Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(openid-connect): the default 'redirect_uri' (#2426) #7690

Merged
merged 9 commits into from
Dec 22, 2023
Merged

fix(openid-connect): the default 'redirect_uri' (#2426) #7690

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
674b85e
fix(openid-connect): Fix the default 'redirect_uri' (#2426)
liweitianux Aug 16, 2022
4af8303
Merge branch 'master' into openid-connect/redirect-uri
kayx23 Nov 28, 2023
75abdd0
fix for doc CI
kayx23 Nov 28, 2023
02b0707
add test cases
luoluoyuyu Dec 4, 2023
d4f158a
fix test case
luoluoyuyu Dec 4, 2023
9d11f55
fix test style
luoluoyuyu Dec 4, 2023
46ecafd
re-add test cases
luoluoyuyu Dec 20, 2023
af8d34b
add error_code test
luoluoyuyu Dec 20, 2023
b375f9c
add redirect_uri description information
luoluoyuyu Dec 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions apisix/plugins/openid-connect.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@ local schema = {
},
redirect_uri = {
type = "string",
description = "use ngx.var.request_uri if not configured"
description = "auto append '.apisix/redirect' if not configured"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it cannot make sure the new URI will be matched by the same route, it actually adds an implicit condition that the route match type is prefix instead of exact.

Copy link
Contributor Author

@liweitianux liweitianux Aug 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well. If the route is of type exact, then it cannot actually use this openid-connect plugin, because the redirect_uri must be different from the request URI, as required by lua-resty-openidc.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liweitianux Could you write some hints about this in the OpenID Connect doc?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. I'll update the doc later.

},
post_logout_redirect_uri = {
type = "string",
Expand Down Expand Up @@ -357,7 +357,22 @@ function _M.rewrite(plugin_conf, ctx)
end

if not conf.redirect_uri then
conf.redirect_uri = ctx.var.request_uri
-- NOTE: 'lua-resty-openidc' requires that 'redirect_uri' be
-- different from 'uri'. So default to append the
-- '.apisix/redirect' suffix if not configured.
local suffix = "/.apisix/redirect"
local uri = ctx.var.uri
if core.string.has_suffix(uri, suffix) then
-- This is the redirection response from the OIDC provider.
conf.redirect_uri = uri
else
if string.sub(uri, -1, -1) == "/" then
conf.redirect_uri = string.sub(uri, 1, -2) .. suffix
else
conf.redirect_uri = uri .. suffix
end
end
core.log.debug("auto set redirect_uri: ", conf.redirect_uri)
Comment on lines +360 to +375
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When there is no conf.redirect_uri, it looks like we generate redirect_uri for each request(except for the real redirect from IdP).

Can we inject a default value for redirect_uri when we add the openid-connect plugin.

For example:

  1. we require that the match condition for a road has to be a prefix match, like /openid/*, then redirect_uri defaults to /openid/.apisix/redirect.

Listen to what others say.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liweitianux any thoughts about this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we can set a proper default value for redirect_uri, because a plugin can be configured globally, per-route, and per-service. An exception is that the openid-connect plugin is configured for a specific route, so we can determine a redirect_uri that's covered by the route.

Please correct me if I'm mistaken.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with you.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a test case to show that not providing redirect_uri works fine.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed the job this year, and I haven't been working with APISIX for more than one year now. I'm unfamiliar with the test framework, and that was the main reason that this PR was lacking a test case. It would be great if you can rejuvenate this PR. Thanks.

end

if not conf.ssl_verify then
Expand Down
3 changes: 2 additions & 1 deletion docs/en/latest/plugins/openid-connect.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ description: OpenID Connect allows the client to obtain user information from th
| bearer_only | boolean | False | false | | When set to `true`, APISIX will only check if the authorization header in the request matches a bearer token. |
| logout_path | string | False | "/logout" | | Path for logging out. |
| post_logout_redirect_uri | string | False | | | URL to redirect to after logging out. |
| redirect_uri | string | False | "ngx.var.request_uri" | | URI to which the identity provider redirects back to. |
| redirect_uri | string | False | | | URI to which the identity provider redirects back to. If not configured, APISIX will append the `.apisix/redirect` suffix to determine the default `redirect_uri`. Note that the provider should be properly configured to allow such `redirect_uri` values. |
| timeout | integer | False | 3 | [1,...] | Request timeout time in seconds. |
| ssl_verify | boolean | False | false | | When set to true, verifies the identity provider's SSL certificates. |
| introspection_endpoint | string | False | | | URL of the token verification endpoint of the identity server. |
Expand Down Expand Up @@ -211,3 +211,4 @@ In this example, the Plugin can enforce that the access token, the ID token, and

