This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 845c3c925 feat: Add support for capturing OIDC refresh tokens (#7220)
845c3c925 is described below
commit 845c3c925c3a4a841ddaf93b0826f083d9f044dd
Author: Nassos Michas <[email protected]>
AuthorDate: Wed Jun 15 05:13:29 2022 +0300
feat: Add support for capturing OIDC refresh tokens (#7220)
---
apisix/plugins/openid-connect.lua | 18 +++++++++++++++---
docs/en/latest/plugins/openid-connect.md | 1 +
t/plugin/openid-connect.t | 6 ++++--
3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/apisix/plugins/openid-connect.lua
b/apisix/plugins/openid-connect.lua
index 73427bc33..4a6dbda1c 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -96,6 +96,12 @@ local schema = {
"header to the request for downstream.",
type = "boolean",
default = true
+ },
+ set_refresh_token_header = {
+ description = "Whether the refresh token should be added in the
X-Refresh-Token " ..
+ "header to the request for downstream.",
+ type = "boolean",
+ default = false
}
},
required = {"client_id", "client_secret", "discovery"}
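Review bot: The new `set_refresh_token_header` description does not say where the token comes from, and as far as this diff shows it is only populated from the session returned by `openidc.authenticate`, i.e. in the Relying Party (session) flow and not when the plugin runs in bearer_only/introspection mode. A clause in the schema description would save operators a fruitless configuration attempt, e.g. `"Whether the refresh token should be added in the X-Refresh-Token " .. "header to the request for downstream. Only available in Relying Party (session) mode."`. Since a refresh token is a long-lived credential that the upstream then receives in a plain request header, keeping the default at `false` is the right choice and is worth stating as the reason in the description as well. The enclosing `schema` table starts before this hunk.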
@@ -260,7 +266,7 @@ function _M.rewrite(plugin_conf, ctx)
conf.ssl_verify = "no"
end
- local response, err
+ local response, err, session, _
if conf.bearer_only or conf.introspection_endpoint or conf.public_key then
-- An introspection endpoint or a public key has been configured. Try
to
@@ -298,7 +304,7 @@ function _M.rewrite(plugin_conf, ctx)
-- provider's authorization endpoint to initiate the Relying Party
flow.
-- This code path also handles when the ID provider then redirects to
-- the configured redirect URI after successful authentication.
- response, err = openidc.authenticate(conf)
+ response, err, _, session = openidc.authenticate(conf)
if err then
core.log.error("OIDC authentication failed: ", err)
@@ -307,7 +313,8 @@ function _M.rewrite(plugin_conf, ctx)
if response then
-- If the openidc module has returned a response, it may contain,
- -- respectively, the access token, the ID token, and the userinfo.
+ -- respectively, the access token, the ID token, the refresh token,
+ -- and the userinfo.
-- Add respective headers to the request, if so configured.
-- Add configured access token header, maybe.
@@ -324,6 +331,11 @@ function _M.rewrite(plugin_conf, ctx)
core.request.set_header(ctx, "X-Userinfo",
ngx_encode_base64(core.json.encode(response.user)))
end
+
+ -- Add X-Refresh-Token header, maybe.
+ if session.data.refresh_token and conf.set_refresh_token_header
then
+ core.request.set_header(ctx, "X-Refresh-Token",
session.data.refresh_token)
+ end
end
end
end
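Review bot: The added `if session.data.refresh_token and conf.set_refresh_token_header then` indexes `session` before anything else, but `session` is declared nil next to `response, err` at the top of `_M.rewrite` and, within this diff, is only assigned in the `openidc.authenticate` branch; a request that reaches `if response then` through the bearer_only/introspection branch (outside this hunk, unless it also assigns `session`) therefore fails with "attempt to index a nil value" regardless of how `set_refresh_token_header` is set, turning an opt-in feature into an error on existing routes. Test the config flag first and nil-guard the session: `if conf.set_refresh_token_header and session and session.data and session.data.refresh_token then`. The accompanying change in t/plugin/openid-connect.t only exercises the session flow; a case that sends a request through an introspection-mode route would have exposed this. `_M.rewrite` starts before this hunk.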
diff --git a/docs/en/latest/plugins/openid-connect.md
b/docs/en/latest/plugins/openid-connect.md
index 29949107e..5b33e5d53 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
@@ -55,6 +55,7 @@ The `openid-connect` Plugin provides authentication and
introspection capability
| access_token_in_authorization_header | boolean | False | false
| | When set to true, sets the access token in the
`Authorization` header. Otherwise, set the `X-Access-Token` header. |
| set_id_token_header | boolean | False | true
| | When set to true and the ID token is available, sets the
ID token in the `X-ID-Token` request header. |
| set_userinfo_header | boolean | False | true
| | When set to true and the UserInfo object is available,
sets it in the `X-Userinfo` request header. |
+| set_refresh_token_header | boolean | False | false
| | When set to true and a refresh token object is
available, sets it in the `X-Refresh-Token` request header. |
## Modes of operation
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index a97898d6e..22786eaea 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -189,7 +189,8 @@ true
"set_access_token_header": true,
"access_token_in_authorization_header": false,
"set_id_token_header": true,
- "set_userinfo_header": true
+ "set_userinfo_header": true,
+ "set_refresh_token_header": true
}
},
"upstream": {
@@ -272,6 +273,7 @@ user-agent: .*
x-access-token: ey.*
x-id-token: ey.*
x-real-ip: 127.0.0.1
+x-refresh-token: ey.*
x-userinfo: ey.*
--- no_error_log
[error]
@@ -916,7 +918,7 @@ OIDC introspection failed: invalid token
--- request
GET /t
--- response_body
-{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_userinfo_header":true,"ssl_verify":false,"timeout":3}
+{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_heade
[...]
--- no_error_log
[error]