Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add required scopes configuration property to openid-connect plugin #10493

Merged
merged 9 commits into from
Nov 21, 2023
Merged

feat: add required scopes configuration property to openid-connect plugin #10493

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
84e6601
adding required_scopes check. #10352
csotiriou Nov 15, 2023
c61259b
updated documentation
csotiriou Nov 15, 2023
300fe93
add test case
Revolyssup Nov 16, 2023
b0861e3
solve merge conflict
Revolyssup Nov 16, 2023
5962fd6
fix lint test
Revolyssup Nov 16, 2023
e957eb6
fix lint test
Revolyssup Nov 16, 2023
3dc8fcb
fix merge conflict
Revolyssup Nov 20, 2023
a29d1a5
add extra test case for success
Revolyssup Nov 20, 2023
15f379a
Merge branch 'feature/oidc-required-scopes' of https://github.com/cso…
Revolyssup Nov 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions apisix/plugins/openid-connect.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ local openidc = require("resty.openidc")
local random = require("resty.random")
local string = string
local ngx = ngx
local ipairs = ipairs
local concat = table.concat

local ngx_encode_base64 = ngx.encode_base64

Expand Down Expand Up @@ -160,6 +162,13 @@ local schema = {
authorization_params = {
description = "Extra authorization params to the authorize endpoint",
type = "object"
},
required_scopes = {
description = "List of scopes that are required to be granted to the access token",
type = "array",
items = {
type = "string"
}
}
},
encrypt_fields = {"client_secret"},
Expand Down Expand Up @@ -315,6 +324,24 @@ local function add_access_token_header(ctx, conf, token)
end
end

-- Function to split the scope string into a table
local function split_scopes_by_space(scope_string)
local scopes = {}
for scope in string.gmatch(scope_string, "%S+") do
scopes[scope] = true
end
return scopes
end

-- Function to check if all required scopes are present
local function required_scopes_present(required_scopes, http_scopes)
soulbird marked this conversation as resolved.
Show resolved Hide resolved
for _, scope in ipairs(required_scopes) do
if not http_scopes[scope] then
return false
end
end
return true
end

function _M.rewrite(plugin_conf, ctx)
local conf = core.table.clone(plugin_conf)
Expand Down Expand Up @@ -351,6 +378,18 @@ function _M.rewrite(plugin_conf, ctx)
end

if response then
if conf.required_scopes then
local http_scopes = response.scope and split_scopes_by_space(response.scope) or {}
local is_authorized = required_scopes_present(conf.required_scopes, http_scopes)
if not is_authorized then
core.log.error("OIDC introspection failed: ", "required scopes not present")
local error_response = {
error = "required scopes " .. concat(conf.required_scopes, ", ") ..
" not present"
}
return 403, core.json.encode(error_response)
end
end
-- Add configured access token header, maybe.
add_access_token_header(ctx, conf, access_token)

Expand Down
Loading
Loading