nic-chen commented on code in PR #11987:
URL: https://github.com/apache/apisix/pull/11987#discussion_r1966676298


##########
apisix/plugins/openid-connect.lua:
##########
@@ -89,6 +90,33 @@ local schema = {
             type = "string",
             default = "apisix",
         },
+        claim_validator = {
+            type = "object",
+            properties = {
+                audience = {
+                    type = "object",
+                    description = "audience claim value to validate",
+                    properties = {
+                        claim = {
+                            type = "string",
+                            description = "custom claim name",
+                            default = "aud",
+                        },
+                        required = {
+                            type = "boolean",
+                            description = "audience claim is required",
+                            default = false,
+                        },
+                        match_with_client_id = {
+                            type = "boolean",
+                            description = "audience must euqal to or includes 
client_id",
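Review bot: The description string for `match_with_client_id` has a typo, `euqal`; since this text is published as part of the plugin schema it should read `description = "audience must equal or include client_id",`. The `match_with_client_id` object and the enclosing schema table continue past the end of the quoted hunk, so I cannot see whether it declares a `default`; a `default = false` like the sibling `required` property would make the opt-in nature of the check explicit to readers of the schema.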

Review Comment:
   From the code, it can only be equals?



##########
apisix/plugins/openid-connect.lua:
##########
@@ -547,6 +575,40 @@ function _M.rewrite(plugin_conf, ctx)
                     return 403, core.json.encode(error_response)
                 end
             end
+
+            -- jwt audience claim validator
+            local audience_claim = core.table.try_read_attr(conf, 
"claim_validator",
+                                                             "audience", 
"claim") or "aud"
+            local audience_value = response[audience_claim]
+            if core.table.try_read_attr(conf, "claim_validator", "audience", 
"required")
+                and not audience_value then
+                core.log.error("OIDC introspection failed: required audience 
(",
+                                audience_claim, ") not present")
+                local error_response = { error = "required audience claim not 
present" }
+                return 403, core.json.encode(error_response)
+            end
+            if core.table.try_read_attr(conf, "claim_validator", "audience", 
"match_with_client_id")
+                and audience_value ~= nil then
+                local error_response = { error = "mismatched audience" }
+                local matched = false
+                if type(audience_value) == "table" then
+                    for _, v in ipairs(audience_value) do
+                        if conf.client_id == v then
+                            matched = true
+                        end
+                    end
+                    if not matched then
+                        core.log.error("OIDC introspection failed: ",
+                                        "audience list does not contain the 
client id")
+                        return 403, core.json.encode(error_response)
+                    end
+                elseif conf.client_id ~= audience_value then
+                    core.log.error("OIDC introspection failed: ",
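Review bot: A token that carries no audience claim at all is still accepted when `match_with_client_id` is enabled but `required` is left at its default `false`: the presence check runs only under `required`, and the match branch is guarded by `and audience_value ~= nil`, so the match is skipped rather than failed. If that pass-through is intended it should be stated in the schema description for `match_with_client_id`; otherwise make the match imply presence, e.g. change the first condition to `if (core.table.try_read_attr(conf, "claim_validator", "audience", "required") or core.table.try_read_attr(conf, "claim_validator", "audience", "match_with_client_id")) and not audience_value then`. Reading the `audience` sub-table once into a local instead of calling `try_read_attr` three times would keep these conditions readable, and the `ipairs` loop can `break` on the first match. `_M.rewrite` begins before the hunk and the `elseif` branch continues past its end.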

Review Comment:
   Compared to `error`, `warn` level seems more appropriate for these logs.


