
hf400159 commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r847437789
##########
docs/en/latest/plugins/hmac-auth.md:
##########
@@ -266,10 +282,13 @@ plugin_attr:
body_digest_key: X-APISIX-HMAC-BODY-DIGEST
```
-**After customizing the header, request example:**
+Now you can use the new keys while making a request:
+
+```shell
+curl http://127.0.0.1:9080/index.html -H 'X-APISIX-HMAC-SIGNATURE: base64_encode(SIGNATURE)' -H 'X-APISIX-HMAC-ALGORITHM: ALGORITHM' -H 'X-APISIX-DATE: DATE' -H 'X-APISIX-HMAC-ACCESS-KEY: ACCESS_KEY' -H 'X-APISIX-HMAC-SIGNED-HEADERS: SIGNED_HEADERS' -H 'X-APISIX-HMAC-BODY-DIGEST: BODY_DIGEST' -i
Review Comment:
```suggestion
curl http://127.0.0.1:9080/index.html \
-H 'X-APISIX-HMAC-SIGNATURE: base64_encode(SIGNATURE)' \
-H 'X-APISIX-HMAC-ALGORITHM: ALGORITHM' \
-H 'X-APISIX-DATE: DATE' \
-H 'X-APISIX-HMAC-ACCESS-KEY: ACCESS_KEY' \
-H 'X-APISIX-HMAC-SIGNED-HEADERS: SIGNED_HEADERS' \
-H 'X-APISIX-HMAC-BODY-DIGEST: BODY_DIGEST' -i
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] bisakhmondal commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
bisakhmondal commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r850086404
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -174,29 +207,20 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
}'
```
-This plugin uses rsa public key from consumer configuration and uses the private key directly fetched from vault.
Review Comment:
Gotcha!
##########
docs/en/latest/plugins/wolf-rbac.md:
##########
@@ -99,14 +102,20 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1
}'
```
-## Test Plugin
+You can also use the [APISIX Dashboard](/docs/dashboard/USER_GUIDE) to complete the operation through a web UI.
-#### Setup routes for public API
+<!--
+
+
+
+-->
Review Comment:
By the way, just curious is it intentional or some debug comment?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] spacewander merged pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
spacewander merged PR #6824:
URL: https://github.com/apache/apisix/pull/6824
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] navendu-pottekkat commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
navendu-pottekkat commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r850081403
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -174,29 +207,20 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
}'
```
-This plugin uses rsa public key from consumer configuration and uses the private key directly fetched from vault.
Review Comment:
I had moved the line to above the code block. We do mention this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] bisakhmondal commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
bisakhmondal commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r849589972
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -23,47 +29,58 @@ title: jwt-auth
## Description
-`jwt-auth` is an authentication plugin that need to work with `consumer`. Add JWT Authentication to a `service` or `route`.
+The `jwt-auth` Plugin is used to add [JWT](https://jwt.io/) authentication to a [Service](../terminology/service.md) or a [Route](../terminology/route.md).
-The `consumer` then adds its key to the query string parameter, request header, or `cookie` to verify its request.
+A [Consumer](../terminology/consumer.md) of the service then needs to provide a key through a query string, a request header or a cookie to verify its request.
-For more information on JWT, refer to [JWT](https://jwt.io/) for more information.
-
-`jwt-auth` plugin can be integrated with HashiCorp Vault for storing and fetching secrets, RSA key pairs from its encrypted kv engine. See the [examples](#enable-jwt-auth-with-vault-compatibility) below to have an overview of how things work.
+The `jwt-auth` Plugin can be integrated with [HashiCorp Vault](https://www.vaultproject.io/) to store and fetch secrets and RSA keys pairs from its [encrypted KV engine](https://www.vaultproject.io/docs/secrets/kv). Learn more from the [examples](#enable-jwt-auth-with-vault-compatibility) below.
