mirror of
https://gitee.com/iresty/apisix.git
synced 2024-12-04 21:17:36 +08:00
1490 lines
62 KiB
Perl
1490 lines
62 KiB
Perl
#
|
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
|
# contributor license agreements. See the NOTICE file distributed with
|
|
# this work for additional information regarding copyright ownership.
|
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
|
# (the "License"); you may not use this file except in compliance with
|
|
# the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
use t::APISIX 'no_plan';
|
|
|
|
repeat_each(1);
|
|
no_long_string();
|
|
no_root_location();
|
|
no_shuffle();
|
|
run_tests;
|
|
|
|
__DATA__
|
|
|
|
=== TEST 1: Sanity check with minimal valid configuration.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local plugin = require("apisix.plugins.openid-connect")
|
|
local ok, err = plugin.check_schema({client_id = "a", client_secret = "b", discovery = "c"})
|
|
if not ok then
|
|
ngx.say(err)
|
|
end
|
|
|
|
ngx.say("done")
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
done
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 2: Missing `client_id`.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local plugin = require("apisix.plugins.openid-connect")
|
|
local ok, err = plugin.check_schema({client_secret = "b", discovery = "c"})
|
|
if not ok then
|
|
ngx.say(err)
|
|
end
|
|
|
|
ngx.say("done")
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
property "client_id" is required
|
|
done
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 3: Wrong type for `client_id`.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local plugin = require("apisix.plugins.openid-connect")
|
|
local ok, err = plugin.check_schema({client_id = 123, client_secret = "b", discovery = "c"})
|
|
if not ok then
|
|
ngx.say(err)
|
|
end
|
|
|
|
ngx.say("done")
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
property "client_id" validation failed: wrong type: expected string, got number
|
|
done
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 4: Set up new route with plugin matching URI `/hello`.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "http://127.0.0.1:1980/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"scope": "apisix"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
}]],
|
|
[[{
|
|
"node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "http://127.0.0.1:1980/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"scope": "apisix"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 5: Access route w/o bearer token. Should redirect to authentication endpoint of ID provider.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local http = require "resty.http"
|
|
local httpc = http.new()
|
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
|
|
local res, err = httpc:request_uri(uri, {method = "GET"})
|
|
ngx.status = res.status
|
|
local location = res.headers['Location']
|
|
if location and string.find(location, 'https://samples.auth0.com/authorize') ~= -1 and
|
|
string.find(location, 'scope=apisix') ~= -1 and
|
|
string.find(location, 'client_id=kbyuFDidLLm280LIwVFiazOqjO3ty8KH') ~= -1 and
|
|
string.find(location, 'response_type=code') ~= -1 and
|
|
string.find(location, 'redirect_uri=https://iresty.com') ~= -1 then
|
|
ngx.say(true)
|
|
end
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- timeout: 10s
|
|
--- response_body
|
|
true
|
|
--- error_code: 302
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 6: Modify route to match catch-all URI `/*` and point plugin to local Keycloak instance.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
|
|
"realm": "University",
|
|
"client_id": "course_management",
|
|
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
|
|
"redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/authenticated",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"introspection_endpoint_auth_method": "client_secret_post",
|
|
"introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
|
|
"set_access_token_header": true,
|
|
"access_token_in_authorization_header": false,
|
|
"set_id_token_header": true,
|
|
"set_userinfo_header": true
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/*"
|
|
}]],
|
|
[[{
|
|
"node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "course_management",
|
|
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
|
|
"discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
|
|
"redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/authenticated",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"realm": "University",
|
|
"introspection_endpoint_auth_method": "client_secret_post",
|
|
"introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
|
|
"set_access_token_header": true,
|
|
"access_token_in_authorization_header": false,
|
|
"set_id_token_header": true,
|
|
"set_userinfo_header": true
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/*"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 7: Access route w/o bearer token and go through the full OIDC Relying Party authentication process.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local http = require "resty.http"
|
|
local httpc = http.new()
|
|
|
|
-- Invoke /uri endpoint w/o bearer token. Should receive redirect to Keycloak authorization endpoint.
|
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
|
|
local res, err = httpc:request_uri(uri, {method = "GET"})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 302 then
|
|
-- Not a redirect which we expect.
|
|
-- Use 500 to indicate error.
|
|
ngx.status = 500
|
|
ngx.say("Initial request was not redirected to ID provider authorization endpoint.")
