mirror of
https://gitee.com/iresty/apisix.git
synced 2024-11-29 18:48:31 +08:00
feat: support post_logout_redirect_uri config in openid-connect plugin (#6455)
This commit is contained in:
parent
a7bde90d9a
commit
6c233d35f9
@ -67,6 +67,10 @@ local schema = {
|
|||||||
type = "string",
|
type = "string",
|
||||||
description = "use ngx.var.request_uri if not configured"
|
description = "use ngx.var.request_uri if not configured"
|
||||||
},
|
},
|
||||||
|
post_logout_redirect_uri = {
|
||||||
|
type = "string",
|
||||||
|
description = "the URI will be redirect when request logout_path",
|
||||||
|
},
|
||||||
public_key = {type = "string"},
|
public_key = {type = "string"},
|
||||||
token_signing_alg_values_expected = {type = "string"},
|
token_signing_alg_values_expected = {type = "string"},
|
||||||
set_access_token_header = {
|
set_access_token_header = {
|
||||||
|
@ -47,6 +47,7 @@ The OAuth 2 / Open ID Connect(OIDC) plugin provides authentication and introspec
|
|||||||
| realm | string | optional | "apisix" | | Realm used for the authentication |
|
| realm | string | optional | "apisix" | | Realm used for the authentication |
|
||||||
| bearer_only | boolean | optional | false | | Setting this `true` will check for the authorization header in the request with a bearer token |
|
| bearer_only | boolean | optional | false | | Setting this `true` will check for the authorization header in the request with a bearer token |
|
||||||
| logout_path | string | optional | "/logout" | | |
|
| logout_path | string | optional | "/logout" | | |
|
||||||
|
| post_logout_redirect_uri | string | optional | | | URL want to redirect when request logout_path |
|
||||||
| redirect_uri | string | optional | "ngx.var.request_uri" | | |
|
| redirect_uri | string | optional | "ngx.var.request_uri" | | |
|
||||||
| timeout | integer | optional | 3 | [1,...] | Timeout in seconds |
|
| timeout | integer | optional | 3 | [1,...] | Timeout in seconds |
|
||||||
| ssl_verify | boolean | optional | false | | |
|
| ssl_verify | boolean | optional | false | | |
|
||||||
|
@ -45,6 +45,7 @@ OAuth 2 / Open ID Connect(OIDC)插件为 APISIX 提供身份验证和自省
|
|||||||
| realm | string | 可选 | "apisix" | | 用于认证 |
|
| realm | string | 可选 | "apisix" | | 用于认证 |
|
||||||
| bearer_only | boolean | 可选 | false | | 设置为 `true` 将检查请求中带有承载令牌的授权标头 |
|
| bearer_only | boolean | 可选 | false | | 设置为 `true` 将检查请求中带有承载令牌的授权标头 |
|
||||||
| logout_path | string | 可选 | "/logout" | | |
|
| logout_path | string | 可选 | "/logout" | | |
|
||||||
|
| post_logout_redirect_uri | string | 可选 | | | 调用登出接口后想要跳转的地址 |
|
||||||
| redirect_uri | string | 可选 | "ngx.var.request_uri" | | |
|
| redirect_uri | string | 可选 | "ngx.var.request_uri" | | |
|
||||||
| timeout | integer | 可选 | 3 | [1,...] | 超时时间,单位为秒 |
|
| timeout | integer | 可选 | 3 | [1,...] | 超时时间,单位为秒 |
|
||||||
| ssl_verify | boolean | 可选 | false | | |
|
| ssl_verify | boolean | 可选 | false | | |
|
||||||
|
136
t/lib/keycloak.lua
Normal file
136
t/lib/keycloak.lua
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
--
|
||||||
|
-- Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
-- contributor license agreements. See the NOTICE file distributed with
|
||||||
|
-- this work for additional information regarding copyright ownership.
