jenskeiner commented on a change in pull request #3308:
URL: https://github.com/apache/apisix/pull/3308#discussion_r559420280



##########
File path: apisix/plugins/authz-keycloak.lua
##########
@@ -224,31 +239,332 @@ local function authz_keycloak_get_token_endpoint(conf)
 end
 
 
-local function is_path_protected(conf)
-    -- TODO if permissions are empty lazy load paths from Keycloak
-    if conf.permissions == nil then
-        return false
+local function authz_keycloak_get_resource_registration_endpoint(conf)
+    return authz_keycloak_get_endpoint(conf, "resource_registration_endpoint")
+end
+
+
+-- computes access_token expires_in value (in seconds)
+local function authz_keycloak_access_token_expires_in(opts, expires_in)
+  return (expires_in or opts.access_token_expires_in or 300)
+         - 1 - (opts.access_token_expires_leeway or 0)
+end
+
+
+-- computes refresh_token expires_in value (in seconds)
+local function authz_keycloak_refresh_token_expires_in(opts, expires_in)
+  return (expires_in or opts.refresh_token_expires_in or 3600)
+         - 1 - (opts.refresh_token_expires_leeway or 0)
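Review bot: The return value of `authz_keycloak_access_token_expires_in` and `authz_keycloak_refresh_token_expires_in` has no lower bound, so a leeway equal to or larger than the lifetime minus one (or a very small `expires_in` from the endpoint) yields zero or a negative number of seconds. Consider clamping the result to a small positive minimum before it is used as a lifetime, and rejecting a non-numeric `expires_in`. The fallback values `300` and `3600` and the `opts.*_expires_in` / `opts.*_expires_leeway` fields are undocumented in the visible lines; a comment naming the units and where they are expected to be set would help. The added function bodies are indented with two spaces, while the removed `is_path_protected` lines in this file use four.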

Review comment:
       This has been copied over from the `openidc` module. As far as I know, 
you cannot assume that the token endpoint will always return an `expires_in` 
and/or `refresh_expires_in` field as well. If it's not returned, this code 
allows configuring an expiry time assumption via 
`opts.refresh_token_expires_in`, falling back to a hard-coded default if that's 
not available either.
   
   Generally, I think having a fallback in place is useful. If needed, we could 
expose it through the schema as well. Same holds for the `leeway` parameter 
which can be used to make the plugin refresh tokens earlier. On the other hand, 
it's true that the mentioned options are currently not set anywhere.
   
   Please advise whether this should be removed for now, or whether keeping it 
makes sense.