|
|
return
|
|
else
|
|
-- Redirect to ID provider's authorization endpoint.
|
|
|
|
-- Extract nonce and state from response header.
|
|
local nonce = res.headers['Location']:match('.*nonce=([^&]+).*')
|
|
local state = res.headers['Location']:match('.*state=([^&]+).*')
|
|
|
|
-- Extract cookies. Important since OIDC module tracks state with a session cookie.
|
|
local cookies = res.headers['Set-Cookie']
|
|
|
|
-- Concatenate cookies into one string as expected when sent in request header.
|
|
local cookie_str = ""
|
|
|
|
if type(cookies) == 'string' then
|
|
cookie_str = cookies:match('([^;]*); .*')
|
|
else
|
|
-- Must be a table.
|
|
local len = #cookies
|
|
if len > 0 then
|
|
cookie_str = cookies[1]:match('([^;]*); .*')
|
|
for i = 2, len do
|
|
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
|
end
|
|
end
|
|
end
|
|
|
|
-- Call authorization endpoint we were redirected to.
|
|
-- Note: This typically returns a login form which is the case here for Keycloak as well.
|
|
-- However, how we process the form to perform the login is specific to Keycloak and
|
|
-- possibly even the version used.
|
|
res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 200 then
|
|
-- Unexpected response.
|
|
ngx.status = res.status
|
|
ngx.say(res.body)
|
|
return
|
|
end
|
|
|
|
-- Check if response code was ok.
|
|
if res.status == 200 then
|
|
-- From the returned form, extract the submit URI and parameters.
|
|
local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')
|
|
|
|
-- Substitute escaped ampersand in parameters.
|
|
params = params:gsub("&", "&")
|
|
|
|
-- Get all cookies returned. Probably not so important since not part of OIDC specification.
|
|
local auth_cookies = res.headers['Set-Cookie']
|
|
|
|
-- Concatenate cookies into one string as expected when sent in request header.
|
|
local auth_cookie_str = ""
|
|
|
|
if type(auth_cookies) == 'string' then
|
|
auth_cookie_str = auth_cookies:match('([^;]*); .*')
|
|
else
|
|
-- Must be a table.
|
|
local len = #auth_cookies
|
|
if len > 0 then
|
|
auth_cookie_str = auth_cookies[1]:match('([^;]*); .*')
|
|
for i = 2, len do
|
|
auth_cookie_str = auth_cookie_str .. "; " .. auth_cookies[i]:match('([^;]*); .*')
|
|
end
|
|
end
|
|
end
|
|
|
|
-- Invoke the submit URI with parameters and cookies, adding username and password in the body.
|
|
-- Note: Username and password are specific to the Keycloak Docker image used.
|
|
res, err = httpc:request_uri(uri .. "?" .. params, {
|
|
method = "POST",
|
|
body = "username=teacher@gmail.com&password=123456",
|
|
headers = {
|
|
["Content-Type"] = "application/x-www-form-urlencoded",
|
|
["Cookie"] = auth_cookie_str
|
|
}
|
|
})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 302 then
|
|
-- Not a redirect which we expect.
|
|
-- Use 500 to indicate error.
|
|
ngx.status = 500
|
|
ngx.say("Login form submission did not return redirect to redirect URI.")
|
|
return
|
|
end
|
|
|
|
-- Extract the redirect URI from the response header.
|
|
-- TODO: Consider validating this against the plugin configuration.
|
|
local redirect_uri = res.headers['Location']
|
|
|
|
-- Invoke the redirect URI (which contains the authorization code as an URL parameter).
|
|
res, err = httpc:request_uri(redirect_uri, {
|
|
method = "GET",
|
|
headers = {
|
|
["Cookie"] = cookie_str
|
|
}
|
|
})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 302 then
|
|
-- Not a redirect which we expect.
|
|
-- Use 500 to indicate error.
|
|
ngx.status = 500
|
|
ngx.say("Invoking redirect URI with authorization code did not return redirect to original URI.")
|
|
return
|
|
end
|
|
|
|
-- Get all cookies returned. This should update the session cookie maintained by the OIDC module with the new state.
|
|
-- E.g. the session cookie should now contain the access token, ID token and user info.
|
|
-- The cookie itself should however be treated as opaque.
|
|
cookies = res.headers['Set-Cookie']
|
|
|
|
-- Concatenate cookies into one string as expected when sent in request header.