|
||||||
|
-- The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
-- (the "License"); you may not use this file except in compliance with
|
||||||
|
-- the License. You may obtain a copy of the License at
|
||||||
|
--
|
||||||
|
-- http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
--
|
||||||
|
-- Unless required by applicable law or agreed to in writing, software
|
||||||
|
-- distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
-- See the License for the specific language governing permissions and
|
||||||
|
-- limitations under the License.
|
||||||
|
--
|
||||||
|
local http = require "resty.http"
|
||||||
|
|
||||||
|
local _M = {}
|
||||||
|
|
||||||
|
|
||||||
|
-- Request APISIX and redirect to keycloak,
|
||||||
|
-- Login keycloak and return the res of APISIX
|
||||||
|
function _M.login_keycloak(uri, username, password)
|
||||||
|
local httpc = http.new()
|
||||||
|
|
||||||
|
local res, err = httpc:request_uri(uri, {method = "GET"})
|
||||||
|
if not res then
|
||||||
|
return nil, err
|
||||||
|
elseif res.status ~= 302 then
|
||||||
|
-- Not a redirect which we expect.
|
||||||
|
-- Use 500 to indicate error.
|
||||||
|
return nil, "Initial request was not redirected to ID provider authorization endpoint."
|
||||||
|
else
|
||||||
|
-- Extract cookies. Important since OIDC module tracks state with a session cookie.
|
||||||
|
local cookies = res.headers['Set-Cookie']
|
||||||
|
|
||||||
|
-- Concatenate cookies into one string as expected when sent in request header.
|
||||||
|
local cookie_str = _M.concatenate_cookies(cookies)
|
||||||
|
|
||||||
|
-- Call authorization endpoint we were redirected to.
|
||||||
|
-- Note: This typically returns a login form which is the case here for Keycloak as well.
|
||||||
|
-- However, how we process the form to perform the login is specific to Keycloak and
|
||||||
|
-- possibly even the version used.
|
||||||
|
res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
|
||||||
|
if not res then
|
||||||
|
-- No response, must be an error.
|
||||||
|
return nil, err
|
||||||
|
elseif res.status ~= 200 then
|
||||||
|
-- Unexpected response.
|
||||||
|
return nil, res.body
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Check if response code was ok.
|
||||||
|
if res.status ~= 200 then
|
||||||
|
return nil, "unexpected status " .. res.status
|
||||||
|
end
|
||||||
|
|
||||||
|
-- From the returned form, extract the submit URI and parameters.
|
||||||
|
local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')
|
||||||
|
|
||||||
|
-- Substitute escaped ampersand in parameters.
|
||||||
|
params = params:gsub("&", "&")
|
||||||
|
|
||||||
|
-- Get all cookies returned. Probably not so important since not part of OIDC specification.
|
||||||
|
local auth_cookies = res.headers['Set-Cookie']
|
||||||
|
|
||||||
|
-- Concatenate cookies into one string as expected when sent in request header.
|
||||||
|
local auth_cookie_str = _M.concatenate_cookies(auth_cookies)
|
||||||
|
|
||||||
|
-- Invoke the submit URI with parameters and cookies, adding username
|
||||||
|
-- and password in the body.
|
||||||
|
-- Note: Username and password are specific to the Keycloak Docker image used.
|
||||||
|
res, err = httpc:request_uri(uri .. "?" .. params, {
|
||||||
|
method = "POST",
|
||||||
|
body = "username=" .. username .. "&password=" .. password,
|
||||||
|
headers = {
|
||||||
|
["Content-Type"] = "application/x-www-form-urlencoded",
|
||||||
|
["Cookie"] = auth_cookie_str
|
||||||
|
}
|
||||||
|
})
|
||||||
|
if not res then
|
||||||
|
-- No response, must be an error.
|
||||||
|
return nil, err
|
||||||
|
elseif res.status ~= 302 then
|
||||||
|
-- Not a redirect which we expect.
|
||||||
|
return nil, "Login form submission did not return redirect to redirect URI."
