fix(openid-connect): the default 'redirect_uri' (#2426) #7690
Conversation
Previously the `redirect_uri` was set to `ngx.var.request_uri` if not configured. However, it caused the underlying `lua-resty-openidc` module to raise this error: ``` request to the redirect_uri path but there's no session state found ``` because `lua-resty-openidc` would think it was the redirection response from OP when the `redirect_uri` equals `ngx.var.request_uri`. Although the OAuth 2.0 Security Best Current Practice [1] recommends that the `redirect_uri` should be explicitly specified to prevent malicious redirection attacks, it would also be handy for APISIX to properly determine a default one if `redirect_uri` not given. Therefore, append the `.apisix/redirect` suffix to the current request URI to determine the default `redirect_uri`. It makes `lua-resty-openidc` happy and it's almost unlikely to conflict with user's URIs. Also note that the OP should be properly configured to accept such auto-determined redirect URIs. Update the documentation accordingly. Fix apache#2426. [1] https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
| @@ -198,3 +198,4 @@ In this example, the Plugin can enforce that the access token, the ID token, and | |||
|
|
|||
| - `redirect_uri` needs to be captured by the route where the current APISIX is located. For example, the `uri` of the current route is `/api/v1/*`, `redirect_uri` can be filled in as `/api/v1/callback`; | |||
| - `scheme` and `host` of `redirect_uri` (`scheme:host`) are the values required to access APISIX from the perspective of the identity provider. | |||
| - See also [this GitHub issue](https://github.com/apache/apisix/issues/2426), especially these comments: [@starsz](https://github.com/apache/apisix/issues/2426#issuecomment-1091021687), [@david-woelfle](https://github.com/apache/apisix/issues/2426#issuecomment-1090675455), [@liweitianux (1)](https://github.com/apache/apisix/issues/2426#issuecomment-1206107085), [@liweitianux (2)](https://github.com/apache/apisix/issues/2426#issuecomment-1207423283) | |||
There was a problem hiding this comment.
Could you write the conclusion in a short sentence, instead of multiple reference links?
There was a problem hiding this comment.
| - See also [this GitHub issue](https://github.com/apache/apisix/issues/2426), especially these comments: [@starsz](https://github.com/apache/apisix/issues/2426#issuecomment-1091021687), [@david-woelfle](https://github.com/apache/apisix/issues/2426#issuecomment-1090675455), [@liweitianux (1)](https://github.com/apache/apisix/issues/2426#issuecomment-1206107085), [@liweitianux (2)](https://github.com/apache/apisix/issues/2426#issuecomment-1207423283) | |
| - `redirect_uri` should not be the same as the URI of the route. This is because when a user initiates a request to visit the protected resource, the request directly hits the redirection URI with no session cookie in the request, which leads to the `no session state found` error. |
apisix/plugins/openid-connect.lua
Outdated
| @@ -65,7 +65,7 @@ local schema = { | |||
| }, | |||
| redirect_uri = { | |||
| type = "string", | |||
| description = "use ngx.var.request_uri if not configured" | |||
| description = "auto append '.apisix/redirect' if not configured" | |||
There was a problem hiding this comment.
But it cannot make sure the new URI will be matched by the same route, it actually adds an implicit condition that the route match type is prefix instead of exact.
There was a problem hiding this comment.
Well. If the route is of type exact, then it cannot actually use this openid-connect plugin, because the redirect_uri must be different from the request URI, as required by lua-resty-openidc.
There was a problem hiding this comment.
@liweitianux Could you write some hints about this in the OpenID Connect doc?
There was a problem hiding this comment.
Sure. I'll update the doc later.
| -- NOTE: 'lua-resty-openidc' requires that 'redirect_uri' be | ||
| -- different from 'uri'. So default to append the | ||
| -- '.apisix/redirect' suffix if not configured. | ||
| local suffix = "/.apisix/redirect" | ||
| local uri = ctx.var.uri | ||
| if core.string.has_suffix(uri, suffix) then | ||
| -- This is the redirection response from the OIDC provider. | ||
| conf.redirect_uri = uri | ||
| else | ||
| if string.sub(uri, -1, -1) == "/" then | ||
| conf.redirect_uri = string.sub(uri, 1, -2) .. suffix | ||
| else | ||
| conf.redirect_uri = uri .. suffix | ||
| end | ||
| end | ||
| core.log.debug("auto set redirect_uri: ", conf.redirect_uri) |
There was a problem hiding this comment.
When there is no conf.redirect_uri, it looks like we generate redirect_uri for each request(except for the real redirect from IdP).
Can we inject a default value for redirect_uri when we add the openid-connect plugin.
For example:
- we require that the match condition for a road has to be a prefix match, like
/openid/*, then redirect_uri defaults to/openid/.apisix/redirect.
Listen to what others say.
There was a problem hiding this comment.
@liweitianux any thoughts about this?
There was a problem hiding this comment.
I don't think we can set a proper default value for redirect_uri, because a plugin can be configured globally, per-route, and per-service. An exception is that the openid-connect plugin is configured for a specific route, so we can determine a redirect_uri that's covered by the route.
Please correct me if I'm mistaken.
There was a problem hiding this comment.
I agree with you.
There was a problem hiding this comment.
We need a test case to show that not providing redirect_uri works fine.
There was a problem hiding this comment.
I changed the job this year, and I haven't been working with APISIX for more than one year now. I'm unfamiliar with the test framework, and that was the main reason that this PR was lacking a test case. It would be great if you can rejuvenate this PR. Thanks.
|
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions. |
|
This pull request/issue has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time. |
|
Please resolve the conflicts and make the ci pass |
monkeyDluffy6017
changed the title
|
Hi @liweitianux @shreemaan-abhishek @monkeyDluffy6017 |
|
@luoluoyuyu sure. |
|
@shreemaan-abhishek |
|
@liweitianux could you invite @luoluoyuyu with access to your repo? |
Hi, @luoluoyuyu and @shreemaan-abhishek, I've invited both of you to my repo. Thank you. |
t/plugin/openid-connect2.t
Outdated
| local httpc = http.new() | ||
| local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello" | ||
| local res, err = httpc:request_uri(uri, {method = "GET"}) | ||
| ngx.say(res.status) |
t/plugin/openid-connect2.t
Outdated
| local res, err = httpc:request_uri(uri, {method = "GET"}) | ||
| ngx.say(res.status) | ||
| if res.status == 400 then | ||
| ngx.say(res.status) |
There was a problem hiding this comment.
the response_body was true
Description
Previously the
redirect_uriwas set tongx.var.request_uriif notconfigured. However, it caused the underlying
lua-resty-openidcmodule to raise this error:
because
lua-resty-openidcwould think it was the redirection responsefrom OP when the
redirect_uriequalsngx.var.request_uri.Although the OAuth 2.0 Security Best Current Practice [1] recommends
that the
redirect_urishould be explicitly specified to preventmalicious redirection attacks, it would also be handy for APISIX to
properly determine a default one if
redirect_urinot given.Therefore, append the
.apisix/redirectsuffix to the current requestURI to determine the default
redirect_uri. It makeslua-resty-openidchappy and it's almost unlikely to conflict withuser's URIs.
Also note that the OP should be properly configured to accept such
auto-determined redirect URIs.
Update the documentation accordingly.
Fix #2426.
[1] https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
Checklist