## Attributes
-For consumer side:
+For Consumer:
+
+| Name | Type | Required | Default | Valid values | Description |
+|---------------|---------|-------------------------------------------------------|---------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| key | string | True | | | Unique key for a Consumer. |
+| secret | string | False | | | The encryption key. If unspecified, auto generated in the background. |
+| public_key | string | True if `RS256` is set for the `algorithm` attribute. | | | RSA public key. |
+| private_key | string | True if `RS256` is set for the `algorithm` attribute. | | | RSA private key. |
+| algorithm | string | False | "HS256" | ["HS256", "HS512", "RS256"] | Encryption algorithm. |
+| exp | integer | False | 86400 | [1,...] | Expiry time of the token in seconds. |
+| base64_secret | boolean | False | false | | Set to true if the secret is base64 encoded. |
+| vault | object | False | | | Set to true to use Vault for storing and retrieving secret (secret for HS256/HS512 or public_key and private_key for RS256). By default, the Vault path is `kv/apisix/consumer//jwt-auth`. |
Review Comment:
```suggestion
| vault | object | False | | | Set to true to use Vault for storing and retrieving secret (secret for HS256/HS512 or public_key and private_key for RS256). By default, the Vault path is `kv/apisix/consumer/<consumer_name>/jwt-auth`. `consumer_name` is the name of your consumer that you have defined while creating a consumer object in APISIX. |
```
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -114,15 +135,23 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
}'
```
-### Enable jwt-auth with Vault Compatibility
+### Usage with HashiCorp Vault
+
+[HashiCorp Vault](https://www.vaultproject.io/) offers a centralized key management solution and it can be used along with APISIX for authentication.
+
+So, if your organization changes the secret/keys (secret for HS256/HS512 or public_key and private_key for RS256) and you don't want to update the APISIX consumer each time or if you don't want to use the key through the Admin API, you can use Vault and the `jwt-auth` Plugin.
Review Comment:
```suggestion
So, if your organization changes the secret/keys (secret for HS256/HS512 or public_key and private_key for RS256) frequently and you don't want to update the APISIX consumer each time or if you don't want to use the key through the Admin API (to reduce secret sprawl), you can enable Vault support into the `jwt-auth` Plugin.
```
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -114,15 +135,23 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
}'
```
-### Enable jwt-auth with Vault Compatibility
+### Usage with HashiCorp Vault
+
+[HashiCorp Vault](https://www.vaultproject.io/) offers a centralized key management solution and it can be used along with APISIX for authentication.
+
+So, if your organization changes the secret/keys (secret for HS256/HS512 or public_key and private_key for RS256) and you don't want to update the APISIX consumer each time or if you don't want to use the key through the Admin API, you can use Vault and the `jwt-auth` Plugin.
+
+:::note
-Sometimes, it's quite natural in production to have a centralized key management solution like [HashiCorp Vault](https://www.vaultproject.io/) where you don't have to update the APISIX consumer each time some part of your organization changes the signing secret key (secret for HS256/HS512 or public_key and private_key for RS256) and/or for privacy concerns you don't want to use the key through APISIX admin APIs. APISIX got you covered here. The `jwt-auth` is capable of referencing keys from vault.
+The current version of Apache APISIX expects the key names of the secret/keys in Vault to be `secret`, `public_key`, `private_key`.
Review Comment:
Let's not use `secret/keys` here - people might think it's a vault path.
```suggestion
The current version of Apache APISIX expects the key name of secrets stored in the Vault path is among [ `secret`, `public_key`, `private_key` ]. The first one is for HS256/HS512 and the last two are for the RS256 algorithm.
```
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -174,29 +207,20 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
}'
```
-This plugin uses rsa public key from consumer configuration and uses the private key directly fetched from vault.
Review Comment:
Please keep this line. It's important to deliver the message.
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -137,14 +166,16 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
}'
```
-Here the plugin looks up for key `secret` inside vault path (`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`) for consumer username `jack` mentioned in the consumer config and uses it for subsequent signing and jwt verification. If the key is not found in the same path, the plugin logs error and fails to perform jwt authentication.
+The Plugin will look for a key "secret" in the provided Vault path (`<vault.prefix>/consumer/jack/jwt-auth`) and uses it for JWT authentication.
Review Comment:
```suggestion
The Plugin will look for a key "secret" in the provided Vault path (`<vault.prefix>/consumer/jack/jwt-auth`) and uses it for JWT authentication. The vault prefix can be set in the config yaml file based on the base path that you have chosen while enabling the Vault kv secret engine (eg: `vault secrets enable -path=foobar kv`, you should use `foobar` as `vault.prefix` in the config file).