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Extract the redirect URI from the response header.
|
||||||
|
-- TODO: Consider validating this against the plugin configuration.
|
||||||
|
local redirect_uri = res.headers['Location']
|
||||||
|
|
||||||
|
-- Invoke the redirect URI (which contains the authorization code as an URL parameter).
|
||||||
|
res, err = httpc:request_uri(redirect_uri, {
|
||||||
|
method = "GET",
|
||||||
|
headers = {
|
||||||
|
["Cookie"] = cookie_str
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
if not res then
|
||||||
|
-- No response, must be an error.
|
||||||
|
return nil, err
|
||||||
|
elseif res.status ~= 302 then
|
||||||
|
-- Not a redirect which we expect.
|
||||||
|
return nil, "Invoking redirect URI with authorization code" ..
|
||||||
|
"did not return redirect to original URI."
|
||||||
|
end
|
||||||
|
|
||||||
|
return res, nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
-- Concatenate cookies into one string as expected when sent in request header.
|
||||||
|
function _M.concatenate_cookies(cookies)
|
||||||
|
local cookie_str = ""
|
||||||
|
if type(cookies) == 'string' then
|
||||||
|
cookie_str = cookies:match('([^;]*); .*')
|
||||||
|
else
|
||||||
|
-- Must be a table.
|
||||||
|
local len = #cookies
|
||||||
|
if len > 0 then
|
||||||
|
cookie_str = cookies[1]:match('([^;]*); .*')
|
||||||
|
for i = 2, len do
|
||||||
|
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
return cookie_str, nil
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
return _M
|
521
t/plugin/openid-connect.t
vendored
521
t/plugin/openid-connect.t
vendored
@ -280,194 +280,44 @@ passed
|
|||||||
location /t {
|
location /t {
|
||||||
content_by_lua_block {
|
content_by_lua_block {
|
||||||
local http = require "resty.http"
|
local http = require "resty.http"
|
||||||
|
local login_keycloak = require("lib.keycloak").login_keycloak
|
||||||
|
local concatenate_cookies = require("lib.keycloak").concatenate_cookies
|
||||||
|
|
||||||
local httpc = http.new()
|
local httpc = http.new()
|
||||||
|
|
||||||
-- Invoke /uri endpoint w/o bearer token. Should receive redirect to Keycloak authorization endpoint.
|
|
||||||
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
|
||||||
local res, err = httpc:request_uri(uri, {method = "GET"})
|
local res, err = login_keycloak(uri, "teacher@gmail.com", "123456")
|
||||||
|
if err then
|
||||||
|
ngx.status = 500
|
||||||
|
ngx.say(err)
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
|
||||||
|
-- Make the final call back to the original URI.
|
||||||
|
local redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
|
||||||
|
res, err = httpc:request_uri(redirect_uri, {
|
||||||
|
method = "GET",
|
||||||
|
headers = {
|
||||||
|
["Cookie"] = cookie_str
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
if not res then
|
if not res then
|
||||||
-- No response, must be an error.
|
-- No response, must be an error.
|
||||||
ngx.status = 500
|
ngx.status = 500
|
||||||
ngx.say(err)
|
ngx.say(err)
|
||||||
return
|
return
|
||||||
elseif res.status ~= 302 then
|
elseif res.status ~= 200 then
|
||||||
-- Not a redirect which we expect.
|
-- Not a valid response.
|
||||||
-- Use 500 to indicate error.
|
-- Use 500 to indicate error.
|
||||||
ngx.status = 500
|
ngx.status = 500
|
||||||
ngx.say("Initial request was not redirected to ID provider authorization endpoint.")
|
ngx.say("Invoking the original URI didn't return the expected result.")
|
||||||
return
|
return
|
||||||
else
|
|
||||||
-- Redirect to ID provider's authorization endpoint.
|
|
||||||
|
|
||||||
-- Extract nonce and state from response header.
|
|
||||||
local nonce = res.headers['Location']:match('.*nonce=([^&]+).*')
|
|
||||||
local state = res.headers['Location']:match('.*state=([^&]+).*')
|
|
||||||
|
|
||||||
-- Extract cookies. Important since OIDC module tracks state with a session cookie.
