request help: Could I use X-ID-Token header to visit the route protected by apisix openid-connect plugin #5311

Status: Open
haowang-pony opened this issue Oct 22, 2021 · 2 comments
Labels: enhancement (New feature or request)

haowang-pony commented Oct 22, 2021

Issue description

I want to implement such workflow
[image: Screenshot (56)]

However, I ran into two problems:

  1. The openid-connect plugin only reads the access_token when verifying the JWT token.
    local has_token, token, err = get_bearer_access_token(ctx)
  2. The openid-connect plugin only supports introspection_endpoint. Could we add a cert endpoint to the config, used to get the public key from Keycloak, so that we could verify the token after receiving the public key from Keycloak? Because I don't want to define public_key in ApisixRoute. It's ugly, and it would have problems if the Keycloak public key was changed.
    Why I don't use the authz-keycloak plugin: authz-keycloak requires a JWT token when requesting APISIX, but I also want to implement the following workflow, therefore I gave up on using the authz-keycloak plugin.

[image: Screenshot (57)]

For the first problem, maybe we could just add get_bearer_id_token() in the introspect function when there is no access token. If it makes sense, I could help to do that.

For the second problem, I'm not sure whether it's allowed to add a cert endpoint to the openid-connect config. If it's not allowed, I hope authz-keycloak could support this workflow. It should copy the main logic of the openid-connect plugin. If this makes sense, I could also contribute to this and write an article about how to integrate with Keycloak.

Environment

  • apisix version (cmd: apisix version):
  • OS (cmd: uname -a):
  • OpenResty / Nginx version (cmd: nginx -V or openresty -V):
  • etcd version, if have (cmd: run curl http://127.0.0.1:9090/v1/server_info to get the info from server-info API):
  • apisix-dashboard version, if have:
  • the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
  • luarocks version, if the issue is about installation (cmd: luarocks --version):
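The two changes the issue asks for (fall back to an X-ID-Token header when no Bearer access token is present, and resolve the verification key from the provider's cert endpoint by `kid` instead of a `public_key` pinned in the route) are modelled below as an added Python example. It is not APISIX or lua-resty-openidc code. Assumptions: the tokens are HS256 so the example runs on the standard library alone (Keycloak's `/protocol/openid-connect/certs` endpoint actually publishes RS256 keys, so a real gateway verifies RSA signatures), the JWKS document is constructed inline rather than fetched over HTTP, and the header names and the `authorize`/`JwksCache` helpers are hypothetical.

```python
"""Added example, not APISIX or lua-resty-openidc code.
Models: (1) Bearer access token with X-ID-Token fallback, (2) key lookup by kid
from a cert-endpoint JWKS, with a refetch on unknown kid so key rotation needs
no route-config change.  HS256 and an inline JWKS are assumptions made so the
example runs offline on the standard library; Keycloak really serves RS256 keys."""
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = {"HS256"}  # explicit allowlist: rejects alg=none and algorithm confusion

# Constructed secrets and JWKS (stand-in for the certs endpoint response).
SECRET_1 = b"constructed-secret-one-at-least-32-bytes!"
SECRET_2 = b"constructed-secret-two-at-least-32-bytes!"
KEYS = []  # mutated by run_demo() to simulate rotation at the provider


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwk_entry(kid, secret):
    return {"kty": "oct", "kid": kid, "k": b64url_encode(secret)}


def fetch_certs():
    """Stand-in for GET <issuer>/protocol/openid-connect/certs."""
    return {"keys": list(KEYS)}


class JwksCache:
    """Caches keys from the cert endpoint; refetches when a kid is unknown.
    A real gateway would also rate-limit refetches so a flood of tokens with
    bogus kids cannot be used to hammer the provider."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.keys = {}
        self.refreshes = 0

    def get(self, kid):
        if kid not in self.keys:
            self.keys = {k["kid"]: k for k in self.fetch()["keys"]}
            self.refreshes += 1
        return self.keys.get(kid)


def extract_token(headers):
    """Bearer access token first; fall back to X-ID-Token as the issue proposes."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    return headers.get("x-id-token")


def sign_jwt(claims, kid, secret):
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_jwt(token, jwks, now=None):
    """Returns (claims, None) on success or (None, reason) on failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None, "malformed token"
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:
        return None, "algorithm not allowed"
    key = jwks.get(header.get("kid"))
    if key is None or key.get("kty") != "oct":
        return None, "unknown kid"
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None, "token expired"
    return claims, None


def authorize(headers, cache, now):
    """Gateway decision for one request: (status, claims-or-reason)."""
    token = extract_token(headers)
    if not token:
        return 401, "no token"
    claims, err = verify_jwt(token, cache, now)
    return (401, err) if err else (200, claims)


def run_demo():
    now = 1_700_000_000
    KEYS[:] = [jwk_entry("k1", SECRET_1)]
    cache = JwksCache(fetch_certs)
    good = sign_jwt({"sub": "alice", "exp": now + 300}, "k1", SECRET_1)
    r = {}
    r["bearer"] = authorize({"authorization": "Bearer " + good}, cache, now)[0]
    r["id_token_header"] = authorize({"x-id-token": good}, cache, now)[0]
    r["missing"] = authorize({}, cache, now)[1]
    # Forgery attempt: header rewritten to alg=none, signature dropped.
    forged = b64url_encode(b'{"alg":"none","kid":"k1"}') + "." + good.split(".")[1] + "."
    r["alg_none"] = authorize({"x-id-token": forged}, cache, now)[1]
    r["expired"] = authorize({"x-id-token": sign_jwt({"exp": now - 1}, "k1", SECRET_1)}, cache, now)[1]
    # Provider rotates its key: k1 disappears, k2 appears, no route edit needed.
    KEYS[:] = [jwk_entry("k2", SECRET_2)]
    rotated = sign_jwt({"sub": "alice", "exp": now + 300}, "k2", SECRET_2)
    r["after_rotation"] = authorize({"authorization": "Bearer " + rotated}, cache, now)[0]
    r["refreshes"] = cache.refreshes
    return r


if __name__ == "__main__":
    print(run_demo())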
@spacewander
Copy link
Member

PR is welcome!
For the second problem, we can try to add cert endpoint for it.

@spacewander spacewander added the enhancement New feature or request label Oct 25, 2021
@spacewander
Copy link
Member

BTW, please submit a separate PR for each problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants