test/apisix
1
0
Fork 0
mirror of https://gitee.com/iresty/apisix.git synced 2024-11-29 18:48:31 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: support post_logout_redirect_uri config in openid-connect plugin (#6455)

Browse Source
This commit is contained in:
Peter Zhu 2022-03-02 09:39:08 +08:00 committed by GitHub
parent a7bde90d9a
commit 6c233d35f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 313 additions and 350 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
apisix/plugins/openid-connect.lua
View File

@ -67,6 +67,10 @@ local schema = {
type = "string", type = "string",
description = "use ngx.var.request_uri if not configured" description = "use ngx.var.request_uri if not configured"
}, },
post_logout_redirect_uri = {
type = "string",
description = "the URI will be redirect when request logout_path",
},
public_key = {type = "string"}, public_key = {type = "string"},
token_signing_alg_values_expected = {type = "string"}, token_signing_alg_values_expected = {type = "string"},
set_access_token_header = { set_access_token_header = {

1
docs/en/latest/plugins/openid-connect.md
View File

@ -47,6 +47,7 @@ The OAuth 2 / Open ID Connect(OIDC) plugin provides authentication and introspec
| realm | string | optional | "apisix" | | Realm used for the authentication | | realm | string | optional | "apisix" | | Realm used for the authentication |
| bearer_only | boolean | optional | false | | Setting this `true` will check for the authorization header in the request with a bearer token | | bearer_only | boolean | optional | false | | Setting this `true` will check for the authorization header in the request with a bearer token |
| logout_path | string | optional | "/logout" | | | | logout_path | string | optional | "/logout" | | |
| post_logout_redirect_uri | string | optional | | | URL want to redirect when request logout_path |
| redirect_uri | string | optional | "ngx.var.request_uri" | | | | redirect_uri | string | optional | "ngx.var.request_uri" | | |
| timeout | integer | optional | 3 | [1,...] | Timeout in seconds | | timeout | integer | optional | 3 | [1,...] | Timeout in seconds |
| ssl_verify | boolean | optional | false | | | | ssl_verify | boolean | optional | false | | |

1
docs/zh/latest/plugins/openid-connect.md
View File

@ -45,6 +45,7 @@ OAuth 2 / Open ID ConnectOIDC插件为 APISIX 提供身份验证和自省
| realm | string | 可选 | "apisix" | | 用于认证 | | realm | string | 可选 | "apisix" | | 用于认证 |
| bearer_only | boolean | 可选 | false | | 设置为 `true` 将检查请求中带有承载令牌的授权标头 | | bearer_only | boolean | 可选 | false | | 设置为 `true` 将检查请求中带有承载令牌的授权标头 |
| logout_path | string | 可选 | "/logout" | | | | logout_path | string | 可选 | "/logout" | | |
| post_logout_redirect_uri | string | 可选 | | | 调用登出接口后想要跳转的地址 |
| redirect_uri | string | 可选 | "ngx.var.request_uri" | | | | redirect_uri | string | 可选 | "ngx.var.request_uri" | | |
| timeout | integer | 可选 | 3 | [1,...] | 超时时间,单位为秒 | | timeout | integer | 可选 | 3 | [1,...] | 超时时间,单位为秒 |
| ssl_verify | boolean | 可选 | false | | | | ssl_verify | boolean | 可选 | false | | |