|
|
||||||
local cookies = res.headers['Set-Cookie']
|
|
||||||
|
|
||||||
-- Concatenate cookies into one string as expected when sent in request header.
|
|
||||||
local cookie_str = ""
|
|
||||||
|
|
||||||
if type(cookies) == 'string' then
|
|
||||||
cookie_str = cookies:match('([^;]*); .*')
|
|
||||||
else
|
|
||||||
-- Must be a table.
|
|
||||||
local len = #cookies
|
|
||||||
if len > 0 then
|
|
||||||
cookie_str = cookies[1]:match('([^;]*); .*')
|
|
||||||
for i = 2, len do
|
|
||||||
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Call authorization endpoint we were redirected to.
|
|
||||||
-- Note: This typically returns a login form which is the case here for Keycloak as well.
|
|
||||||
-- However, how we process the form to perform the login is specific to Keycloak and
|
|
||||||
-- possibly even the version used.
|
|
||||||
res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
|
|
||||||
|
|
||||||
if not res then
|
|
||||||
-- No response, must be an error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say(err)
|
|
||||||
return
|
|
||||||
elseif res.status ~= 200 then
|
|
||||||
-- Unexpected response.
|
|
||||||
ngx.status = res.status
|
|
||||||
ngx.say(res.body)
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Check if response code was ok.
|
|
||||||
if res.status == 200 then
|
|
||||||
-- From the returned form, extract the submit URI and parameters.
|
|
||||||
local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')
|
|
||||||
|
|
||||||
-- Substitute escaped ampersand in parameters.
|
|
||||||
params = params:gsub("&", "&")
|
|
||||||
|
|
||||||
-- Get all cookies returned. Probably not so important since not part of OIDC specification.
|
|
||||||
local auth_cookies = res.headers['Set-Cookie']
|
|
||||||
|
|
||||||
-- Concatenate cookies into one string as expected when sent in request header.
|
|
||||||
local auth_cookie_str = ""
|
|
||||||
|
|
||||||
if type(auth_cookies) == 'string' then
|
|
||||||
auth_cookie_str = auth_cookies:match('([^;]*); .*')
|
|
||||||
else
|
|
||||||
-- Must be a table.
|
|
||||||
local len = #auth_cookies
|
|
||||||
if len > 0 then
|
|
||||||
auth_cookie_str = auth_cookies[1]:match('([^;]*); .*')
|
|
||||||
for i = 2, len do
|
|
||||||
auth_cookie_str = auth_cookie_str .. "; " .. auth_cookies[i]:match('([^;]*); .*')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Invoke the submit URI with parameters and cookies, adding username and password in the body.
|
|
||||||
-- Note: Username and password are specific to the Keycloak Docker image used.
|
|
||||||
res, err = httpc:request_uri(uri .. "?" .. params, {
|
|
||||||
method = "POST",
|
|
||||||
body = "username=teacher@gmail.com&password=123456",
|
|
||||||
headers = {
|
|
||||||
["Content-Type"] = "application/x-www-form-urlencoded",
|
|
||||||
["Cookie"] = auth_cookie_str
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
if not res then
|
|
||||||
-- No response, must be an error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say(err)
|
|
||||||
return
|
|
||||||
elseif res.status ~= 302 then
|
|
||||||
-- Not a redirect which we expect.
|
|
||||||
-- Use 500 to indicate error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say("Login form submission did not return redirect to redirect URI.")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Extract the redirect URI from the response header.
|
|
||||||
-- TODO: Consider validating this against the plugin configuration.
|
|
||||||
local redirect_uri = res.headers['Location']
|
|
||||||
|
|
||||||
-- Invoke the redirect URI (which contains the authorization code as an URL parameter).