- `redirect_uri` needs to be captured by the route where the current APISIX is located. For example, the `uri` of the current route is `/api/v1/*`, `redirect_uri` can be filled in as `/api/v1/callback`;
- `scheme` and `host` of `redirect_uri` (`scheme:host`) are the values required to access APISIX from the perspective of the identity provider.
- See also [this GitHub issue](https://github.com/apache/apisix/issues/2426), especially these comments: [@starsz](https://github.com/apache/apisix/issues/2426#issuecomment-1091021687), [@david-woelfle](https://github.com/apache/apisix/issues/2426#issuecomment-1090675455), [@liweitianux (1)](https://github.com/apache/apisix/issues/2426#issuecomment-1206107085), [@liweitianux (2)](https://github.com/apache/apisix/issues/2426#issuecomment-1207423283)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you write the conclusion in a short sentence, instead of multiple reference links?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- See also [this GitHub issue](https://github.com/apache/apisix/issues/2426), especially these comments: [@starsz](https://github.com/apache/apisix/issues/2426#issuecomment-1091021687), [@david-woelfle](https://github.com/apache/apisix/issues/2426#issuecomment-1090675455), [@liweitianux (1)](https://github.com/apache/apisix/issues/2426#issuecomment-1206107085), [@liweitianux (2)](https://github.com/apache/apisix/issues/2426#issuecomment-1207423283)
- `redirect_uri` should not be the same as the URI of the route. This is because when a user initiates a request to visit the protected resource, the request directly hits the redirection URI with no session cookie in the request, which leads to the `no session state found` error.

3 changes: 2 additions & 1 deletion docs/zh/latest/plugins/openid-connect.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议
| bearer_only | boolean | 否 | false | | 当设置为 `true` 时,将仅检查请求头中的令牌(Token)。 |
| logout_path | string | 否 | "/logout" | | 登出路径。 |
| post_logout_redirect_uri | string | 否 | | | 调用登出接口后想要跳转的 URL。 |
| redirect_uri | string | 否 | "ngx.var.request_uri" | | 身份提供者重定向返回的 URI。 |
| redirect_uri | string | 否 | | | 身份提供者重定向返回的 URI。如果缺失,则 APISIX 将在当前 URI 之后追加 `.apisix/redirect` 作为默认的 `redirect_uri`。注意,OP 也需要适当配置以允许这种形式的 `redirect_uri`。 |
| timeout | integer | 否 | 3 | [1,...] | 请求超时时间,单位为秒 |
| ssl_verify | boolean | 否 | false | [true, false] | 当设置为 `true` 时,验证身份提供者的 SSL 证书。 |
| introspection_endpoint | string | 否 | | | 用于内省访问令牌的身份提供者的令牌内省端点的 URL。如果未设置,则使用发现文档中提供的内省端点[作为后备](https://github.com/zmartzone/lua-resty-openidc/commit/cdaf824996d2b499de4c72852c91733872137c9c)。 |
Expand Down Expand Up @@ -208,3 +208,4 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 \

- `redirect_uri` 需要能被当前 APISIX 所在路由捕获,比如当前路由的 `uri` 是 `/api/v1/*`, `redirect_uri` 可以填写为 `/api/v1/callback`;
- `redirect_uri`(`scheme:host`)的 `scheme` 和 `host` 是身份认证服务视角下访问 APISIX 所需的值。
- 另请参考[此 GitHub 问题](https://github.com/apache/apisix/issues/2426), 尤其是下述评论: [@starsz](https://github.com/apache/apisix/issues/2426#issuecomment-1091021687), [@david-woelfle](https://github.com/apache/apisix/issues/2426#issuecomment-1090675455), [@liweitianux (1)](https://github.com/apache/apisix/issues/2426#issuecomment-1206107085), [@liweitianux (2)](https://github.com/apache/apisix/issues/2426#issuecomment-1207423283)