```
Just to give some context.
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -137,14 +166,16 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
}'
```
-Here the plugin looks up for key `secret` inside vault path (`<vault.prefix from conf.yaml>/consumer/jack/jwt-auth`) for consumer username `jack` mentioned in the consumer config and uses it for subsequent signing and jwt verification. If the key is not found in the same path, the plugin logs error and fails to perform jwt authentication.
+The Plugin will look for a key "secret" in the provided Vault path (`<vault.prefix>/consumer/jack/jwt-auth`) and uses it for JWT authentication.
Review Comment:
Also this message is important, can we embed it here somehow as the lookup is dynamic based on the username of the consumer and users should know what would happen if the key path is empty (though obvious but we should be explicit i think). WDYT?
`
consumer username `jack` mentioned in the consumer config and uses it for subsequent signing and jwt verification. If the key is not found in the same path, the plugin logs error and fails to perform jwt authentication.
`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] navendu-pottekkat commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
navendu-pottekkat commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r850083030
##########
docs/en/latest/plugins/jwt-auth.md:
##########
@@ -174,29 +207,20 @@ curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
}'
```
-This plugin uses rsa public key from consumer configuration and uses the private key directly fetched from vault.
Review Comment:
I had moved the line to above the code block. We do mention this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] navendu-pottekkat commented on pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
navendu-pottekkat commented on PR #6824:
URL: https://github.com/apache/apisix/pull/6824#issuecomment-1098709708
@bisakhmondal I have made the changes as you suggested. Please review.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] navendu-pottekkat commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
navendu-pottekkat commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r848580538
##########
docs/en/latest/plugins/authz-keycloak.md:
##########
@@ -23,118 +29,111 @@ title: authz-keycloak
## Description
-`authz-keycloak` is an authorization plugin to be used with the Keycloak Identity Server. Keycloak is an OAuth/OIDC and
-UMA compliant Identity Server. Although, it's developed working in conjunction with Keycloak it should work with any
-OAuth/OIDC and UMA compliant identity providers as well.
+The `authz-keycloak` Plugin can be used to add authentication with [Keycloak Identity Server](https://www.keycloak.org/).
-For more information on Keycloak, refer to [Keycloak Authorization Docs](https://www.keycloak.org/docs/latest/authorization_services) for more information.
+:::tip
+
+Although this Plugin was developed to work with Keycloak, it should work with any OAuth/OIDC and UMA compliant identity providers as well.
+
+:::
+
+Refer to [Authorization Services Guide](https://www.keycloak.org/docs/latest/authorization_services/) for more information on Keycloak.
## Attributes
-| Name | Type | Requirement | Default | Valid | Description |
-| ------------------------------ | ------------- | ----------- | --------------------------------------------- | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| discovery | string | optional | | https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to discovery document for Keycloak Authorization Services. |
-| token_endpoint | string | optional | | https://host.domain/auth/realms/foo/protocol/openid-connect/token | A OAuth2-compliant Token Endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type. Overrides value from discovery, if given. |
-| resource_registration_endpoint | string | optional | | https://host.domain/auth/realms/foo/authz/protection/resource_set | A Keycloak Protection API-compliant resource registration endpoint. Overrides value from discovery, if given. |
-| client_id | string | optional | | | The client identifier of the resource server to which the client is seeking access. One of `client_id` or `audience` is required. |
-| audience | string | optional | | | Legacy parameter now replaced by `client_id`. Kept for backwards compatibility. One of `client_id` or `audience` is required. |
-| client_secret | string | optional | | | The client secret, if required. |
-| grant_type | string | optional | "urn:ietf:params:oauth:grant-type:uma-ticket" | ["urn:ietf:params:oauth:grant-type:uma-ticket"] | |
-| policy_enforcement_mode | string | optional | "ENFORCING" | ["ENFORCING", "PERMISSIVE"] | |
-| permissions | array[string] | optional | | | Static permission to request, an array of strings each representing a resources and optionally one or more scopes the client is seeking access. |
-| lazy_load_paths | boolean | optional | false | | Dynamically resolve the request URI to resource(s) using the resource registration endpoint instead of using the static permission. |
-| http_method_as_scope | boolean | optional | false | | Map HTTP request type to scope of same name and add to all permissions requested. |
-| timeout | integer | optional | 3000 | [1000, ...] | Timeout(ms) for the http connection with the Identity Server. |