|
|
||||||
res, err = httpc:request_uri(redirect_uri, {
|
|
||||||
method = "GET",
|
|
||||||
headers = {
|
|
||||||
["Cookie"] = cookie_str
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
if not res then
|
|
||||||
-- No response, must be an error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say(err)
|
|
||||||
return
|
|
||||||
elseif res.status ~= 302 then
|
|
||||||
-- Not a redirect which we expect.
|
|
||||||
-- Use 500 to indicate error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say("Invoking redirect URI with authorization code did not return redirect to original URI.")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Get all cookies returned. This should update the session cookie maintained by the OIDC module with the new state.
|
|
||||||
-- E.g. the session cookie should now contain the access token, ID token and user info.
|
|
||||||
-- The cookie itself should however be treated as opaque.
|
|
||||||
cookies = res.headers['Set-Cookie']
|
|
||||||
|
|
||||||
-- Concatenate cookies into one string as expected when sent in request header.
|
|
||||||
if type(cookies) == 'string' then
|
|
||||||
cookie_str = cookies:match('([^;]*); .*')
|
|
||||||
else
|
|
||||||
-- Must be a table.
|
|
||||||
local len = #cookies
|
|
||||||
if len > 0 then
|
|
||||||
cookie_str = cookies[1]:match('([^;]*); .*')
|
|
||||||
for i = 2, len do
|
|
||||||
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Get the final URI out of the Location response header. This should be the original URI that was requested.
|
|
||||||
-- TODO: Consider checking the URI against the original request URI.
|
|
||||||
redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
|
|
||||||
|
|
||||||
-- Make the final call back to the original URI.
|
|
||||||
res, err = httpc:request_uri(redirect_uri, {
|
|
||||||
method = "GET",
|
|
||||||
headers = {
|
|
||||||
["Cookie"] = cookie_str
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
if not res then
|
|
||||||
-- No response, must be an error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say(err)
|
|
||||||
return
|
|
||||||
elseif res.status ~= 200 then
|
|
||||||
-- Not a valid response.
|
|
||||||
-- Use 500 to indicate error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say("Invoking the original URI didn't return the expected result.")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
ngx.status = res.status
|
|
||||||
ngx.say(res.body)
|
|
||||||
else
|
|
||||||
-- Response from Keycloak not ok.
|
|
||||||
ngx.say(false)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
ngx.status = res.status
|
||||||
|
ngx.say(res.body)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
--- request
|
--- request
|
||||||
@ -573,194 +423,44 @@ passed
|
|||||||
location /t {
|
location /t {
|
||||||
content_by_lua_block {
|
content_by_lua_block {
|
||||||
local http = require "resty.http"
|
local http = require "resty.http"
|
||||||
|
local login_keycloak = require("lib.keycloak").login_keycloak
|
||||||
|
local concatenate_cookies = require("lib.keycloak").concatenate_cookies
|
||||||
|
|
||||||
local httpc = http.new()
|
local httpc = http.new()
|
||||||
|
|
||||||
-- Invoke /uri endpoint w/o bearer token. Should receive redirect to Keycloak authorization endpoint.
|
|
||||||
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
|
||||||
local res, err = httpc:request_uri(uri, {method = "GET"})
|
local res, err = login_keycloak(uri, "teacher@gmail.com", "123456")
|
||||||
|
if err then
|
||||||
|
ngx.status = 500
|
||||||
|
ngx.say(err)
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
|
||||||
|
-- Make the final call back to the original URI.
|
||||||
|
local redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
|
||||||
|
res, err = httpc:request_uri(redirect_uri, {
|
||||||
|
method = "GET",
|
||||||
|
headers = {
|
||||||
|
["Cookie"] = cookie_str
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
if not res then
|
if not res then
|
||||||
-- No response, must be an error.
|
-- No response, must be an error.
|
||||||
ngx.status = 500
|
ngx.status = 500
|
||||||
ngx.say(err)
|
ngx.say(err)
|
||||||
return
|
return
|
||||||
elseif res.status ~= 302 then
|
elseif res.status ~= 200 then
|
||||||
-- Not a redirect which we expect.