136
t/lib/keycloak.lua Normal file
View File

@ -0,0 +1,136 @@
--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements. See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
local http = require "resty.http"
local _M = {}
-- Request APISIX and redirect to keycloak,
-- Login keycloak and return the res of APISIX
function _M.login_keycloak(uri, username, password)
local httpc = http.new()
local res, err = httpc:request_uri(uri, {method = "GET"})
if not res then
return nil, err
elseif res.status ~= 302 then
-- Not a redirect which we expect.
-- Use 500 to indicate error.
return nil, "Initial request was not redirected to ID provider authorization endpoint."
else
-- Extract cookies. Important since OIDC module tracks state with a session cookie.
local cookies = res.headers['Set-Cookie']
-- Concatenate cookies into one string as expected when sent in request header.
local cookie_str = _M.concatenate_cookies(cookies)
-- Call authorization endpoint we were redirected to.
-- Note: This typically returns a login form which is the case here for Keycloak as well.
-- However, how we process the form to perform the login is specific to Keycloak and
-- possibly even the version used.
res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
if not res then
-- No response, must be an error.
return nil, err
elseif res.status ~= 200 then
-- Unexpected response.
return nil, res.body
end
-- Check if response code was ok.
if res.status ~= 200 then
return nil, "unexpected status " .. res.status
end
-- From the returned form, extract the submit URI and parameters.
local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')
-- Substitute escaped ampersand in parameters.
params = params:gsub("&", "&")
-- Get all cookies returned. Probably not so important since not part of OIDC specification.
local auth_cookies = res.headers['Set-Cookie']
-- Concatenate cookies into one string as expected when sent in request header.
local auth_cookie_str = _M.concatenate_cookies(auth_cookies)
-- Invoke the submit URI with parameters and cookies, adding username
-- and password in the body.
-- Note: Username and password are specific to the Keycloak Docker image used.
res, err = httpc:request_uri(uri .. "?" .. params, {
method = "POST",
body = "username=" .. username .. "&password=" .. password,
headers = {
["Content-Type"] = "application/x-www-form-urlencoded",
["Cookie"] = auth_cookie_str
}
})
if not res then
-- No response, must be an error.
return nil, err
elseif res.status ~= 302 then
-- Not a redirect which we expect.
return nil, "Login form submission did not return redirect to redirect URI."
end
-- Extract the redirect URI from the response header.
-- TODO: Consider validating this against the plugin configuration.
local redirect_uri = res.headers['Location']
-- Invoke the redirect URI (which contains the authorization code as an URL parameter).
res, err = httpc:request_uri(redirect_uri, {
method = "GET",
headers = {
["Cookie"] = cookie_str
}
})
if not res then
-- No response, must be an error.
return nil, err
elseif res.status ~= 302 then
-- Not a redirect which we expect.
return nil, "Invoking redirect URI with authorization code" ..
"did not return redirect to original URI."
end
return res, nil
end
end
-- Concatenate cookies into one string as expected when sent in request header.
function _M.concatenate_cookies(cookies)
local cookie_str = ""
if type(cookies) == 'string' then
cookie_str = cookies:match('([^;]*); .*')
else
-- Must be a table.
local len = #cookies
if len > 0 then
cookie_str = cookies[1]:match('([^;]*); .*')
for i = 2, len do
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
end
end
end
return cookie_str, nil
end
return _M

