fix: openid-connect plugin check token request against granted scopes #9127
Conversation
@starsz @spacewander please take a look, thanks!
Hi @whatvn, I don't see any doc that introduces adding scope to the request body of the introspection request. Can you give me some information about this? Thanks very much.
@starsz according to RFC 7662 https://www.rfc-editor.org/rfc/rfc7662#section-2.1
Clients can also provide additional parameters to let the authorization server optimize its search query. That's why the OIDC resty module we are using allows us to add scope when introspecting the token. Given your question, I think I may also add another check: in case the authorization server (other than Ory Hydra, which I am testing with) does not support scope in the request, we can still check the granted scope. What do you think?
Thanks for providing the RFC docs. I agree with you.
@starsz I added options to control this change and also updated the doc (en) to clarify the new options and behaviour. Please take a look, thanks!
@starsz let me try again: I tried to run the current test cases on my dev machine following the document to set up the tests, but it failed every time.
What's the error that your dev machine reports?
@starsz please find the output of the command in the attached file: prove -I. -I../test-nginx/inc -I../test-nginx/lib -r t/plugin/openid-connect.t >t.log 2>&1 Also there's an error about the random seed in the error log.
@starsz I built and ran the test again on a different clean dev machine and still got this error. Any idea?
Looks strange, can you merge the master branch and try again?
@starsz I ran the test on master, not my branch. I just merged master again with the updates and the test still fails.
@starsz question: how do we set up Keycloak to perform the test? Do we have a document on how to set up tests for openid-connect? Thanks
Hi @whatvn. As you can see in the workflow:
APISIX starts Keycloak via docker-compose.
We have a blog post, Getting Started with APISIX Test.
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.
Maybe this PR is less relevant now that #10493 has been merged?
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.
closing in favour of #10493
Description
The current openid-connect plugin does not check the access token's scope permission. For example, client-id clientX has been granted scope-a, and APISIX with openid-connect has two routes set up with scope-a and scope-b for different client-ids.
ClientX then uses its client-id and client-secret to get an access token to request the service defined with scope-a; this access token can still be used to access the service defined with scope-b, since the plugin does not check the scope when doing the OIDC introspection.
For example, a client request with token ory_at_l3PFHHNGOrGKGaM8t0arZFCV4_UFZv5630Zn60E-6JQ.O7eE2aLhB4bkGgJ8QbeHamc2sDJj3aTYKtUpkiCSgsM and the following configuration, accessing a route with defined scope default-nginx-page-3.
The route configuration is as follows:
Meanwhile, the client-id that owns this access token does not have scope default-nginx-page-3 granted.
Since it can access routes defined with scopes default-nginx-page and default-nginx-page-2, it can also access routes configured with any other scope.
This fixes the issue mentioned above by also checking the allowed scope of the access token against the scope granted in OIDC. With this applied, the above request will return 401.
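As an added illustration (not code from this PR or from APISIX's Lua plugin), the check the description calls for, written in Python over an RFC 7662 introspection response: the response's space-delimited scope member lists the granted scopes, and a route's required scope must be covered by it, regardless of whether the server honoured a scope hint in the introspection request (the concern raised earlier in the conversation). Function names and the sample response are constructed for this example.

```python
from typing import Any, Iterable, Mapping


def granted_scopes(introspection: Mapping[str, Any]) -> frozenset:
    """Scopes an RFC 7662 introspection response grants.

    "scope" is OPTIONAL and, when present, a space-separated string;
    an inactive token, or one without a scope member, grants nothing.
    """
    if introspection.get("active") is not True:
        return frozenset()
    scope = introspection.get("scope")
    if not isinstance(scope, str):
        return frozenset()
    return frozenset(scope.split())


def check_required_scopes(introspection: Mapping[str, Any],
                          required: Iterable[str]) -> tuple:
    """Decide whether the token may reach a route requiring `required`.

    Returns (http_status, reason): 200 when the token is active and every
    required scope is granted, else 401 (the PR's "request will return 401").
    The check relies only on what the server reports as granted, so it holds
    even when the server ignored a scope hint sent with the introspection.
    """
    if introspection.get("active") is not True:
        return 401, "token inactive"
    missing = frozenset(required) - granted_scopes(introspection)
    if missing:
        return 401, "missing scope: " + " ".join(sorted(missing))
    return 200, "ok"


# Constructed introspection response: the token was granted two scopes only.
SAMPLE_INTROSPECTION = {
    "active": True,
    "client_id": "clientX",                      # constructed value
    "scope": "default-nginx-page default-nginx-page-2",
    "exp": 1700000000,                           # constructed value
}

if __name__ == "__main__":
    # The same token against the two route scopes from the description.
    for route_scope in ("default-nginx-page", "default-nginx-page-3"):
        print(route_scope, check_required_scopes(SAMPLE_INTROSPECTION, [route_scope]))
```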
Checklist