|
-- Not a valid response.
|
||||||
-- Use 500 to indicate error.
|
-- Use 500 to indicate error.
|
||||||
ngx.status = 500
|
ngx.status = 500
|
||||||
ngx.say("Initial request was not redirected to ID provider authorization endpoint.")
|
ngx.say("Invoking the original URI didn't return the expected result.")
|
||||||
return
|
return
|
||||||
else
|
|
||||||
-- Redirect to ID provider's authorization endpoint.
|
|
||||||
|
|
||||||
-- Extract nonce and state from response header.
|
|
||||||
local nonce = res.headers['Location']:match('.*nonce=([^&]+).*')
|
|
||||||
local state = res.headers['Location']:match('.*state=([^&]+).*')
|
|
||||||
|
|
||||||
-- Extract cookies. Important since OIDC module tracks state with a session cookie.
|
|
||||||
local cookies = res.headers['Set-Cookie']
|
|
||||||
|
|
||||||
-- Concatenate cookies into one string as expected when sent in request header.
|
|
||||||
local cookie_str = ""
|
|
||||||
|
|
||||||
if type(cookies) == 'string' then
|
|
||||||
cookie_str = cookies:match('([^;]*); .*')
|
|
||||||
else
|
|
||||||
-- Must be a table.
|
|
||||||
local len = #cookies
|
|
||||||
if len > 0 then
|
|
||||||
cookie_str = cookies[1]:match('([^;]*); .*')
|
|
||||||
for i = 2, len do
|
|
||||||
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Call authorization endpoint we were redirected to.
|
|
||||||
-- Note: This typically returns a login form which is the case here for Keycloak as well.
|
|
||||||
-- However, how we process the form to perform the login is specific to Keycloak and
|
|
||||||
-- possibly even the version used.
|
|
||||||
res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
|
|
||||||
|
|
||||||
if not res then
|
|
||||||
-- No response, must be an error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say(err)
|
|
||||||
return
|
|
||||||
elseif res.status ~= 200 then
|
|
||||||
-- Unexpected response.
|
|
||||||
ngx.status = res.status
|
|
||||||
ngx.say(res.body)
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Check if response code was ok.
|
|
||||||
if res.status == 200 then
|
|
||||||
-- From the returned form, extract the submit URI and parameters.
|
|
||||||
local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')
|
|
||||||
|
|
||||||
-- Substitute escaped ampersand in parameters.
|
|
||||||
params = params:gsub("&", "&")
|
|
||||||
|
|
||||||
-- Get all cookies returned. Probably not so important since not part of OIDC specification.
|
|
||||||
local auth_cookies = res.headers['Set-Cookie']
|
|
||||||
|
|
||||||
-- Concatenate cookies into one string as expected when sent in request header.
|
|
||||||
local auth_cookie_str = ""
|
|
||||||
|
|
||||||
if type(auth_cookies) == 'string' then
|
|
||||||
auth_cookie_str = auth_cookies:match('([^;]*); .*')
|
|
||||||
else
|
|
||||||
-- Must be a table.
|
|
||||||
local len = #auth_cookies
|
|
||||||
if len > 0 then
|
|
||||||
auth_cookie_str = auth_cookies[1]:match('([^;]*); .*')
|
|
||||||
for i = 2, len do
|
|
||||||
auth_cookie_str = auth_cookie_str .. "; " .. auth_cookies[i]:match('([^;]*); .*')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Invoke the submit URI with parameters and cookies, adding username and password in the body.
|
|
||||||
-- Note: Username and password are specific to the Keycloak Docker image used.
|
|
||||||
res, err = httpc:request_uri(uri .. "?" .. params, {
|
|
||||||
method = "POST",
|
|
||||||
body = "username=teacher@gmail.com&password=123456",
|
|
||||||
headers = {
|
|
||||||
["Content-Type"] = "application/x-www-form-urlencoded",
|
|
||||||
["Cookie"] = auth_cookie_str
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
if not res then
|
|
||||||
-- No response, must be an error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say(err)
|
|
||||||
return
|
|
||||||
elseif res.status ~= 302 then
|
|
||||||
-- Not a redirect which we expect.