449
t/plugin/openid-connect.t vendored
View File

@ -280,167 +280,22 @@ passed
location /t { location /t {
content_by_lua_block { content_by_lua_block {
local http = require "resty.http" local http = require "resty.http"
local login_keycloak = require("lib.keycloak").login_keycloak
local concatenate_cookies = require("lib.keycloak").concatenate_cookies
local httpc = http.new() local httpc = http.new()
-- Invoke /uri endpoint w/o bearer token. Should receive redirect to Keycloak authorization endpoint.
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri" local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
local res, err = httpc:request_uri(uri, {method = "GET"}) local res, err = login_keycloak(uri, "teacher@gmail.com", "123456")
if err then
if not res then
-- No response, must be an error.
ngx.status = 500 ngx.status = 500
ngx.say(err) ngx.say(err)
return return
elseif res.status ~= 302 then
-- Not a redirect which we expect.
-- Use 500 to indicate error.
ngx.status = 500
ngx.say("Initial request was not redirected to ID provider authorization endpoint.")
return
else
-- Redirect to ID provider's authorization endpoint.
-- Extract nonce and state from response header.
local nonce = res.headers['Location']:match('.*nonce=([^&]+).*')
local state = res.headers['Location']:match('.*state=([^&]+).*')
-- Extract cookies. Important since OIDC module tracks state with a session cookie.
local cookies = res.headers['Set-Cookie']
-- Concatenate cookies into one string as expected when sent in request header.
local cookie_str = ""
if type(cookies) == 'string' then
cookie_str = cookies:match('([^;]*); .*')
else
-- Must be a table.
local len = #cookies
if len > 0 then
cookie_str = cookies[1]:match('([^;]*); .*')
for i = 2, len do
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
end
end
end end
-- Call authorization endpoint we were redirected to. local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
-- Note: This typically returns a login form which is the case here for Keycloak as well.
-- However, how we process the form to perform the login is specific to Keycloak and
-- possibly even the version used.
res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
if not res then
-- No response, must be an error.
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 200 then
-- Unexpected response.
ngx.status = res.status
ngx.say(res.body)
return
end
-- Check if response code was ok.
if res.status == 200 then
-- From the returned form, extract the submit URI and parameters.
local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')
-- Substitute escaped ampersand in parameters.
params = params:gsub("&", "&")
-- Get all cookies returned. Probably not so important since not part of OIDC specification.
local auth_cookies = res.headers['Set-Cookie']
-- Concatenate cookies into one string as expected when sent in request header.
local auth_cookie_str = ""
if type(auth_cookies) == 'string' then
auth_cookie_str = auth_cookies:match('([^;]*); .*')
else
-- Must be a table.
local len = #auth_cookies
if len > 0 then
auth_cookie_str = auth_cookies[1]:match('([^;]*); .*')
for i = 2, len do
auth_cookie_str = auth_cookie_str .. "; " .. auth_cookies[i]:match('([^;]*); .*')
end
end
end
-- Invoke the submit URI with parameters and cookies, adding username and password in the body.
-- Note: Username and password are specific to the Keycloak Docker image used.
res, err = httpc:request_uri(uri .. "?" .. params, {
method = "POST",
body = "username=teacher@gmail.com&password=123456",
headers = {
["Content-Type"] = "application/x-www-form-urlencoded",
["Cookie"] = auth_cookie_str
}
})
if not res then
-- No response, must be an error.
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 302 then
-- Not a redirect which we expect.
-- Use 500 to indicate error.
ngx.status = 500
ngx.say("Login form submission did not return redirect to redirect URI.")
return
end
-- Extract the redirect URI from the response header.
-- TODO: Consider validating this against the plugin configuration.
local redirect_uri = res.headers['Location']
-- Invoke the redirect URI (which contains the authorization code as an URL parameter).
res, err = httpc:request_uri(redirect_uri, {
method = "GET",
headers = {
["Cookie"] = cookie_str
}
})
if not res then
-- No response, must be an error.
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 302 then
-- Not a redirect which we expect.
-- Use 500 to indicate error.
ngx.status = 500
ngx.say("Invoking redirect URI with authorization code did not return redirect to original URI.")
return
end
-- Get all cookies returned. This should update the session cookie maintained by the OIDC module with the new state.
-- E.g. the session cookie should now contain the access token, ID token and user info.
-- The cookie itself should however be treated as opaque.
cookies = res.headers['Set-Cookie']