|
|
if type(cookies) == 'string' then
|
|
cookie_str = cookies:match('([^;]*); .*')
|
|
else
|
|
-- Must be a table.
|
|
local len = #cookies
|
|
if len > 0 then
|
|
cookie_str = cookies[1]:match('([^;]*); .*')
|
|
for i = 2, len do
|
|
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
|
end
|
|
end
|
|
end
|
|
|
|
-- Get the final URI out of the Location response header. This should be the original URI that was requested.
|
|
-- TODO: Consider checking the URI against the original request URI.
|
|
redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
|
|
|
|
-- Make the final call back to the original URI.
|
|
res, err = httpc:request_uri(redirect_uri, {
|
|
method = "GET",
|
|
headers = {
|
|
["Cookie"] = cookie_str
|
|
}
|
|
})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 200 then
|
|
-- Not a valid response.
|
|
-- Use 500 to indicate error.
|
|
ngx.status = 500
|
|
ngx.say("Invoking the original URI didn't return the expected result.")
|
|
return
|
|
end
|
|
|
|
ngx.status = res.status
|
|
ngx.say(res.body)
|
|
else
|
|
-- Response from Keycloak not ok.
|
|
ngx.say(false)
|
|
end
|
|
end
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body_like
|
|
uri: /uri
|
|
cookie: .*
|
|
host: 127.0.0.1:1984
|
|
user-agent: .*
|
|
x-access-token: ey.*
|
|
x-id-token: ey.*
|
|
x-real-ip: 127.0.0.1
|
|
x-userinfo: ey.*
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 8: Re-configure plugin with respect to headers that get sent to upstream.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
|
|
"realm": "University",
|
|
"client_id": "course_management",
|
|
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
|
|
"redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/authenticated",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"introspection_endpoint_auth_method": "client_secret_post",
|
|
"introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
|
|
"set_access_token_header": true,
|
|
"access_token_in_authorization_header": true,
|
|
"set_id_token_header": false,
|
|
"set_userinfo_header": false
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/*"
|
|
}]],
|
|
[[{
|
|
"node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "course_management",
|
|
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
|
|
"discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
|
|
"redirect_uri": "http://127.0.0.1:]] .. ngx.var.server_port .. [[/authenticated",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"realm": "University",
|
|
"introspection_endpoint_auth_method": "client_secret_post",
|
|
"introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect",
|
|
"set_access_token_header": true,
|
|
"access_token_in_authorization_header": true,
|
|
"set_id_token_header": false,
|
|
"set_userinfo_header": false
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/*"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 9: Access route w/o bearer token and go through the full OIDC Relying Party authentication process.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local http = require "resty.http"
|
|
local httpc = http.new()
|
|
|
|
-- Invoke /uri endpoint w/o bearer token. Should receive redirect to Keycloak authorization endpoint.
|
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/uri"
|
|
local res, err = httpc:request_uri(uri, {method = "GET"})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 302 then
|
|
-- Not a redirect which we expect.
|
|
-- Use 500 to indicate error.
|
|
ngx.status = 500
|
|
ngx.say("Initial request was not redirected to ID provider authorization endpoint.")
|
|
return
|
|
else
|
|
-- Redirect to ID provider's authorization endpoint.
|
|
|
|
-- Extract nonce and state from response header.
|
|
local nonce = res.headers['Location']:match('.*nonce=([^&]+).*')
|
|
local state = res.headers['Location']:match('.*state=([^&]+).*')
|
|
|
|
-- Extract cookies. Important since OIDC module tracks state with a session cookie.
|
|
local cookies = res.headers['Set-Cookie']
|
|
|
|
-- Concatenate cookies into one string as expected when sent in request header.
|
|
local cookie_str = ""
|
|
|
|
if type(cookies) == 'string' then
|
|
cookie_str = cookies:match('([^;]*); .*')
|
|
else
|
|
-- Must be a table.
|
|
local len = #cookies
|
|
if len > 0 then
|
|
cookie_str = cookies[1]:match('([^;]*); .*')
|
|
for i = 2, len do
|
|
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
|
end
|
|
end
|
|
end
|
|
|
|
-- Call authorization endpoint we were redirected to.
|
|
-- Note: This typically returns a login form which is the case here for Keycloak as well.
|
|
-- However, how we process the form to perform the login is specific to Keycloak and
|
|
-- possibly even the version used.