-| access_token_expires_in | integer | optional | 300 | [1, ...] | The expiration time(s) of the access token. |
-| access_token_expires_leeway | integer | optional | 0 | [0, ...] | Expiration leeway(s) for access_token renewal. If this is set, renewal will happen access_token_expires_leeway seconds before the token expiration. This avoids errors in case the access_token just expires when arriving to the OAuth Resource Server.|
-| refresh_token_expires_in | integer | optional | 3600 | [1, ...] | The expiration time(s) of the refresh token. |
-| refresh_token_expires_leeway | integer | optional | 0 | [0, ...] | Expiration leeway(s) for refresh_token renewal. If this is set, renewal will happen refresh_token_expires_leeway seconds before the token expiration. This avoids errors in case the refresh_token just expires when arriving to the OAuth Resource Server.|
-| ssl_verify | boolean | optional | true | | Verify if TLS certificate matches hostname. |
-| cache_ttl_seconds | integer | optional | 86400 (equivalent to 24h) | positive integer >= 1 | The maximum period in seconds up to which the plugin caches discovery documents and tokens, used by the plugin to authenticate to Keycloak. |
-| keepalive | boolean | optional | true | | Enable HTTP keep-alive to keep connections open after use. Set to `true` if you expect a lot of requests to Keycloak. |
-| keepalive_timeout | integer | optional | 60000 | positive integer >= 1000 | Idle timeout after which established HTTP connections will be closed. |
-| keepalive_pool | integer | optional | 5 | positive integer >= 1 | Maximum number of connections in the connection pool. |
-| access_denied_redirect_uri | string | optional | | [1, 2048] | Redirect unauthorized user with the given uri like "http://127.0.0.1/test", instead of returning `"error_description":"not_authorized"`. |
-| password_grant_token_generation_incoming_uri | string | optional | | /api/token | You can set this uri value to generate token using password grant type. Plugin will compare incoming request uri with this value. |
+| Name | Type | Required | Default | Valid values | Description |
+|----------------------------------------------|---------------|----------|-----------------------------------------------|--------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| discovery | string | False | | https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to [discovery document](https://www.keycloak.org/docs/14.0/authorization_services/#_service_authorization_api) of Keycloak Authorization Services. |
+| token_endpoint | string | False | | https://host.domain/auth/realms/foo/protocol/openid-connect/token | An OAuth2-compliant token endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type. If provided, overrides the value from discovery. |
+| resource_registration_endpoint | string | False | | https://host.domain/auth/realms/foo/authz/protection/resource_set | A UMA-compliant resource registration endpoint. If provided, overrides the value from discovery. |
+| client_id | string | False | | | The identifier of the resource server to which the client is seeking access. Either `client_id` or `audience` is required. |
+| audience | string | False | | | Legacy parameter now replaced by `client_id` kept for backwards compatibility. Either `client_id` or `audience` is required. |
+| client_secret | string | False | | | The client secret, if required. |
+| grant_type | string | False | "urn:ietf:params:oauth:grant-type:uma-ticket" | ["urn:ietf:params:oauth:grant-type:uma-ticket"] | |
+| policy_enforcement_mode | string | False | "ENFORCING" | ["ENFORCING", "PERMISSIVE"] | |
+| permissions | array[string] | False | | | An array of strings, each representing a set of one or more resources and scopes the client is seeking access. |
+| lazy_load_paths | boolean | False | false | | When set to true, dynamically resolves the request URI to resource(s) using the resource registration endpoint instead of the static permission. |
+| http_method_as_scope | boolean | optional | false | | When set to true, maps the HTTP request type to scope of the same name and adds to all requested permissions. |
+| timeout | integer | optional | 3000 | [1000, ...] | Timeout in ms for the HTTP connection with the Identity Server. |
+| access_token_expires_in | integer | optional | 300 | [1, ...] | Expiration time(s) of the access token. |
Review Comment:
@juzhiyuan Fixed this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] hf400159 commented on pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
hf400159 commented on PR #6824:
URL: https://github.com/apache/apisix/pull/6824#issuecomment-1096540344
I will modify the Chinese version synchronously.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] navendu-pottekkat commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
navendu-pottekkat commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r848441309
##########
docs/en/latest/plugins/authz-keycloak.md:
##########
@@ -23,118 +29,111 @@ title: authz-keycloak
## Description
-`authz-keycloak` is an authorization plugin to be used with the Keycloak Identity Server. Keycloak is an OAuth/OIDC and
-UMA compliant Identity Server. Although, it's developed working in conjunction with Keycloak it should work with any
-OAuth/OIDC and UMA compliant identity providers as well.