-- Concatenate cookies into one string as expected when sent in request header.
if type(cookies) == 'string' then
cookie_str = cookies:match('([^;]*); .*')
else
-- Must be a table.
local len = #cookies
if len > 0 then
cookie_str = cookies[1]:match('([^;]*); .*')
for i = 2, len do
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
end
end
end
-- Get the final URI out of the Location response header. This should be the original URI that was requested.
-- TODO: Consider checking the URI against the original request URI.
redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
-- Make the final call back to the original URI. -- Make the final call back to the original URI.
local redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
res, err = httpc:request_uri(redirect_uri, { res, err = httpc:request_uri(redirect_uri, {
method = "GET", method = "GET",
headers = { headers = {
@ -463,11 +318,6 @@ passed
ngx.status = res.status ngx.status = res.status
ngx.say(res.body) ngx.say(res.body)
else
-- Response from Keycloak not ok.
ngx.say(false)
end
end
} }
} }
--- request --- request
@ -573,167 +423,22 @@ passed
location /t { location /t {
content_by_lua_block { content_by_lua_block {
local http = require "resty.http" local http = require "resty.http"
local login_keycloak = require("lib.keycloak").login_keycloak
local concatenate_cookies = require("lib.keycloak").concatenate_cookies
local httpc = http.new() local httpc = http.new()
-- Invoke /uri endpoint w/o bearer token. Should receive redirect to Keycloak authorization endpoint.
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri" local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
local res, err = httpc:request_uri(uri, {method = "GET"}) local res, err = login_keycloak(uri, "teacher@gmail.com", "123456")
if err then
if not res then
-- No response, must be an error.
ngx.status = 500 ngx.status = 500
ngx.say(err) ngx.say(err)
return return
elseif res.status ~= 302 then
-- Not a redirect which we expect.
-- Use 500 to indicate error.
ngx.status = 500
ngx.say("Initial request was not redirected to ID provider authorization endpoint.")
return
else
-- Redirect to ID provider's authorization endpoint.
-- Extract nonce and state from response header.
local nonce = res.headers['Location']:match('.*nonce=([^&]+).*')
local state = res.headers['Location']:match('.*state=([^&]+).*')
-- Extract cookies. Important since OIDC module tracks state with a session cookie.
local cookies = res.headers['Set-Cookie']
-- Concatenate cookies into one string as expected when sent in request header.
local cookie_str = ""
if type(cookies) == 'string' then
cookie_str = cookies:match('([^;]*); .*')
else
-- Must be a table.
local len = #cookies
if len > 0 then
cookie_str = cookies[1]:match('([^;]*); .*')
for i = 2, len do
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
end
end
end end
-- Call authorization endpoint we were redirected to. local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
-- Note: This typically returns a login form which is the case here for Keycloak as well.
-- However, how we process the form to perform the login is specific to Keycloak and
-- possibly even the version used.
res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
if not res then
-- No response, must be an error.
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 200 then
-- Unexpected response.
ngx.status = res.status
ngx.say(res.body)
return
end
-- Check if response code was ok.
if res.status == 200 then
-- From the returned form, extract the submit URI and parameters.
local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')
-- Substitute escaped ampersand in parameters.
params = params:gsub("&", "&")
-- Get all cookies returned. Probably not so important since not part of OIDC specification.
local auth_cookies = res.headers['Set-Cookie']
-- Concatenate cookies into one string as expected when sent in request header.
local auth_cookie_str = ""
if type(auth_cookies) == 'string' then
auth_cookie_str = auth_cookies:match('([^;]*); .*')
else
-- Must be a table.
local len = #auth_cookies
if len > 0 then
auth_cookie_str = auth_cookies[1]:match('([^;]*); .*')
for i = 2, len do
auth_cookie_str = auth_cookie_str .. "; " .. auth_cookies[i]:match('([^;]*); .*')
end
end
end
-- Invoke the submit URI with parameters and cookies, adding username and password in the body.
-- Note: Username and password are specific to the Keycloak Docker image used.
res, err = httpc:request_uri(uri .. "?" .. params, {
method = "POST",
body = "username=teacher@gmail.com&password=123456",
headers = {
["Content-Type"] = "application/x-www-form-urlencoded",
["Cookie"] = auth_cookie_str
}
})
if not res then
-- No response, must be an error.
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 302 then
-- Not a redirect which we expect.
-- Use 500 to indicate error.
ngx.status = 500