|
|
res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 200 then
|
|
-- Unexpected response.
|
|
ngx.status = res.status
|
|
ngx.say(res.body)
|
|
return
|
|
end
|
|
|
|
-- Check if response code was ok.
|
|
if res.status == 200 then
|
|
-- From the returned form, extract the submit URI and parameters.
|
|
local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')
|
|
|
|
-- Substitute escaped ampersand in parameters.
|
|
params = params:gsub("&", "&")
|
|
|
|
-- Get all cookies returned. Probably not so important since not part of OIDC specification.
|
|
local auth_cookies = res.headers['Set-Cookie']
|
|
|
|
-- Concatenate cookies into one string as expected when sent in request header.
|
|
local auth_cookie_str = ""
|
|
|
|
if type(auth_cookies) == 'string' then
|
|
auth_cookie_str = auth_cookies:match('([^;]*); .*')
|
|
else
|
|
-- Must be a table.
|
|
local len = #auth_cookies
|
|
if len > 0 then
|
|
auth_cookie_str = auth_cookies[1]:match('([^;]*); .*')
|
|
for i = 2, len do
|
|
auth_cookie_str = auth_cookie_str .. "; " .. auth_cookies[i]:match('([^;]*); .*')
|
|
end
|
|
end
|
|
end
|
|
|
|
-- Invoke the submit URI with parameters and cookies, adding username and password in the body.
|
|
-- Note: Username and password are specific to the Keycloak Docker image used.
|
|
res, err = httpc:request_uri(uri .. "?" .. params, {
|
|
method = "POST",
|
|
body = "username=teacher@gmail.com&password=123456",
|
|
headers = {
|
|
["Content-Type"] = "application/x-www-form-urlencoded",
|
|
["Cookie"] = auth_cookie_str
|
|
}
|
|
})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 302 then
|
|
-- Not a redirect which we expect.
|
|
-- Use 500 to indicate error.
|
|
ngx.status = 500
|
|
ngx.say("Login form submission did not return redirect to redirect URI.")
|
|
return
|
|
end
|
|
|
|
-- Extract the redirect URI from the response header.
|
|
-- TODO: Consider validating this against the plugin configuration.
|
|
local redirect_uri = res.headers['Location']
|
|
|
|
-- Invoke the redirect URI (which contains the authorization code as an URL parameter).
|
|
res, err = httpc:request_uri(redirect_uri, {
|
|
method = "GET",
|
|
headers = {
|
|
["Cookie"] = cookie_str
|
|
}
|
|
})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 302 then
|
|
-- Not a redirect which we expect.
|
|
-- Use 500 to indicate error.
|
|
ngx.status = 500
|
|
ngx.say("Invoking redirect URI with authorization code did not return redirect to original URI.")
|
|
return
|
|
end
|
|
|
|
-- Get all cookies returned. This should update the session cookie maintained by the OIDC module with the new state.
|
|
-- E.g. the session cookie should now contain the access token, ID token and user info.
|
|
-- The cookie itself should however be treated as opaque.
|
|
cookies = res.headers['Set-Cookie']
|
|
|
|
-- Concatenate cookies into one string as expected when sent in request header.
|
|
if type(cookies) == 'string' then
|
|
cookie_str = cookies:match('([^;]*); .*')
|
|
else
|
|
-- Must be a table.
|
|
local len = #cookies
|
|
if len > 0 then
|
|
cookie_str = cookies[1]:match('([^;]*); .*')
|
|
for i = 2, len do
|
|
cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
|
|
end
|
|
end
|
|
end
|
|
|
|
-- Get the final URI out of the Location response header. This should be the original URI that was requested.
|
|
-- TODO: Consider checking the URI against the original request URI.
|
|
redirect_uri = "http://127.0.0.1:" .. ngx.var.server_port .. res.headers['Location']
|
|
|
|
-- Make the final call back to the original URI.
|
|
res, err = httpc:request_uri(redirect_uri, {
|
|
method = "GET",
|
|
headers = {
|
|
["Cookie"] = cookie_str
|
|
}
|
|
})
|
|
|
|
if not res then
|
|
-- No response, must be an error.
|
|
ngx.status = 500
|
|
ngx.say(err)
|
|
return
|
|
elseif res.status ~= 200 then
|
|
-- Not a valid response.
|
|
-- Use 500 to indicate error.
|
|
ngx.status = 500
|
|
ngx.say("Invoking the original URI didn't return the expected result.")
