Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add "valid_issuers" field in openidc plugin #12002

Open
wants to merge 13 commits into
base: master
Choose a base branch
from
Open

feat: add "valid_issuers" field in openidc plugin #12002

wants to merge 13 commits into from
+471 −11

Conversation

Revolyssup
Copy link
Contributor

@Revolyssup Revolyssup commented Feb 27, 2025
edited
Loading

Description

Adds a field valid_issuer when jwks is used to verify the issuer of jwt.
Whitelist the vetted issuers of the jwt.
When not passed by the user, the issuer returned by discovery endpoint will be used.
In case both are missing, the issuer will not be validated.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Feb 27, 2025
@Revolyssup Revolyssup marked this pull request as draft February 27, 2025 08:20
@dosubot dosubot bot added the enhancement New feature or request label Feb 27, 2025
@Revolyssup Revolyssup marked this pull request as ready for review February 27, 2025 10:03
nic-chen
nic-chen reviewed Feb 28, 2025
View reviewed changes
Copy link
Member

@nic-chen nic-chen left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add test cases for verifying the issuer returned by discovery endpoint

nic-6443
nic-6443 previously approved these changes Feb 28, 2025
View reviewed changes
Copy link
Member

@nic-6443 nic-6443 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Revolyssup
Copy link
Contributor Author

please add test cases for verifying the issuer returned by discovery endpoint

Added. Please review again.

@Revolyssup
Copy link
Contributor Author

@nic-chen Okay I think the last test can be done without the mock server. I have removed that and now the token verification happens as well. You can review

nic-chen
nic-chen previously approved these changes Feb 28, 2025
View reviewed changes
nic-6443
nic-6443 previously approved these changes Feb 28, 2025
View reviewed changes
AlinsRan
AlinsRan reviewed Feb 28, 2025
View reviewed changes
apisix/plugins/openid-connect.lua Outdated
if valid_issuers then
opts.valid_issuers = valid_issuers
end
end
if conf.public_key or conf.use_jwks then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If public_key is specified, it will not verify issuers. Are you sure this is expected?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are right, we should verify issuer when use public_key too.

bzp2010
bzp2010 requested changes Feb 28, 2025
View reviewed changes
apisix/plugins/openid-connect.lua
Comment on lines +279 to +287
valid_issuers = {
description = [[Whitelist the vetted issuers of the jwt.
When not passed by the user, the issuer returned by discovery endpoint will be used.
In case both are missing, the issuer will not be validated.]],
type = "array",
items = {
type = "string"
}
},
Copy link
Contributor

@bzp2010 bzp2010 Feb 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has already had another implementation that was approved and we have to decide which one is better.

#11987

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your PR adds audience validation and my PR adds issuer validation.
Audience validation matches "aud" in the JWT with "client_id"
Issuer validation matches "issuer" in the JWT with discovery.issuer/or passed by user.

If the problem that I am trying to solve is this "I want to reject a request because customer passed a JWT with unrecognised issuer."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bzp2010

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Revolyssup 🙌

I certainly know what I did, and know what you did, and I mentioned that we have to choose one of the better configuration schema designs, while accommodating design that are similar in use but so different is unacceptable.
Specifically, if they are tiled, then this and all subsequent validator configuration items need to be tiled, otherwise it's going to be structured like that PR #11987.

That's exactly why that PR hasn't merged yet, it's waiting for some feedback.

@Revolyssup Revolyssup dismissed stale reviews from nic-6443 and nic-chen via 580a515 February 28, 2025 05:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bzp2010 bzp2010 bzp2010 requested changes

@nic-6443 nic-6443 nic-6443 left review comments

@AlinsRan AlinsRan AlinsRan left review comments

@nic-chen nic-chen nic-chen left review comments

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
enhancement New feature or request size:L This PR changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Revolyssup @bzp2010 @nic-6443 @nic-chen @AlinsRan