|
|
||||||
-- Use 500 to indicate error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say("Login form submission did not return redirect to redirect URI.")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Extract the redirect URI from the response header.
|
|
||||||
-- TODO: Consider validating this against the plugin configuration.
|
|
||||||
local redirect_uri = res.headers['Location']
|
|
||||||
|
|
||||||
-- Invoke the redirect URI (which contains the authorization code as an URL parameter).
|
|
||||||
res, err = httpc:request_uri(redirect_uri, {
|
|
||||||
method = "GET",
|
|
||||||
headers = {
|
|
||||||
["Cookie"] = cookie_str
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
if not res then
|
|
||||||
-- No response, must be an error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say(err)
|
|
||||||
return
|
|
||||||
elseif res.status ~= 302 then
|
|
||||||
-- Not a redirect which we expect.
|
|
||||||
-- Use 500 to indicate error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say("Invoking redirect URI with authorization code did not return redirect to original URI.")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Get all cookies returned. This should update the session cookie maintained by the OIDC module with the new state.
|
|
||||||
-- E.g. the session cookie should now contain the access token, ID token and user info.
|
|
||||||
-- The cookie itself should however be treated as opaque.
|
|
||||||
cookies = res.headers['Set-Cookie']
|
|
||||||
|
|
||||||
-- Concatenate cookies into one string as expected when sent in request header.
|
|
||||||
if type(cookies) == 'string' then
|
|
||||||
cookie_str = cookies:match('([^;]*); .*')
|
|
||||||
else
|
|
||||||
-- Must be a table.
|
|
||||||
local len = #cookies
|
|
||||||
if len > 0 then
|
|
||||||
cookie_str = cookies[1]:match('([^;]*); .*')
|
|
||||||
for i = 2, len do
|
|
||||||
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Get the final URI out of the Location response header. This should be the original URI that was requested.
|
|
||||||
-- TODO: Consider checking the URI against the original request URI.
|
|
||||||
redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
|
|
||||||
|
|
||||||
-- Make the final call back to the original URI.
|
|
||||||
res, err = httpc:request_uri(redirect_uri, {
|
|
||||||
method = "GET",
|
|
||||||
headers = {
|
|
||||||
["Cookie"] = cookie_str
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
if not res then
|
|
||||||
-- No response, must be an error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say(err)
|
|
||||||
return
|
|
||||||
elseif res.status ~= 200 then
|
|
||||||
-- Not a valid response.
|
|
||||||
-- Use 500 to indicate error.
|
|
||||||
ngx.status = 500
|
|
||||||
ngx.say("Invoking the original URI didn't return the expected result.")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
ngx.status = res.status
|
|
||||||
ngx.say(res.body)
|
|
||||||
else
|
|
||||||
-- Response from Keycloak not ok.
|
|
||||||
ngx.say(false)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
ngx.status = res.status
|
||||||
|
ngx.say(res.body)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
--- request
|
--- request
|
||||||
@ -1665,3 +1365,124 @@ GET /t
|
|||||||
false
|
false
|
||||||
--- error_log
|
--- error_log
|
||||||
OIDC introspection failed: invalid jwt: invalid jwt string
|
OIDC introspection failed: invalid jwt: invalid jwt string
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
=== TEST 28: Modify route to match catch-all URI `/*` and add post_logout_redirect_uri option.
