diff --git a/README.md b/README.md
index 9b2d8690..b289a370 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,9 @@ It can be used as a reverse proxy terminating OAuth/OpenID Connect in front of a
 the origin server/services can be protected with the relevant standards without implementing those on the server itself.
+Introspection functionality add capability for already authenticated users and/or applications that
+already posses acces token to go through kong. The actual token verification is then done by Resource Server.
+
 ## Dependencies
 **kong-oidc** depends on the following package:
diff --git a/kong-oidc-1.0.2-0.rockspec b/kong-oidc-1.0.3-0.rockspec
similarity index 97%
rename from kong-oidc-1.0.2-0.rockspec
rename to kong-oidc-1.0.3-0.rockspec
index c9e6b5a7..5b917724 100644
--- a/kong-oidc-1.0.2-0.rockspec
+++ b/kong-oidc-1.0.3-0.rockspec
@@ -1,8 +1,8 @@
 package = "kong-oidc"
-version = "1.0.2-0"
+version = "1.0.3-0"
 source = {
   url = "git://github.com/nokia/kong-oidc",
-  tag = "v1.0.2",
+  tag = "v1.0.3",
   dir = "kong-oidc"
 }
 description = {
diff --git a/kong/plugins/oidc/handler.lua b/kong/plugins/oidc/handler.lua
index 41a47fa3..b9fc42a7 100644
--- a/kong/plugins/oidc/handler.lua
+++ b/kong/plugins/oidc/handler.lua
@@ -29,6 +29,26 @@ function CustomHandler:access(config)
     session.configure(config)
+    doAuthentication(oidcConfig)
+
+  else
+    ngx.log(ngx.DEBUG, "In plugin CustomHandler:access NOT calling authenticate, requested path: " .. ngx.var.request_uri)
+  end
+
+  ngx.log(ngx.DEBUG, "In plugin CustomHandler:access Done")
+end
+
+function doAuthentication(oidcConfig)
+
+  res = tryIntrospect(oidcConfig)
+  if res then
+
+    ngx.log(ngx.DEBUG, "In plugin CustomHandler:Valid access token detected, passing connection, requested path: " .. ngx.var.request_uri)
+
+    utils.injectUser({sub = res.sub})
+
+  else
+
     local res, err = require("resty.openidc").authenticate(oidcConfig)
     if err then
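Review bot: `res = tryIntrospect(oidcConfig)` in `doAuthentication` writes a global (no `local`), and `doAuthentication` is itself declared as a global function; in OpenResty the Lua global table is shared by every request a worker handles, so per-request state such as an introspection result must not live there, and the OpenResty docs explicitly advise against request-time globals. Change the line to `local res = tryIntrospect(oidcConfig)`; declaring the helper as `local function doAuthentication` would additionally need a forward `local doAuthentication` above `CustomHandler:access`, which is outside this hunk. Separately, any truthy introspection result is accepted as a valid token and only `res.sub` is injected, whereas the `authenticate` path also sets `X-Userinfo`; whether `resty.openidc`'s `introspect` already rejects a response with `active == false` depends on the library version, so an explicit `if res and res.active then` is cheap insurance, and the upstream should be told which claims it can expect on each path. `CustomHandler:access` starts before this hunk and `doAuthentication` continues past it.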
@@ -43,11 +63,25 @@ function CustomHandler:access(config)
       utils.injectUser(res.user)
       ngx.req.set_header("X-Userinfo", require("cjson").encode(res.user))
     end
-  else
-    ngx.log(ngx.DEBUG, "In plugin CustomHandler:access NOT calling authenticate, requested path: " .. ngx.var.request_uri)
+
   end
-  ngx.log(ngx.DEBUG, "In plugin CustomHandler:access Done")
+end
+
+function tryIntrospect(oidcConfig)
+
+  -- If introspection endpoint is not set, the functionallity is considered as disabled
+  if not oidcConfig.introspection_endpoint then
+    return nil
+  end
+
+  local res, err = require("resty.openidc").introspect(oidcConfig)
+  if err then
+    return nil
+  end
+
+  return res
+
 end
 -- This module needs to return the created table, so that Kong
diff --git a/kong/plugins/oidc/schema.lua b/kong/plugins/oidc/schema.lua
index f5bc2472..55f3de70 100644
--- a/kong/plugins/oidc/schema.lua
+++ b/kong/plugins/oidc/schema.lua
@@ -4,6 +4,7 @@ return {
     client_id = { type = "string", required = true },
     client_secret = { type = "string", required = true },
     discovery = { type = "string", required = true, default = "https://.well-known/openid-configuration" },
+    introspection_endpoint = { type = "string", required = false },
     redirect_uri_path = { type = "string" },
     scope = { type = "string", required = true, default = "openid" },
     response_type = { type = "string", required = true, default = "code" },
diff --git a/kong/plugins/oidc/utils.lua b/kong/plugins/oidc/utils.lua
index 18d0b27c..1913af46 100644
--- a/kong/plugins/oidc/utils.lua
+++ b/kong/plugins/oidc/utils.lua
@@ -42,6 +42,7 @@ function M.get_options(config, ngx)
     client_id = config.client_id,
     client_secret = config.client_secret,
     discovery = config.discovery,
+    introspection_endpoint = config.introspection_endpoint,
     redirect_uri_path = M.get_redirect_uri_path(ngx),
     scope = config.scope,
     response_type = config.response_type,
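Review bot: `tryIntrospect` returns `nil` on `err` without recording the error, so an unreachable or misconfigured introspection endpoint (and presumably a request with no bearer token, if the library reports that as an error) all look the same to the caller, and every such request silently drops into the interactive `authenticate` redirect flow. Log it before returning: `ngx.log(ngx.ERR, "In plugin CustomHandler: introspection failed: " .. err)`. The leading comment also has a typo (`functionallity`) and would be more useful stating the contract: `-- Returns the introspection response when the endpoint accepted the presented token; nil when no endpoint is configured or resty.openidc reported an error, in which case the caller falls back to the interactive login flow.` The tail of `doAuthentication` at the top of this hunk starts outside it.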
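Review bot: `introspection_endpoint` is accepted as any string, yet it is the URL the plugin will call with the presented bearer token and, presumably, the `client_id`/`client_secret` configured next to it, so a plain-`http` value or a typo sends those secrets to the wrong place in clear text. If this Kong version's schema supports it, constrain the value, e.g. `introspection_endpoint = { type = "string", required = false, regex = "^https://" }`; otherwise at least document the expectation with `-- Must be an https URL: the bearer token (and client credentials) are sent here on every introspected request.`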