tzssangglass opened a new issue #5425: URL: https://github.com/apache/apisix/issues/5425
### Discussed in https://github.com/apache/apisix/discussions/5416

Originally posted by **fbartels** November 4, 2021

Hi,

I am trying to configure openid auth for a RestAPI and we are using https://github.com/libregraph/lico as the oidc provider. Currently lico does not support introspection endpoints, so before starting to implement it I looked at it together with a developer and found that https://github.com/apache/apisix/blob/042ce5c1a6a4e040d6d6924f2d86e5534b730134/apisix/plugins/openid-connect.lua#L182 is the culprit for us.

I am configuring the route in the following way:

```
curl "http://127.0.0.1:9080/apisix/admin/routes/1" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PUT -d '
{
  "uri": "/api/v1/*",
  "name": "Manage API",
  "plugins": {
    "openid-connect": {
      "client_id": "manage-api",
      "client_secret": "unconfigured",
      "discovery": "https://our-backend.local/.well-known/openid-configuration",
      "access_token_in_authorization_header": true,
      "bearer_only": true,
      "use_jwks": true
    }
  },
  "upstream_id": "1"
}'
```

Tracing the Lua script showed that the function in https://github.com/apache/apisix/blob/042ce5c1a6a4e040d6d6924f2d86e5534b730134/apisix/plugins/openid-connect.lua#L182-L214 is setting the right headers for us, but we did not want to specify the public key in the config. Looking at the upstream library, our jwks document should provide enough information to make the login succeed, so we extended the if clause like this `if conf.use_jwks or conf.public_key then` along with setting `"use_jwks": true` in our route configuration. This made the login succeed for us.

The question is now:

- do you see a better way to handle this, or should I open a pull request with our modification?

I am not the biggest developer myself and hope that I have made my case clear enough. If not, please let me know.
