This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 29367a5 docs(openid-connect): add Authentication through OIDC Relying
Party flow description (#4978)
29367a5 is described below
commit 29367a58f958203863b10d634b6bd0540386e5f0
Author: okaybase <[email protected]>
AuthorDate: Mon Sep 6 17:55:59 2021 +0800
docs(openid-connect): add Authentication through OIDC Relying Party flow
description (#4978)
Co-authored-by: Peter Zhu <[email protected]>
---
docs/zh/latest/plugins/openid-connect.md | 37 ++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/docs/zh/latest/plugins/openid-connect.md
b/docs/zh/latest/plugins/openid-connect.md
index e7e407d..be1485d 100644
--- a/docs/zh/latest/plugins/openid-connect.md
+++ b/docs/zh/latest/plugins/openid-connect.md
@@ -142,6 +142,43 @@ curl http://127.0.0.1:9080/apisix/admin/routes/5 -H
'X-API-KEY: edd1c9f034335f13
}'
```
+#### 通过 OIDC 依赖方认证流程进行身份验证
+
+当一个请求在请求头或会话 Cookie 中不包含访问令牌时,
+插件可以充当 OIDC 依赖方并重定向到身份提供者的授权端点以通过 OIDC 授权代码流程;
+请参阅 https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth 。
+一旦用户通过身份提供者进行身份验证,插件将代表用户从身份提供者获取和管理访问令牌和更多信息。
+该信息当前存储在会话 cookie 中,该插件将识别 cookie 并使用其中的信息,以避免再次执行认证流程。
+
+以下命令将此操作模式添加到路由:
+
+```bash
+curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "uri": "/get",
+ "plugins": {
+ "proxy-rewrite": {
+ "scheme": "https"
+ },
+ "openid-connect": {
+ "client_id": "api_six_client_id",
+ "client_secret": "client_secret_code",
+ "discovery": "full_URL_of_the_discovery_endpoint",
+ "bearer_only": false,
+ "realm": "master"
+}
+ },
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "httpbin.org:443": 1
+ }
+ }
+}'
+```
+
+在该例子中,插件可以强制在各自配置的请求头中设置访问令牌、ID 令牌和 UserInfo 对象。
+
## 故障排除
如果 APISIX 无法解析/连接到身份提供者,请检查/修改 DNS 设置(`conf / config.yaml`)。
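Review bot: The closing sentence after the JSON example says the plugin can force the access token, ID token and UserInfo object into their respectively configured request headers, but the example body sets no header-related option. Readers cannot tell which settings control this or what is forwarded upstream by default, so name those options and their defaults in that sentence or add them to the example. The paragraph stating that the token data is currently stored in the session cookie should also say how that cookie is protected, since it carries the access token. Two smaller points: the `}` closing `"openid-connect"` sits at column 0 while its opening brace is indented, and the curl command embeds a literal `X-API-KEY` value, where a placeholder with a note to substitute the deployment's own admin key would be safer to copy.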