jenskeiner commented on a change in pull request #3308:
URL: https://github.com/apache/apisix/pull/3308#discussion_r559699532
##########
File path: apisix/plugins/authz-keycloak.lua
##########
@@ -224,31 +239,332 @@ local function authz_keycloak_get_token_endpoint(conf)
end
-local function is_path_protected(conf)
- -- TODO if permissions are empty lazy load paths from Keycloak
- if conf.permissions == nil then
- return false
+local function authz_keycloak_get_resource_registration_endpoint(conf)
+ return authz_keycloak_get_endpoint(conf, "resource_registration_endpoint")
+end
+
+
+-- computes access_token expires_in value (in seconds)
+local function authz_keycloak_access_token_expires_in(opts, expires_in)
+ return (expires_in or opts.access_token_expires_in or 300)
+ - 1 - (opts.access_token_expires_leeway or 0)
+end
+
+
+-- computes refresh_token expires_in value (in seconds)
+local function authz_keycloak_refresh_token_expires_in(opts, expires_in)
+ return (expires_in or opts.refresh_token_expires_in or 3600)
+ - 1 - (opts.refresh_token_expires_leeway or 0)
+end
+
+
+local function authz_keycloak_ensure_sa_access_token(conf)
+ local token_endpoint = authz_keycloak_get_token_endpoint(conf)
+
+ if not token_endpoint then
+ log.error("Unable to determine token endpoint.")
+ return 500, "Unable to determine token endpoint."
end
- return true
+
+ local session = authz_keycloak_cache_get("access_tokens", token_endpoint
.. ":"
+ .. conf.client_id)
+
+ if session then
+ -- Decode session string.
+ local err
+ session, err = core.json.decode(session)
+
+ if not session then
+ -- Should never happen.
+ return 500, err
+ end
+
+ local current_time = ngx.time()
+
+ if current_time < session.access_token_expiration then
+ -- Access token is still valid.
+ log.debug("Access token is still valid.")
+ return session.access_token
+ else
+ -- Access token has expired.
+ log.debug("Access token has expired.")
+ if session.refresh_token
+ and (not session.refresh_token_expiration
+ or current_time < session.refresh_token_expiration) then
+ -- Try to get a new access token, using the refresh token.
+ log.debug("Trying to get new access token using refresh
token.")
+
+ local httpc = http.new()
+ httpc:set_timeout(conf.timeout)
+
+ local params = {
+ method = "POST",
+ body = ngx.encode_args({
+ grant_type = "refresh_token",
+ client_id = conf.client_id,
+ client_secret = conf.client_secret,
+ refresh_token = session.refresh_token,
+ }),
+ ssl_verify = conf.ssl_verify,
+ headers = {
+ ["Content-Type"] = "application/x-www-form-urlencoded"
+ }
+ }
+
+ local current_time = ngx.time()
+
+ local res, err = httpc:request_uri(token_endpoint, params)
+
+ if not res then
+ err = "Accessing token endpoint URL (" .. token_endpoint
+ .. ") failed: " .. err
+ log.error(err)
+ return nil, err
+ end
+
+ log.debug("Response data: " .. res.body)
+ local json, err = authz_keycloak_parse_json_response(res)
+
+ if not json then
+ err = "Could not decode JSON from token endpoint"
+ .. (err and (": " .. err) or '.')
+ log.error(err)
+ return nil, err
+ end
+
+ if not json.access_token then
+ -- Clear session.
+ log.debug("Answer didn't contain a new access token.
Clearing session.")
+ session = nil
+ else
+ log.debug("Got new access token.")
+ -- Save access token.
+ session.access_token = json.access_token
+
+ -- Calculate and save access token expiry time.
+ session.access_token_expiration = current_time
+ + authz_keycloak_access_token_expires_in(conf,
json.expires_in)
+
+ -- Save refresh token, maybe.
+ if json.refresh_token ~= nil then
+ log.debug("Got new refresh token.")
+ session.refresh_token = json.refresh_token
+
+ -- Calculate and save refresh token expiry time.
+ session.refresh_token_expiration = current_time
+ + authz_keycloak_refresh_token_expires_in(conf,
+
json.refresh_expires_in)
+ end
+
+ authz_keycloak_cache_set("access_tokens",
+ token_endpoint .. ":" ..
conf.client_id,
+ core.json.encode(session), 24 *
60 * 60)
Review comment:
done
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
