Merge pull request #12 from mkulikk/master

Introspection functionality. Fixes issues
#8
#3
#11

README.md

@@ -17,6 +17,9 @@ It can be used as a reverse proxy terminating OAuth/OpenID Connect in front of a
 the origin server/services can be protected with the relevant standards without implementing those on
 the server itself.
 
+Introspection functionality add capability for already authenticated users and/or applications that
+already posses acces token to go through kong. The actual token verification is then done by Resource Server.
+
 ## Dependencies
 
 **kong-oidc** depends on the following package:

kong-oidc-1.0.2-0.rockspec → kong-oidc-1.0.3-0.rockspec

@@ -1,8 +1,8 @@
 package = "kong-oidc"
-version = "1.0.2-0"
+version = "1.0.3-0"
 source = {
     url = "git://github.com/nokia/kong-oidc",
-    tag = "v1.0.2",
+    tag = "v1.0.3",
     dir = "kong-oidc"
 }
 description = {

kong/plugins/oidc/handler.lua

@@ -29,6 +29,26 @@ function CustomHandler:access(config)
 
     session.configure(config)
 
+    doAuthentication(oidcConfig)
+
+  else
+    ngx.log(ngx.DEBUG, "In plugin CustomHandler:access NOT calling authenticate, requested path: " .. ngx.var.request_uri)
+  end
+
+  ngx.log(ngx.DEBUG, "In plugin CustomHandler:access Done")
+end
+
+function doAuthentication(oidcConfig)
+
+  res = tryIntrospect(oidcConfig)
+  if res then
+
+    ngx.log(ngx.DEBUG, "In plugin CustomHandler:Valid access token detected, passing connection, requested path: " .. ngx.var.request_uri)
+
+    utils.injectUser({sub = res.sub})
+
+  else
+
     local res, err = require("resty.openidc").authenticate(oidcConfig)
 
     if err then
@@ -43,11 +63,25 @@ function CustomHandler:access(config)
       utils.injectUser(res.user)
       ngx.req.set_header("X-Userinfo", require("cjson").encode(res.user))
     end
-  else
-    ngx.log(ngx.DEBUG, "In plugin CustomHandler:access NOT calling authenticate, requested path: " .. ngx.var.request_uri)
+
   end
 
-  ngx.log(ngx.DEBUG, "In plugin CustomHandler:access Done")
+end
+
+function tryIntrospect(oidcConfig)
+
+  -- If introspection endpoint is not set, the functionallity is considered as disabled
+  if not oidcConfig.introspection_endpoint then
+    return nil
+  end
+
+  local res, err = require("resty.openidc").introspect(oidcConfig)
+  if err then
+    return nil
+  end
+
+  return res
+
 end
 
 -- This module needs to return the created table, so that Kong

kong/plugins/oidc/schema.lua

@@ -4,6 +4,7 @@ return {
     client_id = { type = "string", required = true },
     client_secret = { type = "string", required = true },
     discovery = { type = "string", required = true, default = "https://.well-known/openid-configuration" },
+    introspection_endpoint = { type = "string", required = false },
     redirect_uri_path = { type = "string" },
     scope = { type = "string", required = true, default = "openid" },
     response_type = { type = "string", required = true, default = "code" },

kong/plugins/oidc/utils.lua

@@ -42,6 +42,7 @@ function M.get_options(config, ngx)
     client_id = config.client_id,
     client_secret = config.client_secret,
     discovery = config.discovery,
+    introspection_endpoint = config.introspection_endpoint,
     redirect_uri_path = M.get_redirect_uri_path(ngx),
     scope = config.scope,
     response_type = config.response_type,