New to APISIX, need help with openid-connect plugin use case

[scrohde]

Hello,

I have an app where users login to the web frontend. Currently this authentication is handled by apisix openid-connect plugin. It's working great so far.

However, this app also exposes rest apis that clients can use. This rest api is really the same api that our web frontend uses as well. So currently those apis are authenticated as i described above - with openid-connect plugin.

However, tokens generated for users to use the website often have short lifespans. Tokens intended for rest api clients should have longer life spans.

So, I think I need two different kinds of tokens - one kind for users, and one kind for rest-api clients.

I'm not sure how to implement this use case with apisix and the openid-connect plugin.

My first thought was to just ask customer to configure their idP to have longer tokens for the 'client credentials' flow (machines) and shorter tokens for the 'authorization code' flow (users). However, I'm learning that not every idP supports this type of configuration, or they can support it by creating a new client in the idP - but the openid-connect plugin only supports one client.

I thought about using the 'multi-auth' plugin but that doesn't seem to be compatible with openid-connect plugin.

I then thought about creating an entirely new set of routes for machine use and a different set of routes for users use. I assume that the machine routes and the user routes will need to have different paths even though the backends will be the same. I can use the 'proxy-rewrite' plugin to make this work. I believe this solution will work for me, but I don't like having different set of paths.

Is there any other solution I haven't thought about yet?

Thanks for the help!

[dosubot[bot]]

Hey there, @scrohde! I'm here to assist you with any questions or issues you have. Let's tackle this together!

To implement two different kinds of tokens with different lifespans for users and REST API clients using the APISIX openid-connect plugin, you can configure the session.cookie.lifetime for user sessions and access_token_expires_in for REST API clients. Here is how you can set it up:

1. User Tokens: Configure the session cookie lifetime for user tokens.
2. REST API Client Tokens: Configure the access token expiration for REST API clients.

Here is an example configuration:

local user_token_config = {
    client_id = "your_client_id",
    client_secret = "your_client_secret",
    discovery = "https://your-identity-provider/.well-known/openid-configuration",
    session = {
        secret = "your_session_secret",
        cookie = {
            lifetime = 3600  -- User token lifespan in seconds (e.g., 1 hour)
        }
    },
    -- other necessary configurations
}

local api_client_token_config = {
    client_id = "your_client_id",
    client_secret = "your_client_secret",
    discovery = "https://your-identity-provider/.well-known/openid-configuration",
    access_token_expires_in = 7200,  -- API client token lifespan in seconds (e.g., 2 hours)
    -- other necessary configurations
}

In the above configuration:

• user_token_config sets the session cookie lifetime to 1 hour for user tokens.
• api_client_token_config sets the access token expiration to 2 hours for REST API clients.

You can then apply these configurations appropriately based on the type of client (user or API client) making the request.

For more details, refer to the APISIX openid-connect plugin documentation ^[1][2].

To continue talking to Dosu, mention @dosu.

[scrohde]

I'm not sure the dosubot answer is what I'm looking for, but I'll experiment with it to see if the behavior works for me or not.