|
||||||
|
--- config
|
||||||
|
location /t {
|
||||||
|
content_by_lua_block {
|
||||||
|
local t = require("lib.test_admin").test
|
||||||
|
local code, body = t('/apisix/admin/routes/1',
|
||||||
|
ngx.HTTP_PUT,
|
||||||
|
[[{
|
||||||
|
"plugins": {
|
||||||
|
"openid-connect": {
|
||||||
|
"discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
|
||||||
|
"realm": "University",
|
||||||
|
"client_id": "course_management",
|
||||||
|
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
|
||||||
|
"redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/authenticated",
|
||||||
|
"ssl_verify": false,
|
||||||
|
"timeout": 10,
|
||||||
|
"introspection_endpoint_auth_method": "client_secret_post",
|
||||||
|
"introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
|
||||||
|
"set_access_token_header": true,
|
||||||
|
"access_token_in_authorization_header": false,
|
||||||
|
"set_id_token_header": true,
|
||||||
|
"set_userinfo_header": true,
|
||||||
|
"post_logout_redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/hello"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"upstream": {
|
||||||
|
"nodes": {
|
||||||
|
"127.0.0.1:1980": 1
|
||||||
|
},
|
||||||
|
"type": "roundrobin"
|
||||||
|
},
|
||||||
|
"uri": "/*"
|
||||||
|
}]]
|
||||||
|
)
|
||||||
|
|
||||||
|
if code >= 300 then
|
||||||
|
ngx.status = code
|
||||||
|
end
|
||||||
|
ngx.say(body)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--- request
|
||||||
|
GET /t
|
||||||
|
--- response_body
|
||||||
|
passed
|
||||||
|
--- no_error_log
|
||||||
|
[error]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
=== TEST 29: Access route w/o bearer token and request logout to redirect to post_logout_redirect_uri.
|
||||||
|
--- config
|
||||||
|
location /t {
|
||||||
|
content_by_lua_block {
|
||||||
|
local http = require "resty.http"
|
||||||
|
local login_keycloak = require("lib.keycloak").login_keycloak
|
||||||
|
local concatenate_cookies = require("lib.keycloak").concatenate_cookies
|
||||||
|
|
||||||
|
local httpc = http.new()
|
||||||
|
|
||||||
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
|
||||||
|
local res, err = login_keycloak(uri, "teacher@gmail.com", "123456")
|
||||||
|
if err then
|
||||||
|
ngx.status = 500
|
||||||
|
ngx.say(err)
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
local cookie_str = concatenate_cookies(res.headers['Set-Cookie'])
|
||||||
|
|
||||||
|
-- Request the logout uri with the log-in cookie
|
||||||
|
local logout_uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/logout"
|
||||||
|
res, err = httpc:request_uri(logout_uri, {
|
||||||
|
method = "GET",
|
||||||
|
headers = {
|
||||||
|
["Cookie"] = cookie_str
|
||||||
|
}
|
||||||
|
})
|
||||||
|
if not res then
|
||||||
|
-- No response, must be an error
|
||||||
|
-- Use 500 to indicate error
|
||||||
|
ngx.status = 500
|
||||||
|
ngx.say(err)
|
||||||
|
return
|
||||||
|
elseif res.status ~= 302 then
|
||||||
|
ngx.status = 500
|
||||||
|
ngx.say("Request the logout URI didn't return the expected status.")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Request the location, it's a URL of keycloak and contains the post_logout_redirect_uri
|
||||||
|
-- Like:
|
||||||
|
-- http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/logout?post_logout_redirect=http://127.0.0.1:1984/hello
|
||||||
|
local location = res.headers["Location"]
|
||||||
|
res, err = httpc:request_uri(location, {
|
||||||
|
method = "GET"
|
||||||
|
})
|
||||||
|
if not res then
|
||||||
|
ngx.status = 500
|
||||||
|
ngx.say(err)
|
||||||
|
return
|
||||||
|
elseif res.status ~= 302 then
|
||||||
|
ngx.status = 500
|
||||||
|
ngx.say("Request the keycloak didn't return the expected status.")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
ngx.status = 200
|
||||||
|
ngx.say(res.headers["Location"])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--- request
|
||||||
|
GET /t
|
||||||
|
--- response_body_like
|
||||||
|
http://127.0.0.1:.*/hello
|
||||||
|
--- no_error_log
|
||||||
|
[error]
|
||||||
|
Loading…
Reference in New Issue
Block a user