From 2af32a1e9bdfffea08166ad43c4fc1f2b379577b Mon Sep 17 00:00:00 2001 From: darksheep404 Date: Wed, 2 Aug 2023 17:18:32 +0800 Subject: [PATCH 01/11] docs: add proxy_opts attribute for openid-connect.md (#9922) --- docs/en/latest/plugins/openid-connect.md | 1 + docs/zh/latest/plugins/openid-connect.md | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md index a5e015089d40..ea19a3127469 100644 --- a/docs/en/latest/plugins/openid-connect.md +++ b/docs/en/latest/plugins/openid-connect.md @@ -61,6 +61,7 @@ description: OpenID Connect allows the client to obtain user information from th | session | object | False | | | When bearer_only is set to false, openid-connect will use Authorization Code flow to authenticate on the IDP, so you need to set the session-related configuration. | | session.secret | string | True | Automatic generation | 16 or more characters | The key used for session encrypt and HMAC operation. | | unauth_action | string | False | "auth" | | Specify the response type on unauthenticated requests. "auth" redirects to identity provider, "deny" results in a 401 response, "pass" will allow the request without authentication. | +| proxy_opts | object | False | | {
http_proxy: http://your-proxy.com:your-proxy-port,
https_proxy: http://your-proxy.com:your-proxy-port
} | domain and port of the proxy server | NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md index c914f5241511..40fa9ac6274f 100644 --- a/docs/zh/latest/plugins/openid-connect.md +++ b/docs/zh/latest/plugins/openid-connect.md @@ -60,6 +60,7 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议 | set_refresh_token_header | boolean | 否 | false | | 当设置为 `true` 并且刷新令牌可用时,则会将该属性设置在`X-Refresh-Token`请求头中。 | | session | object | 否 | | | 当设置 bearer_only 为 false 时,openid-connect 插件将使用 Authorization Code 在 IDP 上进行认证,因此你必须设置 session 相关设置。 | | session.secret | string | 是 | 自动生成 | 16 个以上字符 | 用于 session 加密和 HMAC 计算的密钥。 | +| proxy_opts | object | 否 | | {
http_proxy: http://your-proxy.com:your-proxy-port,
https_proxy: http://your-proxy.com:your-proxy-port
} | 用于设置代理服务器域名与端口 | 注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 From 682e6383cecdef2e0a2e27abd5cc4efa52e726b7 Mon Sep 17 00:00:00 2001 From: darksheep404 Date: Wed, 2 Aug 2023 17:18:48 +0800 Subject: [PATCH 02/11] test: add proxy_opts attribute for openid-connect.md (#9922) --- t/plugin/openid-connect.t | 41 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t index 515319248c9b..da9b0a400ca7 100644 --- a/t/plugin/openid-connect.t +++ b/t/plugin/openid-connect.t @@ -1303,3 +1303,44 @@ passed } --- response_body_like x-userinfo: ey.* + +=== TEST 34: Set up new route access the auth server via http proxy +--- ONLY +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "openid-connect": { + "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH", + "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa", + "discovery": "http://127.0.0.1:1980/.well-known/openid-configuration", + "redirect_uri": "https://iresty.com", + "ssl_verify": false, + "timeout": 10, + "scope": "apisix", + "proxy_opts": "http://username:password@127.0.0.1:8080", + "use_pkce": false + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed From d2cf65300867554013e98e049d4372cc82f88ebf Mon Sep 17 00:00:00 2001 From: darksheep404 Date: Wed, 2 Aug 2023 17:55:08 +0800 Subject: [PATCH 03/11] feat: add proxy_opts attribute for openid-connect (#9922) --- apisix/plugins/openid-connect.lua | 9 +++++++++ 1 file changed, 9 insertions(+) 
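Review bot: TEST 34 in PATCH 02/11 keeps the `--- ONLY` directive, which makes the runner execute just this block and skip the rest of openid-connect.t, so it must not be committed. The route body also passes `"proxy_opts": "http://username:password@127.0.0.1:8080"` as a string, while the schema added in PATCH 03/11 declares `proxy_opts` as `type = "object"`, so the two commits disagree about the shape (the block is deleted again in PATCH 04/11). Embedding the credential in the proxy URL also puts it into the route's etcd record and Admin API output in plaintext; a dedicated authorization field that can be listed in `encrypt_fields` is the safer shape.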
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index 5058eba47d28..dca52908d4e1 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -130,6 +130,15 @@ local schema = {
"header to the request for downstream.",
type = "boolean",
default = false
+ },
+ proxy_opts = {
+ description = "Domain and port of the proxy server,like" ..
+ "{" ..
+ "http_proxy: http://your-proxy.com:your-proxy-port," ..
+ "https_proxy: http://your-proxy.com:your-proxy-port" ..
+ "}",
+ type = "object",
+ default = {}
}
},
encrypt_fields = {"client_secret"},
From 7ff7c670910130faaa9c26700d283460b4bfec91 Mon Sep 17 00:00:00 2001
From: Sn0rt
Date: Thu, 3 Aug 2023 11:15:22 +0800
Subject: [PATCH 04/11] fix: openid-connect support http(s) proxy
Signed-off-by: Sn0rt
---
apisix/plugins/openid-connect.lua | 24 +++++--
t/plugin/openid-connect.t | 41 -----------
t/plugin/openid-connect3.t | 111 ++++++++++++++++++++++++++++++
3 files changed, 130 insertions(+), 46 deletions(-)
create mode 100644 t/plugin/openid-connect3.t
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index dca52908d4e1..667003af7394 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
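Review bot: In the `proxy_opts` entry added by PATCH 03/11, the `description` is built with `..` but none of the pieces carries a separator, so the rendered text reads `...proxy server,like{http_proxy: http://your-proxy.com:your-proxy-port,https_proxy: ...}`; either put the spaces inside the literals or write it as one string. `type = "object"` without `properties` means any table passes validation, and `default = {}` makes every route carry an empty table that the Admin API serializes as an array (`"proxy_opts":[]`, as the expectation updated in PATCH 06/11 on this page shows), so a consumer reading the config back gets a JSON array for a field declared as an object. Dropping the default (an absent `proxy_opts` is already `nil`) avoids that. The `schema` table this hunk modifies starts outside the hunk.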
@@ -132,12 +132,26 @@ local schema = {
default = false
},
proxy_opts = {
- description = "Domain and port of the proxy server,like" ..
- "{" ..
- "http_proxy: http://your-proxy.com:your-proxy-port," ..
- "https_proxy: http://your-proxy.com:your-proxy-port" ..
- "}",
+ description = "access via openid server via a proxy server ",
type = "object",
+ properties = {
+ http_proxy = {
+ type = "string",
+ description = "http proxy: http://proxy-server:80",
+ },
+ https_proxy = {
+ type = "string",
+ description = "https proxy: https://proxy-server:80",
+ },
+ http_proxy_authorization = {
+ type = "string",
+ description = "Basic [base64 username:password]",
+ },
+ https_proxy_authorization = {
+ type = "string",
+ description = "Basic [base64 username:password]",
+ },
+ },
default = {}
}
},
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index da9b0a400ca7..515319248c9b 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -1303,44 +1303,3 @@ passed
}
--- response_body_like
x-userinfo: ey.*
-
-=== TEST 34: Set up new route access the auth server via http proxy
---- ONLY
---- config
- location /t {
- content_by_lua_block {
- local t = require("lib.test_admin").test
- local code, body = t('/apisix/admin/routes/1',
- ngx.HTTP_PUT,
- [[{
- "plugins": {
- "openid-connect": {
- "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
- "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
- "discovery": "http://127.0.0.1:1980/.well-known/openid-configuration",
- "redirect_uri": "https://iresty.com",
- "ssl_verify": false,
- "timeout": 10,
- "scope": "apisix",
- "proxy_opts": "http://username:password@127.0.0.1:8080",
- "use_pkce": false
- }
- },
- "upstream": {
- "nodes": {
- "127.0.0.1:1980": 1
- },
- "type": "roundrobin"
- },
- "uri": "/hello"
- }]]
- )
-
- if code >= 300 then
- ngx.status = code
- end
- ngx.say(body)
- }
- }
---- response_body
-passed
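Review bot: `http_proxy_authorization` and `https_proxy_authorization` in the PATCH 04/11 schema hunk hold a `Basic` credential (base64 of `username:password`), yet `encrypt_fields` just below the hunk still lists only `client_secret`, so the proxy credential is stored in etcd and echoed by the Admin API in plaintext while the client secret is encrypted. If `encrypt_fields` accepts dotted paths (to be confirmed in plugin-develop.md, which the doc's NOTE links), `encrypt_fields = {"client_secret", "proxy_opts.http_proxy_authorization", "proxy_opts.https_proxy_authorization"}` closes that gap. The `https_proxy` description gives `https://proxy-server:80` as the example although `https_proxy` presumably names the proxy used for HTTPS destinations rather than a TLS endpoint on the proxy itself; PATCH 10/11 later changes the example to `http://`, the form the docs table also uses. `default = {}` is still present here and is only removed in PATCH 07/11. The enclosing `schema` table starts and ends outside the hunk.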
diff --git a/t/plugin/openid-connect3.t b/t/plugin/openid-connect3.t
new file mode 100644
index 000000000000..84eb7c26de2b
--- /dev/null
+++ b/t/plugin/openid-connect3.t
@@ -0,0 +1,111 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+log_level('debug');
+repeat_each(1);
+no_long_string();
+no_root_location();
+no_shuffle();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+ $block->set_value("no_error_log", "[error]");
+ }
+
+ if (!defined $block->request) {
+ $block->set_value("request", "GET /t");
+ }
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: Set up new route access the auth server via http proxy
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "openid-connect": {
+ "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
+ "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa",
+ "discovery": "https://samples.auth0.com/.well-known/openid-configuration",
+ "redirect_uri": "https://iresty.com",
+ "ssl_verify": false,
+ "timeout": 10,
+ "scope": "apisix",
+ "proxy_opts": {
+ "http_proxy": "http://127.0.0.1:8080",
+ "http_proxy_authorization": "Basic dXNlcm5hbWU6cGFzc3dvcmQK"
+ },
+ "use_pkce": false
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 2: Access route w/o bearer token. Should redirect to authentication endpoint of ID provider.
+--- config
+ location /t {
+ content_by_lua_block {
+ local http = require "resty.http"
+ local httpc = http.new()
+ local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
+ local res, err = httpc:request_uri(uri, {method = "GET"})
+ ngx.status = res.status
+ local location = res.headers['Location']
+ if location and string.find(location, 'https://samples.auth0.com/authorize') ~= -1 and
+ string.find(location, 'scope=apisix') ~= -1 and
+ string.find(location, 'client_id=kbyuFDidLLm280LIwVFiazOqjO3ty8KH') ~= -1 and
+ string.find(location, 'response_type=code') ~= -1 and
+ string.find(location, 'redirect_uri=https://iresty.com') ~= -1 then
+ ngx.say(true)
+ end
+ }
+ }
+--- timeout: 10s
+--- response_body
+true
+--- error_code: 302
+--- error_log
+use http proxy
From a3a9456bf09dd776f84cef1683b198541fd86a91 Mon Sep 17 00:00:00 2001
From: Sn0rt
Date: Thu, 3 Aug 2023 11:28:03 +0800
Subject: [PATCH 05/11] fix: update openid-connect doc by autocorrect
Signed-off-by: Sn0rt
---
docs/en/latest/plugins/openid-connect.md | 2 +-
docs/zh/latest/plugins/openid-connect.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
index ea19a3127469..9a46499db931 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
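Review bot: The checks in TEST 2 of the new openid-connect3.t are vacuous: `string.find` returns `nil` when there is no match, never `-1`, so every `string.find(location, ...) ~= -1` comparison is true and `ngx.say(true)` fires for any `Location` header; compare against `nil` instead and pass the plain flag, e.g. `string.find(location, 'scope=apisix', 1, true) and`, so that `.` and `-` in the literals are not treated as pattern characters. TEST 1 points `discovery` at `https://samples.auth0.com`, so the block depends on outbound network access to a third-party IdP, and if nothing is listening on `127.0.0.1:8080` in the harness the discovery fetch fails for that reason rather than exercising the proxy path; the `--- error_log use http proxy` expectation presumably comes from the underlying HTTP library's debug output rather than from this plugin, which is worth stating in the block. The fixture `Basic dXNlcm5hbWU6cGFzc3dvcmQK` decodes to `username:password` followed by a newline, which a real proxy would reject; `Basic dXNlcm5hbWU6cGFzc3dvcmQ=` is the value the comment-style description in the schema implies.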
@@ -61,7 +61,7 @@ description: OpenID Connect allows the client to obtain user information from th | session | object | False | | | When bearer_only is set to false, openid-connect will use Authorization Code flow to authenticate on the IDP, so you need to set the session-related configuration. | | session.secret | string | True | Automatic generation | 16 or more characters | The key used for session encrypt and HMAC operation. | | unauth_action | string | False | "auth" | | Specify the response type on unauthenticated requests. "auth" redirects to identity provider, "deny" results in a 401 response, "pass" will allow the request without authentication. | -| proxy_opts | object | False | | {
http_proxy: http://your-proxy.com:your-proxy-port,
https_proxy: http://your-proxy.com:your-proxy-port
} | domain and port of the proxy server | +| proxy_opts | object | False | | | Configure an HTTP proxy to be used with the openid-connect plugin. | NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md index 40fa9ac6274f..8053b25c7eda 100644 --- a/docs/zh/latest/plugins/openid-connect.md +++ b/docs/zh/latest/plugins/openid-connect.md @@ -60,7 +60,7 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议 | set_refresh_token_header | boolean | 否 | false | | 当设置为 `true` 并且刷新令牌可用时,则会将该属性设置在`X-Refresh-Token`请求头中。 | | session | object | 否 | | | 当设置 bearer_only 为 false 时,openid-connect 插件将使用 Authorization Code 在 IDP 上进行认证,因此你必须设置 session 相关设置。 | | session.secret | string | 是 | 自动生成 | 16 个以上字符 | 用于 session 加密和 HMAC 计算的密钥。 | -| proxy_opts | object | 否 | | {
http_proxy: http://your-proxy.com:your-proxy-port,
https_proxy: http://your-proxy.com:your-proxy-port
} | 用于设置代理服务器域名与端口 | +| proxy_opts | object | 否 | | | 给 openid-connect 插件配置一个 proxy。 | 注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 From f21c702456e349f7b61a7971e1c98b1348a8ca1f Mon Sep 17 00:00:00 2001 From: Sn0rt Date: Fri, 4 Aug 2023 14:17:14 +0800 Subject: [PATCH 06/11] fix: new response of the 24th test case of openid-connect.t Signed-off-by: Sn0rt --- t/plugin/openid-connect.t | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t index 515319248c9b..1e46f82f05f8 100644 --- a/t/plugin/openid-connect.t +++ b/t/plugin/openid-connect.t 
@@ -876,9 +876,7 @@ OIDC introspection failed: invalid token } } --- response_body -{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"unauth_action":"auth","use_pkce":false} - - +{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","proxy_opts":[],"realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"unauth_action":"auth","use_pkce":false} === TEST 25: Update plugin with ID provider jwks endpoint for token verification. --- config From 4f96e3e86a246ec8840e00c558dc5119ad31201f Mon Sep 17 00:00:00 2001 From: Sn0rt Date: Fri, 4 Aug 2023 14:32:53 +0800 Subject: [PATCH 07/11] fix: reindex: t/plugin/openid-connect.t Signed-off-by: Sn0rt --- apisix/plugins/openid-connect.lua | 1 - t/plugin/openid-connect.t | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index 667003af7394..6dca8c103d5a 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua 
@@ -152,7 +152,6 @@ local schema = { description = "Basic [base64 username:password]", }, }, - default = {} } }, encrypt_fields = {"client_secret"}, diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t index 1e46f82f05f8..515319248c9b 100644 --- a/t/plugin/openid-connect.t +++ b/t/plugin/openid-connect.t @@ -876,7 +876,9 @@ OIDC introspection failed: invalid token } } --- response_body -{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","proxy_opts":[],"realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"unauth_action":"auth","use_pkce":false} +{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_header":true,"ssl_verify":false,"timeout":3,"unauth_action":"auth","use_pkce":false} + + === TEST 25: Update plugin with ID provider jwks endpoint for token verification. --- config From 41a4c86dac6ee3041207529709a1379d86af5646 Mon Sep 17 00:00:00 2001 From: darkSheep <49020899+darkSheep404@users.noreply.github.com> Date: Mon, 7 Aug 2023 13:45:46 +0800 Subject: [PATCH 08/11] feat(openid-connect): add proxy_opts attribute --- apisix/plugins/openid-connect.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index 6dca8c103d5a..8d454cc0269b 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -132,7 +132,7 @@ local schema = {
default = false
},
proxy_opts = {
- description = "access via openid server via a proxy server ",
+ description = "access openid server via a proxy server ",
type = "object",
properties = {
http_proxy = {
From 2bdeb21409caf544eab5f29f0cec29d003ebec6c Mon Sep 17 00:00:00 2001
From: darkSheep <49020899+darkSheep404@users.noreply.github.com>
Date: Mon, 7 Aug 2023 15:28:52 +0800
Subject: [PATCH 09/11] feat: add proxy_opts attribute for openid-connect
---
apisix/plugins/openid-connect.lua | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index 8d454cc0269b..fcd5c163a674 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -137,20 +137,24 @@ local schema = {
properties = {
http_proxy = {
type = "string",
- description = "http proxy: http://proxy-server:80",
+ description = "Http proxy: http://proxy-server:80",
},
https_proxy = {
type = "string",
- description = "https proxy: https://proxy-server:80",
+ description = "Https proxy: https://proxy-server:80",
},
http_proxy_authorization = {
type = "string",
- description = "Basic [base64 username:password]",
+ description = "Basic [base64 username:password].",
},
https_proxy_authorization = {
type = "string",
- description = "Basic [base64 username:password]",
+ description = "Basic [base64 username:password].",
},
+ no_proxy = {
+ type = "string",
+ description = "A comma separated list of hosts that should not be proxied.",
+ }
},
}
},
From b43a0c9c1a109d48e2ac3f792f0e626aec86c7ed Mon Sep 17 00:00:00 2001
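Review bot: `no_proxy` joins the schema in the PATCH 09/11 hunk but neither docs table is updated in the same commit, so the rendered attribute list stays out of step until PATCH 10/11 adds the rows; a schema property and its doc row should land together. The `proxy_opts` object also accepts unknown keys, since `properties` is given without `additionalProperties = false` and JSON Schema allows extra keys by default, so a misspelled `https_proxy_authorisation` or `noproxy` passes validation and is silently ignored — a typo then sends the request without the intended proxy credential, or through a proxy the operator meant to bypass. Adding `additionalProperties = false,` after the `properties` block turns such mistakes into a 400 at route creation. The enclosing `schema` table starts and ends outside the hunk.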
From: darksheep404
Date: Wed, 9 Aug 2023 18:09:56 +0800
Subject: [PATCH 10/11] feat: add proxy_opts attribute for openid-connect
---
apisix/plugins/openid-connect.lua | 8 ++++----
docs/en/latest/plugins/openid-connect.md | 7 ++++++-
docs/zh/latest/plugins/openid-connect.md | 6 ++++++
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index fcd5c163a674..927e4ddbd8aa 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -132,16 +132,16 @@ local schema = {
default = false
},
proxy_opts = {
- description = "access openid server via a proxy server ",
+ description = "HTTP proxy server be used to access identity server.",
type = "object",
properties = {
http_proxy = {
type = "string",
- description = "Http proxy: http://proxy-server:80",
+ description = "HTTP proxy like: http://proxy-server:80.",
},
https_proxy = {
type = "string",
- description = "Https proxy: https://proxy-server:80",
+ description = "HTTPS proxy like: http://proxy-server:80.",
},
http_proxy_authorization = {
type = "string",
@@ -153,7 +153,7 @@ local schema = {
},
no_proxy = {
type = "string",
- description = "A comma separated list of hosts that should not be proxied.",
+ description = "Comma separated list of hosts that should not be proxied.",
}
},
}
diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
index 9a46499db931..493370240362 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
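Review bot: The property names in the PATCH 10/11 schema hunk (`http_proxy`, `https_proxy`) are documented in the same commit under the key paths `proxy_opts.proxy_opts.http_proxy` and `proxy_opts.proxy_opts.https_proxy`, a doubled prefix that exists nowhere in the schema, and the zh table keeps the older `proxy_opts` row next to the new one, so the docs and the schema disagree about the attribute names; the rows should read `proxy_opts.http_proxy` and `proxy_opts.https_proxy`, as the authorization rows already do. The new top-level description also reads awkwardly and would be clearer as `description = "HTTP proxy server to be used to access the identity server.",`. The enclosing `schema` table starts and ends outside both hunks.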
@@ -61,7 +61,12 @@ description: OpenID Connect allows the client to obtain user information from th | session | object | False | | | When bearer_only is set to false, openid-connect will use Authorization Code flow to authenticate on the IDP, so you need to set the session-related configuration. | | session.secret | string | True | Automatic generation | 16 or more characters | The key used for session encrypt and HMAC operation. | | unauth_action | string | False | "auth" | | Specify the response type on unauthenticated requests. "auth" redirects to identity provider, "deny" results in a 401 response, "pass" will allow the request without authentication. | -| proxy_opts | object | False | | | Configure an HTTP proxy to be used with the openid-connect plugin. | +| proxy_opts | object | False | | | HTTP proxy server be used to access identity server. | +| proxy_opts.proxy_opts.http_proxy | string | False | | http://proxy-server:port | HTTP proxy server address. | +| proxy_opts.proxy_opts.https_proxy | string | False | | http://proxy-server:port | HTTPS proxy server address. | +| proxy_opts.http_proxy_authorization | string | False | | Basic [base64 username:password] | Default `Proxy-Authorization` header value to be used with `http_proxy`. | +| proxy_opts.https_proxy_authorization | string | False | | Basic [base64 username:password] | As `http_proxy_authorization` but for use with `https_proxy` (since with HTTPS the authorisation is done when connecting, this one cannot be overridden by passing the `Proxy-Authorization` request header). | +| proxy_opts.no_proxy | string | False | | | Comma separated list of hosts that should not be proxied. | NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). 
diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md index 8053b25c7eda..36edcc1d18a0 100644 --- a/docs/zh/latest/plugins/openid-connect.md +++ b/docs/zh/latest/plugins/openid-connect.md @@ -61,6 +61,12 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议 | session | object | 否 | | | 当设置 bearer_only 为 false 时,openid-connect 插件将使用 Authorization Code 在 IDP 上进行认证,因此你必须设置 session 相关设置。 | | session.secret | string | 是 | 自动生成 | 16 个以上字符 | 用于 session 加密和 HMAC 计算的密钥。 | | proxy_opts | object | 否 | | | 给 openid-connect 插件配置一个 proxy。 | +| proxy_opts | object | 否 | | | 用来访问身份认证服务器的代理服务器。 | +| proxy_opts.proxy_opts.http_proxy | string | 否 | | http://proxy-server:port | HTTP代理服务器地址。 | +| proxy_opts.proxy_opts.https_proxy | string | 否 | | http://proxy-server:port | HTTPS代理服务器地址。 | +| proxy_opts.http_proxy_authorization | string | 否 | | Basic [base64 username:password] | `http_proxy` 默认的 `Proxy-Authorization` 请求头参数值。 | +| proxy_opts.https_proxy_authorization | string | 否 | | Basic [base64 username:password] | 与`http_proxy_authorization`相同,但与`https_proxy`一起使用(因为使用HTTPS时,授权是在连接时完成的,因此不能通过传递Proxy-Authorization请求头来覆盖此授权)。 | +| proxy_opts.no_proxy | string | 否 | | | 不应被代理的主机的逗号分隔列表。 | 注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 From af65432dd19cbbd87184e5b2bfb1baeee1170852 Mon Sep 17 00:00:00 2001 From: monkeyDluffy6017 Date: Mon, 14 Aug 2023 11:25:06 +0800 Subject: [PATCH 11/11] fix: resolve doc lint --- docs/zh/latest/plugins/openid-connect.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md index 36edcc1d18a0..aececc4986e0 100644 --- a/docs/zh/latest/plugins/openid-connect.md +++ b/docs/zh/latest/plugins/openid-connect.md 
@@ -62,10 +62,10 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议 | session.secret | string | 是 | 自动生成 | 16 个以上字符 | 用于 session 加密和 HMAC 计算的密钥。 | | proxy_opts | object | 否 | | | 给 openid-connect 插件配置一个 proxy。 | | proxy_opts | object | 否 | | | 用来访问身份认证服务器的代理服务器。 | -| proxy_opts.proxy_opts.http_proxy | string | 否 | | http://proxy-server:port | HTTP代理服务器地址。 | -| proxy_opts.proxy_opts.https_proxy | string | 否 | | http://proxy-server:port | HTTPS代理服务器地址。 | +| proxy_opts.proxy_opts.http_proxy | string | 否 | | http://proxy-server:port | HTTP 代理服务器地址。 | +| proxy_opts.proxy_opts.https_proxy | string | 否 | | http://proxy-server:port | HTTPS 代理服务器地址。 | | proxy_opts.http_proxy_authorization | string | 否 | | Basic [base64 username:password] | `http_proxy` 默认的 `Proxy-Authorization` 请求头参数值。 | -| proxy_opts.https_proxy_authorization | string | 否 | | Basic [base64 username:password] | 与`http_proxy_authorization`相同,但与`https_proxy`一起使用(因为使用HTTPS时,授权是在连接时完成的,因此不能通过传递Proxy-Authorization请求头来覆盖此授权)。 | +| proxy_opts.https_proxy_authorization | string | 否 | | Basic [base64 username:password] | 与`http_proxy_authorization`相同,但与`https_proxy`一起使用(因为使用 HTTPS 时,授权是在连接时完成的,因此不能通过传递 Proxy-Authorization 请求头来覆盖此授权)。 | | proxy_opts.no_proxy | string | 否 | | | 不应被代理的主机的逗号分隔列表。 | 注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。