Expose OIDC as standalone policy #904
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
return require('oidc_authentication') |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
-- OpenID Connect Authentication policy | ||
-- It will verify JWT signature against a list of public keys | ||
-- discovered through OIDC Discovery from the IDP. | ||
|
||
local lrucache = require('resty.lrucache') | ||
local OIDC = require('apicast.oauth.oidc') | ||
local oidc_discovery = require('resty.oidc.discovery') | ||
local http_authorization = require('resty.http_authorization') | ||
local resty_url = require('resty.url') | ||
local policy = require('apicast.policy') | ||
local _M = policy.new('oidc_authentication') | ||
|
||
local tostring = tostring | ||
|
||
_M.cache_size = 100 | ||
|
||
function _M.init() | ||
_M.cache = lrucache.new(_M.cache_size) | ||
end | ||
|
||
local function valid_issuer_endpoint(endpoint) | ||
return resty_url.parse(endpoint) and endpoint | ||
end | ||
|
||
local new = _M.new | ||
--- Initialize a oidc_authentication | ||
-- @tparam[opt] table config Policy configuration. | ||
function _M.new(config) | ||
local self = new(config) | ||
|
||
self.issuer_endpoint = valid_issuer_endpoint(config and config.issuer_endpoint) | ||
self.discovery = oidc_discovery.new(self.http_backend) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Isn't There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, unless you set it on the module level. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 👍 |
||
|
||
self.oidc = (config and config.oidc) or OIDC.new(self.discovery:call(self.issuer_endpoint)) | ||
|
||
self.required = config and config.required | ||
|
||
return self | ||
end | ||
|
||
local function bearer_token() | ||
return http_authorization.new(ngx.var.http_authorization).token | ||
end | ||
|
||
function _M:rewrite(context) | ||
local access_token = bearer_token() | ||
|
||
if access_token or self.required then | ||
local jwt, err = self.oidc:parse(access_token) | ||
|
||
|
||
if jwt then | ||
context[self] = jwt | ||
context.jwt = jwt | ||
else | ||
ngx.log(ngx.WARN, 'failed to parse access token ', access_token, ' err: ', err) | ||
end | ||
end | ||
end | ||
|
||
local function exit_status(status) | ||
ngx.status = status | ||
-- TODO: implement content negotiation to generate proper content with an error | ||
return ngx.exit(status) | ||
end | ||
|
||
local function challenge_response() | ||
ngx.header.www_authenticate = 'Bearer' | ||
|
||
return exit_status(ngx.HTTP_UNAUTHORIZED) | ||
end | ||
|
||
function _M:access(context) | ||
local jwt = context[self] | ||
|
||
if not jwt or not jwt.token then | ||
if self.required then | ||
return challenge_response() | ||
else | ||
return | ||
end | ||
end | ||
|
||
local ok, err = self.oidc:verify(jwt) | ||
|
||
if not ok then | ||
ngx.log(ngx.INFO, 'JWT verification error: ', err, ' token: ', tostring(jwt)) | ||
|
||
return exit_status(ngx.HTTP_FORBIDDEN) | ||
end | ||
|
||
return ok | ||
end | ||
|
||
return _M |
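Review bot: The WARN log in `rewrite` writes the raw bearer credential to the error log (`ngx.log(ngx.WARN, 'failed to parse access token ', access_token, ' err: ', err)`); a token that fails to parse here may still be a live credential for another audience or a mistyped one, and log storage is usually far less protected than the request path. Drop the token from the message, e.g. `ngx.log(ngx.WARN, 'failed to parse access token, err: ', err)`, or log at most a fixed-length prefix. The INFO log in `access` appends `tostring(jwt)`; whether that renders the raw token depends on the JWT object's `__tostring`, which is not visible in this diff, so it deserves the same check. Separately, a token that fails `verify` is answered with 403, while RFC 6750 expects 401 with `WWW-Authenticate: Bearer error="invalid_token"` for a rejected token and reserves 403 for insufficient scope; consider routing the verify failure through `challenge_response()` rather than a bare `exit_status(ngx.HTTP_FORBIDDEN)`.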
Not sure if this should be exposed.
Other modules do this too. I think it is reasonable. If you want to you could write a policy that in the init phase bumps cache sizes of other policies.