|
|
return
|
|
end
|
|
|
|
ngx.status = res.status
|
|
ngx.say(res.body)
|
|
else
|
|
-- Response from Keycloak not ok.
|
|
ngx.say(false)
|
|
end
|
|
end
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body_like
|
|
uri: /uri
|
|
authorization: Bearer ey.*
|
|
cookie: .*
|
|
host: 127.0.0.1:1984
|
|
user-agent: .*
|
|
x-real-ip: 127.0.0.1
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 10: Update plugin with `bearer_only=true`.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
}]],
|
|
[[{
|
|
"node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 11: Access route w/o bearer token. Should return 401 (Unauthorized).
|
|
--- timeout: 10s
|
|
--- request
|
|
GET /hello
|
|
--- error_code: 401
|
|
--- response_headers_like
|
|
WWW-Authenticate: Bearer realm="apisix"
|
|
--- error_log
|
|
OIDC introspection failed: No bearer token found in request.
|
|
|
|
|
|
|
|
=== TEST 12: Access route with invalid Authorization header value. Should return 400 (Bad Request).
|
|
--- timeout: 10s
|
|
--- request
|
|
GET /hello
|
|
--- more_headers
|
|
Authorization: foo
|
|
--- error_code: 400
|
|
--- error_log
|
|
OIDC introspection failed: Invalid Authorization header format.
|
|
|
|
|
|
|
|
=== TEST 13: Update plugin with ID provider public key, so tokens can be validated locally.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{ "plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix",
|
|
"public_key": "-----BEGIN PUBLIC KEY-----\n]] ..
|
|
[[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] ..
|
|
[[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] ..
|
|
[[-----END PUBLIC KEY-----",
|
|
"token_signing_alg_values_expected": "RS256"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
}]],
|
|
[[{ "node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix",
|
|
"public_key": "-----BEGIN PUBLIC KEY-----\n]] ..
|
|
[[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] ..
|
|
[[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] ..
|
|
[[-----END PUBLIC KEY-----",
|
|
"token_signing_alg_values_expected": "RS256"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 14: Access route with valid token.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local http = require "resty.http"
|
|
local httpc = http.new()
|
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
|
|
local res, err = httpc:request_uri(uri, {
|
|
method = "GET",
|
|
headers = {
|
|
["Authorization"] = "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9" ..
|
|
".eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk" ..
|
|
"4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCB" ..
|
|
"jb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.u1ISx7JbuK_GFRIUqIMP175FqX" ..
|
|
"RyF9V7y86480Q4N3jNxs3ePbc51TFtIHDrKttstU4Tub28PYVSlr-HXfjo7w",
|
|
}
|
|
})
|
|
ngx.status = res.status
|
|
if res.status == 200 then
|
|
ngx.say(true)
|
|
end
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
true
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 15: Update route URI to '/uri' where upstream endpoint returns request headers in response body.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{ "plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix",
|
|
"public_key": "-----BEGIN PUBLIC KEY-----\n]] ..
|
|
[[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] ..
|
|
[[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] ..
|
|
[[-----END PUBLIC KEY-----",
|
|
"token_signing_alg_values_expected": "RS256"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/uri"
|
|
}]],
|
|
[[{ "node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix",
|
|
"public_key": "-----BEGIN PUBLIC KEY-----\n]] ..
|
|
[[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] ..
|
|
[[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] ..
|
|
[[-----END PUBLIC KEY-----",
|
|
"token_signing_alg_values_expected": "RS256"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/uri"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 16: Access route with valid token in `Authorization` header. Upstream should additionally get the token in the `X-Access-Token` header.
|
|
--- request
|
|
GET /uri HTTP/1.1
|
|
--- more_headers
|
|
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.u1ISx7JbuK_GFRIUqIMP175FqXRyF9V7y86480Q4N3jNxs3ePbc51TFtIHDrKttstU4Tub28PYVSlr-HXfjo7w
|
|
--- response_body
|
|
uri: /uri
|
|
authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.u1ISx7JbuK_GFRIUqIMP175FqXRyF9V7y86480Q4N3jNxs3ePbc51TFtIHDrKttstU4Tub28PYVSlr-HXfjo7w
|
|
host: localhost
|
|
x-access-token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.u1ISx7JbuK_GFRIUqIMP175FqXRyF9V7y86480Q4N3jNxs3ePbc51TFtIHDrKttstU4Tub28PYVSlr-HXfjo7w
|
|
x-real-ip: 127.0.0.1
|
|
--- no_error_log
|
|
[error]
|
|
--- error_code: 200
|
|
|
|
|
|
|
|
=== TEST 17: Update plugin to only use `Authorization` header.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{ "plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix",
|
|
"public_key": "-----BEGIN PUBLIC KEY-----\n]] ..
|
|
[[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] ..
|
|
[[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] ..
|
|
[[-----END PUBLIC KEY-----",
|
|
"token_signing_alg_values_expected": "RS256",
|
|
"set_access_token_header": true,
|
|
"access_token_in_authorization_header": true,
|
|
"set_id_token_header": false,
|
|
"set_userinfo_header": false
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/uri"
|
|
}]],
|
|
[[{ "node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix",
|
|
"public_key": "-----BEGIN PUBLIC KEY-----\n]] ..
|
|
[[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] ..
|
|
[[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] ..
|
|
[[-----END PUBLIC KEY-----",
|
|
"token_signing_alg_values_expected": "RS256",
|
|
"access_token_in_authorization_header": true,
|
|
"set_id_token_header": false,
|
|
"set_userinfo_header": false
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/uri"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 18: Access route with valid token in `Authorization` header. Upstream should not get the additional `X-Access-Token` header.
|
|
--- request
|
|
GET /uri HTTP/1.1
|
|
--- more_headers
|
|
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.u1ISx7JbuK_GFRIUqIMP175FqXRyF9V7y86480Q4N3jNxs3ePbc51TFtIHDrKttstU4Tub28PYVSlr-HXfjo7w
|
|
--- response_body
|
|
uri: /uri
|
|
authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCBjb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.u1ISx7JbuK_GFRIUqIMP175FqXRyF9V7y86480Q4N3jNxs3ePbc51TFtIHDrKttstU4Tub28PYVSlr-HXfjo7w
|
|
host: localhost
|
|
x-real-ip: 127.0.0.1
|
|
--- no_error_log
|
|
[error]
|
|
--- error_code: 200
|
|
|
|
|
|
|
|
=== TEST 19: Switch route URI back to `/hello`.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{ "plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix",
|
|
"public_key": "-----BEGIN PUBLIC KEY-----\n]] ..
|
|
[[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] ..
|
|
[[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] ..
|
|
[[-----END PUBLIC KEY-----",
|
|
"token_signing_alg_values_expected": "RS256"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
}]],
|
|
[[{ "node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
"client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
"discovery": "https://samples.auth0.com/.well-known/openid-configuration",
|
|
"redirect_uri": "https://iresty.com",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"scope": "apisix",
|
|
"public_key": "-----BEGIN PUBLIC KEY-----\n]] ..
|
|
[[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] ..
|
|
[[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] ..
|
|
[[-----END PUBLIC KEY-----",
|
|
"token_signing_alg_values_expected": "RS256"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 20: Access route with invalid token. Should return 401.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local http = require "resty.http"
|
|
local httpc = http.new()
|
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
|
|
local res, err = httpc:request_uri(uri, {
|
|
method = "GET",
|
|
headers = {
|
|
["Authorization"] = "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9" ..
|
|
".eyJkYXRhMSI6IkRhdGEgMSIsImlhdCI6MTU4NTEyMjUwMiwiZXhwIjoxOTAwNjk" ..
|
|
"4NTAyLCJhdWQiOiJodHRwOi8vbXlzb2Z0Y29ycC5pbiIsImlzcyI6Ik15c29mdCB" ..
|
|
"jb3JwIiwic3ViIjoic29tZUB1c2VyLmNvbSJ9.u1ISx7JbuK_GFRIUqIMP175FqX" ..
