amyrprv commented on issue #9073:
URL: https://github.com/apache/apisix/issues/9073#issuecomment-1474878438
I duplicated the `key-auth` plugin and modified it to read the `azp`
attribute from the JWT payload, and then I used the `consumer-restriction`
plugin on services to whitelist consumers. Is this a good approach for this
use case?
Here is my code:
```
local core = require("apisix.core")
local jwt = require("resty.jwt")
local consumer_mod = require("apisix.consumer")
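local plugin_name = "j-auth"
local sub_str = string.sub

-- Route/service-level plugin schema: where the token is read from and whether
-- it is stripped from the request before it is proxied upstream.
local schema = {
    type = "object",
    properties = {
        header = {
            type = "string",
            default = "apikey",
        },
        query = {
            type = "string",
            default = "apikey",
        },
        hide_credentials = {
            type = "boolean",
            default = false,
        }
    },
}

-- Consumer schema. `key` must match the token's `azp` claim and is the lookup
-- key; `secret` is the shared HMAC secret used to verify the token signature
-- (a token whose `azp` names a consumer is worthless without it, since the
-- payload can be forged). Both are credentials, so both are in encrypt_fields.
local consumer_schema = {
    type = "object",
    properties = {
        key = { type = "string" },
        secret = { type = "string" },
    },
    encrypt_fields = { "key", "secret" },
    required = { "key", "secret" },
}

local _M = {
    version = 0.1,
    priority = 2500,
    type = 'auth',
    name = plugin_name,
    schema = schema,
    consumer_schema = consumer_schema,
}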
--- Validate a configuration object against the matching schema.
-- @param conf table configuration to validate
-- @param schema_type core.schema.TYPE_CONSUMER selects `consumer_schema`;
--   any other value selects the route-level `schema`
-- @return whatever core.schema.check returns for that schema
function _M.check_schema(conf, schema_type)
    local target = schema
    if schema_type == core.schema.TYPE_CONSUMER then
        target = consumer_schema
    end
    return core.schema.check(target, conf)
end
--- Read the token from the configured request header.
-- A leading "Bearer " / "bearer " scheme is stripped. When `hide_credentials`
-- is set the header is removed from the request before the token is returned.
-- @param conf table plugin configuration (`header`, `hide_credentials`)
-- @param ctx table request context
-- @return string the token, or nothing when the header is absent
local function fetch_jwt_token(conf, ctx)
    local raw = core.request.header(ctx, conf.header)
    if not raw then
        return
    end
    if conf.hide_credentials then
        -- drop the header so the credential is not forwarded upstream
        core.request.set_header(ctx, conf.header, nil)
    end
    local scheme = sub_str(raw, 1, 7)
    if scheme ~= 'Bearer ' and scheme ~= 'bearer ' then
        return raw
    end
    return sub_str(raw, 8)
end
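--- Authenticate the request with a JWT whose `azp` claim names a consumer.
-- Token lookup order: the configured header (optionally "Bearer "-prefixed),
-- then the configured query argument. The consumer whose `key` equals the
-- token's `azp` claim is looked up, the token signature is verified with that
-- consumer's `secret`, and only then is the consumer attached to the ctx.
-- @param conf table plugin configuration (see `schema`)
-- @param ctx table request context
-- @return nil on success; otherwise 401 and a table with a `message`
function _M.rewrite(conf, ctx)
    local from_header = true
    -- Get token from the configured header first, then from the query string
    local key = fetch_jwt_token(conf, ctx)
    if not key then
        local uri_args = core.request.get_uri_args(ctx) or {}
        key = uri_args[conf.query]
        from_header = false
    end
    if not key then
        return 401, { message = "Missing API key found in request" }
    end

    -- load_jwt only parses the token; `valid` means well-formed, not signed by
    -- anyone we trust. Nothing in `payload` is trustworthy until
    -- verify_jwt_obj below reports `verified`.
    local jwt_obj = jwt:load_jwt(key)
    if not jwt_obj.valid then
        core.log.warn("JWT token invalid: ", jwt_obj.reason)
        return 401, { message = "JWT token invalid" }
    end

    -- `azp` is read from the still-unverified payload solely to choose which
    -- consumer's secret to verify against.
    key = jwt_obj.payload and jwt_obj.payload.azp
    if not key then
        return 401, { message = "missing user key in JWT token" }
    end

    local consumer_conf = consumer_mod.plugin(plugin_name)
    if not consumer_conf then
        return 401, { message = "Missing related consumer" }
    end

    local consumers = consumer_mod.consumers_kv(plugin_name, consumer_conf, "key")
    local consumer = consumers[key]
    if not consumer then
        return 401, { message = "Invalid API key in request" }
    end

    -- Verify the signature with the consumer's configured secret. Without this
    -- step any client could mint a token carrying an arbitrary `azp` and be
    -- attached as that consumer. The consumer schema must declare `secret`;
    -- a consumer without one is rejected rather than let through.
    local secret = consumer.auth_conf and consumer.auth_conf.secret
    if not secret then
        core.log.error("consumer ", key, " has no secret configured")
        return 401, { message = "JWT token invalid" }
    end
    -- Only shared-secret HMAC algorithms are accepted, matching the `secret`
    -- field; extend this allowlist deliberately if other algorithms are added.
    local alg = jwt_obj.header and jwt_obj.header.alg
    if alg ~= "HS256" and alg ~= "HS512" then
        core.log.warn("JWT alg not allowed: ", tostring(alg))
        return 401, { message = "JWT token invalid" }
    end
    jwt_obj = jwt:verify_jwt_obj(secret, jwt_obj)
    if not jwt_obj.verified then
        core.log.warn("JWT signature invalid: ", jwt_obj.reason)
        return 401, { message = "JWT token invalid" }
    end

    core.log.info("consumer: ", core.json.delay_encode(consumer))
    if conf.hide_credentials then
        if from_header then
            core.request.set_header(ctx, conf.header, nil)
        else
            local args = core.request.get_uri_args(ctx)
            args[conf.query] = nil
            core.request.set_uri_args(ctx, args)
        end
    end
    consumer_mod.attach_consumer(ctx, consumer, consumer_conf)
    core.log.info("hit j-auth rewrite")
end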
return _M
```