+The `authz-keycloak` Plugin can be used to add authentication with [Keycloak Identity Server](https://www.keycloak.org/).
-For more information on Keycloak, refer to [Keycloak Authorization Docs](https://www.keycloak.org/docs/latest/authorization_services) for more information.
+:::tip
+
+Although this Plugin was developed to work with Keycloak, it should work with any OAuth/OIDC and UMA compliant identity providers as well.
+
+:::
+
+Refer to [Authorization Services Guide](https://www.keycloak.org/docs/latest/authorization_services/) for more information on Keycloak.
## Attributes
-| Name | Type | Requirement | Default | Valid | Description |
-| ------------------------------ | ------------- | ----------- | --------------------------------------------- | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| discovery | string | optional | | https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to discovery document for Keycloak Authorization Services. |
-| token_endpoint | string | optional | | https://host.domain/auth/realms/foo/protocol/openid-connect/token | A OAuth2-compliant Token Endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type. Overrides value from discovery, if given. |
-| resource_registration_endpoint | string | optional | | https://host.domain/auth/realms/foo/authz/protection/resource_set | A Keycloak Protection API-compliant resource registration endpoint. Overrides value from discovery, if given. |
-| client_id | string | optional | | | The client identifier of the resource server to which the client is seeking access. One of `client_id` or `audience` is required. |
-| audience | string | optional | | | Legacy parameter now replaced by `client_id`. Kept for backwards compatibility. One of `client_id` or `audience` is required. |
-| client_secret | string | optional | | | The client secret, if required. |
-| grant_type | string | optional | "urn:ietf:params:oauth:grant-type:uma-ticket" | ["urn:ietf:params:oauth:grant-type:uma-ticket"] | |
-| policy_enforcement_mode | string | optional | "ENFORCING" | ["ENFORCING", "PERMISSIVE"] | |
-| permissions | array[string] | optional | | | Static permission to request, an array of strings each representing a resources and optionally one or more scopes the client is seeking access. |
-| lazy_load_paths | boolean | optional | false | | Dynamically resolve the request URI to resource(s) using the resource registration endpoint instead of using the static permission. |
-| http_method_as_scope | boolean | optional | false | | Map HTTP request type to scope of same name and add to all permissions requested. |
-| timeout | integer | optional | 3000 | [1000, ...] | Timeout(ms) for the http connection with the Identity Server. |
-| access_token_expires_in | integer | optional | 300 | [1, ...] | The expiration time(s) of the access token. |
-| access_token_expires_leeway | integer | optional | 0 | [0, ...] | Expiration leeway(s) for access_token renewal. If this is set, renewal will happen access_token_expires_leeway seconds before the token expiration. This avoids errors in case the access_token just expires when arriving to the OAuth Resource Server.|
-| refresh_token_expires_in | integer | optional | 3600 | [1, ...] | The expiration time(s) of the refresh token. |
-| refresh_token_expires_leeway | integer | optional | 0 | [0, ...] | Expiration leeway(s) for refresh_token renewal. If this is set, renewal will happen refresh_token_expires_leeway seconds before the token expiration. This avoids errors in case the refresh_token just expires when arriving to the OAuth Resource Server.|
-| ssl_verify | boolean | optional | true | | Verify if TLS certificate matches hostname. |
-| cache_ttl_seconds | integer | optional | 86400 (equivalent to 24h) | positive integer >= 1 | The maximum period in seconds up to which the plugin caches discovery documents and tokens, used by the plugin to authenticate to Keycloak. |
-| keepalive | boolean | optional | true | | Enable HTTP keep-alive to keep connections open after use. Set to `true` if you expect a lot of requests to Keycloak. |
-| keepalive_timeout | integer | optional | 60000 | positive integer >= 1000 | Idle timeout after which established HTTP connections will be closed. |
-| keepalive_pool | integer | optional | 5 | positive integer >= 1 | Maximum number of connections in the connection pool. |
-| access_denied_redirect_uri | string | optional | | [1, 2048] | Redirect unauthorized user with the given uri like "http://127.0.0.1/test", instead of returning `"error_description":"not_authorized"`. |
-| password_grant_token_generation_incoming_uri | string | optional | | /api/token | You can set this uri value to generate token using password grant type. Plugin will compare incoming request uri with this value. |
+| Name | Type | Required | Default | Valid values | Description |
+|----------------------------------------------|---------------|----------|-----------------------------------------------|--------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| discovery | string | False | | https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to [discovery document](https://www.keycloak.org/docs/14.0/authorization_services/#_service_authorization_api) of Keycloak Authorization Services. |
+| token_endpoint | string | False | | https://host.domain/auth/realms/foo/protocol/openid-connect/token | An OAuth2-compliant token endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type. If provided, overrides the value from discovery. |
+| resource_registration_endpoint | string | False | | https://host.domain/auth/realms/foo/authz/protection/resource_set | A UMA-compliant resource registration endpoint. If provided, overrides the value from discovery. |
+| client_id | string | False | | | The identifier of the resource server to which the client is seeking access. Either `client_id` or `audience` is required. |
+| audience | string | False | | | Legacy parameter now replaced by `client_id` kept for backwards compatibility. Either `client_id` or `audience` is required. |
+| client_secret | string | False | | | The client secret, if required. |
+| grant_type | string | False | "urn:ietf:params:oauth:grant-type:uma-ticket" | ["urn:ietf:params:oauth:grant-type:uma-ticket"] | |
+| policy_enforcement_mode | string | False | "ENFORCING" | ["ENFORCING", "PERMISSIVE"] | |
+| permissions | array[string] | False | | | An array of strings, each representing a set of one or more resources and scopes the client is seeking access. |
+| lazy_load_paths | boolean | False | false | | When set to true, dynamically resolves the request URI to resource(s) using the resource registration endpoint instead of the static permission. |
+| http_method_as_scope | boolean | optional | false | | When set to true, maps the HTTP request type to scope of the same name and adds to all requested permissions. |
+| timeout | integer | optional | 3000 | [1000, ...] | Timeout in ms for the HTTP connection with the Identity Server. |
+| access_token_expires_in | integer | optional | 300 | [1, ...] | Expiration time(s) of the access token. |
Review Comment:
Yes. Good find. I missed it. Will make the change ASAP.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] bisakhmondal commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
bisakhmondal commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r850099678
##########
docs/en/latest/plugins/wolf-rbac.md:
##########
@@ -99,14 +102,20 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1
}'
```
-## Test Plugin
+You can also use the [APISIX Dashboard](/docs/dashboard/USER_GUIDE) to complete the operation through a web UI.
-#### Setup routes for public API
+<!--
+
+
+
+-->
Review Comment:
Sounds great :+1: . Please make sure you are keeping it tracked in an issue or somewhere so that people know/track the purpose/progress.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] navendu-pottekkat commented on a diff in pull request #6824: docs: update "Authentication" Plugins
Posted by GitBox <gi...@apache.org>.
navendu-pottekkat commented on code in PR #6824:
URL: https://github.com/apache/apisix/pull/6824#discussion_r850089734
##########
docs/en/latest/plugins/wolf-rbac.md:
##########
@@ -99,14 +102,20 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f1
}'
```
-## Test Plugin
+You can also use the [APISIX Dashboard](/docs/dashboard/USER_GUIDE) to complete the operation through a web UI.
-#### Setup routes for public API
+<!--
+
+
+
+-->
Review Comment:
It was intentional. We can move the docs for the dashboard to a single place. It gets repeated on every page. I commented this out just so that we know we have these images. Can delete these images or repurpose them on different pages in the future.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org