spacewander commented on a change in pull request #3263:
URL: https://github.com/apache/apisix/pull/3263#discussion_r556505949
##########
File path: apisix/plugins/authz-keycloak.lua
##########
@@ -64,10 +67,169 @@ local _M = {
schema = schema,
}
+
function _M.check_schema(conf)
return core.schema.check(schema, conf)
end
+
+-- Some auxiliary functions below heavily inspired by the excellent
+-- lua-resty-openidc module; see https://github.com/zmartzone/lua-resty-openidc
+
+
+-- Retrieve value from server-wide cache, if available.
+local function authz_keycloak_cache_get(type, key)
+ local dict = ngx.shared[type]
+ local value
+ if dict then
+ value = dict:get(key)
+ if value then log.debug("cache hit: type=", type, " key=", key) end
+ end
+ return value
+end
+
+
+-- Set value in server-wide cache, if available.
+local function authz_keycloak_cache_set(type, key, value, exp)
+ local dict = ngx.shared[type]
+ if dict and (exp > 0) then
+ local success, err, forcible = dict:set(key, value, exp)
+ if err then
+ log.error("cache set: success=", success, " err=", err, " forcible=",
forcible)
+ else
+ log.debug("cache set: success=", success, " err=", err, " forcible=",
forcible)
+ end
+ end
+end
+
+
+-- Configure timeouts.
+local function authz_keycloak_configure_timeouts(httpc, timeout)
+ if timeout then
+ if type(timeout) == "table" then
+ httpc:set_timeouts(timeout.connect or 0, timeout.send or 0, timeout.read
or 0)
+ else
+ httpc:set_timeout(timeout)
+ end
+ end
+end
+
+
+-- Set outgoing proxy options.
+local function authz_keycloak_configure_proxy(httpc, proxy_opts)
+ if httpc and proxy_opts and type(proxy_opts) == "table" then
+ log.debug("authz_keycloak_configure_proxy : use http proxy")
+ httpc:set_proxy_options(proxy_opts)
+ else
+ log.debug("authz_keycloak_configure_proxy : don't use http proxy")
+ end
+end
+
+
+-- Parse the JSON result from a call to the OP.
+local function authz_keycloak_parse_json_response(response,
ignore_body_on_success)
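Review bot: On the `if dict and (exp > 0) then` line in authz_keycloak_cache_set, a nil `exp` raises "attempt to compare nil with number" instead of quietly skipping the cache write, so the guard should read `if dict and exp and exp > 0 then`. Both authz_keycloak_cache_get and authz_keycloak_cache_set name their first parameter `type`, which shadows the builtin inside those bodies; renaming it to `cache_type` in both signatures, their `ngx.shared[...]` lookups and their log calls removes that trap before a `type()` check is ever added there. The `log.debug("cache hit: type=", type, " key=", key)` line writes the raw cache key to the error log; what the callers use as keys is not visible in this hunk, but if any of them key by an access token or other credential, that entry leaks it into the log, so consider logging only the cache type (or a digest of the key). authz_keycloak_parse_json_response begins on the last line of the hunk and its body lies outside it.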
Review comment:
What is the `ignore_body_on_success` for? It seems there is nowhere to
pass it.
##########
File path: apisix/plugins/authz-keycloak.lua
##########
@@ -52,8 +55,7 @@ local schema = {
keepalive_timeout = {type = "integer", minimum = 1000, default =
60000},
keepalive_pool = {type = "integer", minimum = 1, default = 5},
ssl_verify = {type = "boolean", default = true},
- },
- required = {"token_endpoint"}
Review comment:
OK
##########
File path: doc/plugins/authz-keycloak.md
##########
@@ -40,14 +40,23 @@ For more information on Keycloak, refer to [Keycloak
Authorization Docs](https:/
| Name | Type | Requirement | Default
| Valid |
Description
|
| ----------------------- | ------------- | ----------- |
--------------------------------------------- |
----------------------------------------------- |
-----------------------------------------------------------------------------------------------------------------------------------------------------------
|
-| token_endpoint | string | required |
| [1, 4096] | A
OAuth2-compliant Token Endpoint that supports the
`urn:ietf:params:oauth:grant-type:uma-ticket` grant type.
|
+| discovery | string | optional |
| [1, 4096] |
URL to discovery document for Keycloak Authorization Services.
|
Review comment:
We should change the `[1, 4096]` to a valid example. This is a problem in the
original doc.