ngx.say("Login form submission did not return redirect to redirect URI.")
return
end
-- Extract the redirect URI from the response header.
-- TODO: Consider validating this against the plugin configuration.
local redirect_uri = res.headers['Location']
-- Invoke the redirect URI (which contains the authorization code as an URL parameter).
res, err = httpc:request_uri(redirect_uri, {
method = "GET",
headers = {
["Cookie"] = cookie_str
}
})
if not res then
-- No response, must be an error.
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 302 then
-- Not a redirect which we expect.
-- Use 500 to indicate error.
ngx.status = 500
ngx.say("Invoking redirect URI with authorization code did not return redirect to original URI.")
return
end
-- Get all cookies returned. This should update the session cookie maintained by the OIDC module with the new state.
-- E.g. the session cookie should now contain the access token, ID token and user info.
-- The cookie itself should however be treated as opaque.
cookies = res.headers['Set-Cookie']
-- Concatenate cookies into one string as expected when sent in request header.
if type(cookies) == 'string' then
cookie_str = cookies:match('([^;]*); .*')
else
-- Must be a table.
local len = #cookies
if len > 0 then
cookie_str = cookies[1]:match('([^;]*); .*')
for i = 2, len do
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
end
end
end
-- Get the final URI out of the Location response header. This should be the original URI that was requested.
-- TODO: Consider checking the URI against the original request URI.
redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
-- Make the final call back to the original URI. -- Make the final call back to the original URI.
local redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
res, err = httpc:request_uri(redirect_uri, { res, err = httpc:request_uri(redirect_uri, {
method = "GET", method = "GET",
headers = { headers = {
@ -756,11 +461,6 @@ passed
ngx.status = res.status ngx.status = res.status
ngx.say(res.body) ngx.say(res.body)
else
-- Response from Keycloak not ok.
ngx.say(false)
end
end
} }
} }
--- request --- request
@ -1665,3 +1365,124 @@ GET /t
false false
--- error_log --- error_log
OIDC introspection failed: invalid jwt: invalid jwt string OIDC introspection failed: invalid jwt: invalid jwt string
=== TEST 28: Modify route to match catch-all URI `/*` and add post_logout_redirect_uri option.
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"openid-connect": {
"discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
"realm": "University",
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
"redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/authenticated",
"ssl_verify": false,
"timeout": 10,
"introspection_endpoint_auth_method": "client_secret_post",
"introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
"set_access_token_header": true,
"access_token_in_authorization_header": false,
"set_id_token_header": true,
"set_userinfo_header": true,
"post_logout_redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/hello"
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/*"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]
=== TEST 29: Access route w/o bearer token and request logout to redirect to post_logout_redirect_uri.
--- config
location /t {
content_by_lua_block {
local http = require "resty.http"
local login_keycloak = require("lib.keycloak").login_keycloak
local concatenate_cookies = require("lib.keycloak").concatenate_cookies
local httpc = http.new()
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
local res, err = login_keycloak(uri, "teacher@gmail.com", "123456")
if err then
ngx.status = 500
ngx.say(err)
return
end
local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
-- Request the logout uri with the log-in cookie
local logout_uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/logout"
res, err = httpc:request_uri(logout_uri, {
method = "GET",
headers = {
["Cookie"] = cookie_str
}
})
if not res then
-- No response, must be an error
-- Use 500 to indicate error
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 302 then
ngx.status = 500
ngx.say("Request the logout URI didn't return the expected status.")
return
end
-- Request the location, it's a URL of keycloak and contains the post_logout_redirect_uri
-- Like:
-- http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/logout?post_logout_redirect=http://127.0.0.1:1984/hello
local location = res.headers["Location"]
res, err = httpc:request_uri(location, {
method = "GET"
})
if not res then
ngx.status = 500
ngx.say(err)
return
elseif res.status ~= 302 then
ngx.status = 500
ngx.say("Request the keycloak didn't return the expected status.")
return
end
ngx.status = 200
ngx.say(res.headers["Location"])
}
}
--- request
GET /t
--- response_body_like
http://127.0.0.1:.*/hello
--- no_error_log
[error]