|
|
"RyF9V7y86480Q4N3jNxs3ePbc51TFtIHDrKttstU4Tub28PYVSlr-HXfjo7",
|
|
}
|
|
})
|
|
ngx.status = res.status
|
|
if res.status == 200 then
|
|
ngx.say(true)
|
|
end
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- error_code: 401
|
|
--- error_log
|
|
jwt signature verification failed
|
|
|
|
|
|
|
|
=== TEST 21: Update route with Keycloak introspection endpoint and public key removed. Should now invoke introspection endpoint to validate tokens.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local t = require("lib.test_admin").test
|
|
local code, body = t('/apisix/admin/routes/1',
|
|
ngx.HTTP_PUT,
|
|
[[{
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "course_management",
|
|
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
|
|
"discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
|
|
"redirect_uri": "http://localhost:3000",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"realm": "University",
|
|
"introspection_endpoint_auth_method": "client_secret_post",
|
|
"introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
}]],
|
|
[[{
|
|
"node": {
|
|
"value": {
|
|
"plugins": {
|
|
"openid-connect": {
|
|
"client_id": "course_management",
|
|
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
|
|
"discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
|
|
"redirect_uri": "http://localhost:3000",
|
|
"ssl_verify": false,
|
|
"timeout": 10,
|
|
"bearer_only": true,
|
|
"realm": "University",
|
|
"introspection_endpoint_auth_method": "client_secret_post",
|
|
"introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect"
|
|
}
|
|
},
|
|
"upstream": {
|
|
"nodes": {
|
|
"127.0.0.1:1980": 1
|
|
},
|
|
"type": "roundrobin"
|
|
},
|
|
"uri": "/hello"
|
|
},
|
|
"key": "/apisix/routes/1"
|
|
},
|
|
"action": "set"
|
|
}]]
|
|
)
|
|
|
|
if code >= 300 then
|
|
ngx.status = code
|
|
end
|
|
ngx.say(body)
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
passed
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 22: Obtain valid token and access route with it.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
-- Obtain valid access token from Keycloak using known username and password.
|
|
local json_decode = require("toolkit.json").decode
|
|
local http = require "resty.http"
|
|
local httpc = http.new()
|
|
local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
|
|
local res, err = httpc:request_uri(uri, {
|
|
method = "POST",
|
|
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
|
|
headers = {
|
|
["Content-Type"] = "application/x-www-form-urlencoded"
|
|
}
|
|
})
|
|
|
|
-- Check response from keycloak and fail quickly if there's no response.
|
|
if not res then
|
|
ngx.say(err)
|
|
return
|
|
end
|
|
|
|
-- Check if response code was ok.
|
|
if res.status == 200 then
|
|
-- Get access token from JSON response body.
|
|
local body = json_decode(res.body)
|
|
local accessToken = body["access_token"]
|
|
|
|
-- Access route using access token. Should work.
|
|
uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
|
|
local res, err = httpc:request_uri(uri, {
|
|
method = "GET",
|
|
headers = {
|
|
["Authorization"] = "Bearer " .. body["access_token"]
|
|
}
|
|
})
|
|
|
|
if res.status == 200 then
|
|
-- Route accessed successfully.
|
|
ngx.say(true)
|
|
else
|
|
-- Couldn't access route.
|
|
ngx.say(false)
|
|
end
|
|
else
|
|
-- Response from Keycloak not ok.
|
|
ngx.say(false)
|
|
end
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
true
|
|
--- no_error_log
|
|
[error]
|
|
|
|
|
|
|
|
=== TEST 23: Access route with an invalid token.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
-- Access route using a fake access token.
|
|
local http = require "resty.http"
|
|
local httpc = http.new()
|
|
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
|
|
local res, err = httpc:request_uri(uri, {
|
|
method = "GET",
|
|
headers = {
|
|
["Authorization"] = "Bearer " .. "fake access token",
|
|
}
|
|
})
|
|
|
|
if res.status == 200 then
|
|
ngx.say(true)
|
|
else
|
|
ngx.say(false)
|
|
end
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
false
|
|
--- error_log
|
|
OIDC introspection failed: invalid token
|
|
|
|
|
|
|
|
=== TEST 24: Check defaults.
|
|
--- config
|
|
location /t {
|
|
content_by_lua_block {
|
|
local json = require("t.toolkit.json")
|
|
local plugin = require("apisix.plugins.openid-connect")
|
|
local s = {
|
|
client_id = "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
|
|
client_secret = "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
|
|
discovery = "http://127.0.0.1:1980/.well-known/openid-configuration",
|
|
}
|
|
local ok, err = plugin.check_schema(s)
|
|
if not ok then
|
|
ngx.say(err)
|
|
end
|
|
|
|
ngx.say(json.encode(s))
|
|
}
|
|
}
|
|
--- request
|
|
GET /t
|
|
--- response_body
|
|
{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_userinfo_header":true,"ssl_verify":false,"timeout":3}
|
|
--- no_error_log
|
|
[error]
|