
bug: Openid-connect plugin use_jwks breaks Authorization headers when bearer_only is true #10669

Closed
jesse-r-s-hines opened this issue Dec 19, 2023 · 0 comments · Fixed by #10670
Labels
bug Something isn't working

Comments

Contributor

jesse-r-s-hines commented Dec 19, 2023

Current Behavior

When using the openid-connect plugin with bearer_only as false, the plugin will normally authenticate both requests with the session cookie and requests with an explicit Authorization: Bearer header. This is very useful to allow both browser based and programmatic access to some resource.
E.g.

plugins:
    openid-connect:
      client_id: ...
      client_secret: ...
      discovery: ...
      scope: "openid profile"
      bearer_only: false
      realm: ...
      public_key: ...

However, if you use jwks instead of explicitly setting the public key, requests with a proper Authorization: Bearer header still get the 302 Found response.

Expected Behavior

Authorization headers should get checked the same way whether you are manually setting a public key or using jwks.

Error Logs

No response

Steps to Reproduce

Create a route with an openid-connect configuration like so

plugins:
    openid-connect:
      client_id: ...
      client_secret: ...
      discovery: ...
      scope: "openid profile"
      bearer_only: false
      realm: ...
      use_jwks: true

curl https://example.com -H "Authorization: Bearer $TOKEN"

will return an HTML 302 error page.

I believe the issue is caused by not checking for use_jwks on this line

Environment

  • APISIX version (run apisix version): 3.7.0
  • Operating system (run uname -a): Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V): openresty/1.21.4.2
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): N/A (standalone mode)
  • APISIX Dashboard version, if relevant: N/A
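The dispatch the report describes, modelled in Python as an added illustration (not the plugin's own Lua): a config that only has `use_jwks` sends a valid-looking bearer request down the 302 redirect path until the missing `use_jwks` check is added. Function names, the `bearer_only` 401 branch and the cookie check are constructed simplifications.

```python
# Illustrative model of the openid-connect plugin's request dispatch, written for
# this page; function names, return values and the sample configs are constructed.

def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token:
        return token
    return None

def can_verify_bearer(conf, fixed):
    """Can the plugin validate a bearer token locally with this config?
    Buggy behaviour: only public_key counts. Fixed: use_jwks counts as well."""
    if fixed:
        return bool(conf.get("public_key")) or bool(conf.get("use_jwks"))
    return bool(conf.get("public_key"))

def dispatch(conf, headers, fixed):
    """Return the path a request takes:
    'verify_bearer', 'session', 'redirect_302' or 'reject_401'."""
    token = bearer_token(headers)
    if conf.get("bearer_only"):
        # Assumed for the model: bearer_only has no session fallback,
        # so a request without a token is rejected rather than redirected.
        return "verify_bearer" if token else "reject_401"
    if token and can_verify_bearer(conf, fixed):
        return "verify_bearer"
    # No token the plugin can check: fall back to the browser session flow.
    # Cookie parsing is simplified to a substring check for the model.
    if "session" in headers.get("Cookie", ""):
        return "session"
    return "redirect_302"

# Constructed configs mirroring the two snippets in the report.
PUBLIC_KEY_CONF = {"bearer_only": False,
                   "public_key": "<constructed PEM placeholder>"}
JWKS_CONF = {"bearer_only": False, "use_jwks": True}
BEARER_HEADERS = {"Authorization": "Bearer constructed.token.value"}

if __name__ == "__main__":
    # Same bearer request, same bearer_only=false: only the jwks config misbehaves.
    print("public_key, buggy:", dispatch(PUBLIC_KEY_CONF, BEARER_HEADERS, fixed=False))
    print("use_jwks,   buggy:", dispatch(JWKS_CONF, BEARER_HEADERS, fixed=False))
    print("use_jwks,   fixed:", dispatch(JWKS_CONF, BEARER_HEADERS, fixed=True))
```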
3 participants