change(authz-keycloak): remove deprecated audience #7683

Merged
merged 3 commits into from
Aug 22, 2022
34 changes: 4 additions & 30 deletions apisix/plugins/authz-keycloak.lua
Expand Up @@ -31,8 +31,6 @@ local schema = {
token_endpoint = {type = "string", minLength = 1, maxLength = 4096},
resource_registration_endpoint = {type = "string", minLength = 1, maxLength = 4096},
client_id = {type = "string", minLength = 1, maxLength = 100},
audience = {type = "string", minLength = 1, maxLength = 100,
description = "Deprecated, use `client_id` instead."},
client_secret = {type = "string", minLength = 1, maxLength = 100},
grant_type = {
type = "string",
Expand Down Expand Up @@ -73,6 +71,7 @@ local schema = {
maxLength = 4096
},
},
required = {"client_id"},
allOf = {
-- Require discovery or token endpoint.
{
Expand All @@ -81,13 +80,6 @@ local schema = {
{required = {"token_endpoint"}}
}
},
-- Require client_id or audience.
{
anyOf = {
{required = {"client_id"}},
{required = {"audience"}}
}
},
-- If lazy_load_paths is true, require discovery or resource registration endpoint.
{
anyOf = {
Expand Down Expand Up @@ -120,28 +112,10 @@ local _M = {


function _M.check_schema(conf)
-- Check for deprecated audience attribute and emit warnings if used.
if conf.audience then
log.warn("Plugin attribute `audience` is deprecated, use `client_id` instead.")
if conf.client_id then
log.warn("Ignoring `audience` attribute in favor of `client_id`.")
end
end
return core.schema.check(schema, conf)
end


-- Return the configured client ID parameter.
local function authz_keycloak_get_client_id(conf)
if conf.client_id then
-- Prefer client_id, if given.
return conf.client_id
end

return conf.audience
end


-- Some auxiliary functions below heavily inspired by the excellent
-- lua-resty-openidc module; see https://github.com/zmartzone/lua-resty-openidc

Expand Down Expand Up @@ -339,7 +313,7 @@ end

-- Ensure a valid service account access token is available for the configured client.
local function authz_keycloak_ensure_sa_access_token(conf)
local client_id = authz_keycloak_get_client_id(conf)
local client_id = conf.client_id
local ttl = conf.cache_ttl_seconds
local token_endpoint = authz_keycloak_get_token_endpoint(conf)

Expand Down Expand Up @@ -648,7 +622,7 @@ local function evaluate_permissions(conf, ctx, token)
method = "POST",
body = ngx.encode_args({
grant_type = conf.grant_type,
audience = authz_keycloak_get_client_id(conf),
audience = conf.client_id,
response_mode = "decision",
permission = permission
}),
Expand Down Expand Up @@ -732,7 +706,7 @@ local function generate_token_using_password_grant(conf,ctx)
return 422, {message = err}
end

local client_id = authz_keycloak_get_client_id(conf)
local client_id = conf.client_id

local token_endpoint = authz_keycloak_get_token_endpoint(conf)

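Review bot: With the `audience` property and its `anyOf` alternative dropped from `schema`, a route that still carries `audience` next to `client_id` is now accepted by `_M.check_schema` (reduced to `return core.schema.check(schema, conf)` in the `-120,28 +112,10` hunk) without any diagnostic, unless the schema declares `additionalProperties = false`, which is not visible in these hunks. The removed `log.warn` calls were the only signal that the key is ignored, so a half-migrated configuration can keep an `audience` value that no longer has any effect on which client the authorization decision is evaluated for. I would either keep a one-line notice before the schema check, `if conf.audience then log.warn("Plugin attribute 'audience' was removed, use 'client_id' instead.") end`, or make the schema reject the stale key outright so the misconfiguration surfaces at admin time. If `log` was referenced only by the removed warnings, its `local` binding at the top of the file is now unused and luacheck will flag it.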
9 changes: 3 additions & 6 deletions docs/en/latest/plugins/authz-keycloak.md
Expand Up @@ -46,8 +46,7 @@ Refer to [Authorization Services Guide](https://www.keycloak.org/docs/latest/aut
| discovery | string | False | | https://host.domain/auth/realms/foo/.well-known/uma2-configuration | URL to [discovery document](https://www.keycloak.org/docs/14.0/authorization_services/#_service_authorization_api) of Keycloak Authorization Services. |
| token_endpoint | string | False | | https://host.domain/auth/realms/foo/protocol/openid-connect/token | An OAuth2-compliant token endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type. If provided, overrides the value from discovery. |
| resource_registration_endpoint | string | False | | https://host.domain/auth/realms/foo/authz/protection/resource_set | A UMA-compliant resource registration endpoint. If provided, overrides the value from discovery. |
| client_id | string | False | | | The identifier of the resource server to which the client is seeking access. Either `client_id` or `audience` is required. |
| audience | string | False | | | Legacy parameter now replaced by `client_id` kept for backwards compatibility. Either `client_id` or `audience` is required. |
| client_id | string | True | | | The identifier of the resource server to which the client is seeking access. |
| client_secret | string | False | | | The client secret, if required. |
| grant_type | string | False | "urn:ietf:params:oauth:grant-type:uma-ticket" | ["urn:ietf:params:oauth:grant-type:uma-ticket"] | |
| policy_enforcement_mode | string | False | "ENFORCING" | ["ENFORCING", "PERMISSIVE"] | |
Expand Down Expand Up @@ -75,9 +74,7 @@ If set, the `token_endpoint` and `resource_registration_endpoint` will override

### Client ID and secret

The Plugin needs the `client_id` or `audience` (for backwards compatibility) attribute for identification and to specify the context in which to evaluate permissions when interacting with Keycloak.

If both are configured, `client_id` is preferred.
The Plugin needs the `client_id` attribute for identification and to specify the context in which to evaluate permissions when interacting with Keycloak.

If the `lazy_load_paths` attribute is set to true, then the Plugin additionally needs to obtain an access token for itself from Keycloak. In such cases, if the client access to Keycloak is confidential, you need to configure the `client_secret` attribute.

Expand Down Expand Up @@ -155,7 +152,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f13
"authz-keycloak": {
"token_endpoint": "http://127.0.0.1:8090/auth/realms/${realm}/protocol/openid-connect/token",
"permissions": ["resource name#scope name"],
"audience": "Client ID"
"client_id": "Client ID"
}
},
"upstream": {
7 changes: 3 additions & 4 deletions docs/zh/latest/plugins/authz-keycloak.md
Expand Up @@ -46,8 +46,7 @@ description: 本文介绍了关于 Apache APISIX `authz-keycloak` 插件的基
| discovery | string | 否 | | https://host.domain/auth/realms/foo/.well-known/uma2-configuration | Keycloak 授权服务的 [discovery document](https://www.keycloak.org/docs/14.0/authorization_services/#_service_authorization_api) 的 URL。 |
| token_endpoint | string | 否 | | https://host.domain/auth/realms/foo/protocol/openid-connect/token | 接受 OAuth2 兼容 token 的接口,需要支持 `urn:ietf:params:oauth:grant-type:uma-ticket` 授权类型。 |
| resource_registration_endpoint | string | 否 | | https://host.domain/auth/realms/foo/authz/protection/resource_set | 符合 UMA 的资源注册端点。如果提供,则覆盖发现中的值。 |
| client_id | string | 否 | | | 客户端正在寻求访问的资源服务器的标识符。需要 `client_id` 或 `audience`。 |
| audience | string | 否 | | | 遗留参数。现在被 `client_id` 替换,以保持向后兼容性。需要 `client_id` 或 `audience`。 |
| client_id | string | 是 | | | 客户端正在寻求访问的资源服务器的标识符。 |
| client_secret | string | 否 | | | 客户端密码(如果需要)。 |
| grant_type | string | 否 | "urn:ietf:params:oauth:grant-type:uma-ticket" | ["urn:ietf:params:oauth:grant-type:uma-ticket"] | |
| policy_enforcement_mode | string | 否 | "ENFORCING" | ["ENFORCING", "PERMISSIVE"] | |
Expand All @@ -73,7 +72,7 @@ description: 本文介绍了关于 Apache APISIX `authz-keycloak` 插件的基
- 使用 `discovery` 属性后,`authz-keycloak` 插件就可以从其 URL 中发现 Keycloak API 的端点。该 URL 指向 Keyloak 针对相应领域授权服务的发现文档。
- 如果发现文档可用,则插件将根据该文档确定令牌端点 URL。如果 URL 存在,则 `token_endpoint` 和 `resource_registration_endpoint` 的值将被其覆盖。
- Client ID and secret
- 该插件需配置 `client_id` 或 `audience`(用于向后兼容)属性来标识自身,如果两者都已经配置,则 `client_id` 优先级更高
- 该插件需配置 `client_id` 属性来标识自身。
- 如果 `lazy_load_paths` 属性被设置为 `true`,那么该插件还需要从 Keycloak 中获得一个自身访问令牌。在这种情况下,如果客户端对 Keycloak 的访问是加密的,就需要配置 `client_secret` 属性。
- Policy enforcement mode
- `policy_enforcement_mode` 属性指定了在处理发送到服务器的授权请求时,该插件如何执行策略。
Expand Down Expand Up @@ -138,7 +137,7 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 \
"authz-keycloak": {
"token_endpoint": "http://127.0.0.1:8090/auth/realms/${realm}/protocol/openid-connect/token",
"permissions": ["resource name#scope name"],
"audience": "Client ID"
"client_id": "Client ID"
}
},
"upstream": {
62 changes: 18 additions & 44 deletions t/plugin/authz-keycloak.t
Expand Up @@ -74,32 +74,7 @@ done



=== TEST 3: minimal valid configuration with audience
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.authz-keycloak")
local ok, err = plugin.check_schema({
audience = "foo",
discovery = "https://host.domain/auth/realms/foo/.well-known/uma2-configuration"
})
if not ok then
ngx.say(err)
end

ngx.say("done")
}
}
--- request
GET /t
--- response_body
done
--- no_error_log
[error]



=== TEST 4: minimal valid configuration w/o discovery when lazy_load_paths=true
=== TEST 3: minimal valid configuration w/o discovery when lazy_load_paths=true
--- config
location /t {
content_by_lua_block {
Expand All @@ -126,7 +101,7 @@ done



=== TEST 5: minimal valid configuration with discovery when lazy_load_paths=true
=== TEST 4: minimal valid configuration with discovery when lazy_load_paths=true
--- config
location /t {
content_by_lua_block {
Expand All @@ -152,7 +127,7 @@ done



=== TEST 6: full schema check
=== TEST 5: full schema check
--- config
location /t {
content_by_lua_block {
Expand All @@ -162,7 +137,6 @@ done
token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
resource_registration_endpoint = "https://host.domain/auth/realms/foo/authz/protection/resource_set",
client_id = "University",
audience = "University",
client_secret = "secret",
grant_type = "urn:ietf:params:oauth:grant-type:uma-ticket",
policy_enforcement_mode = "ENFORCING",
Expand Down Expand Up @@ -197,7 +171,7 @@ done



=== TEST 7: token_endpoint and discovery both missing
=== TEST 6: token_endpoint and discovery both missing
--- config
location /t {
content_by_lua_block {
Expand All @@ -220,7 +194,7 @@ done



=== TEST 8: client_id and audience both missing
=== TEST 7: client_id missing
--- config
location /t {
content_by_lua_block {
Expand All @@ -236,14 +210,14 @@ done
--- request
GET /t
--- response_body
allOf 2 failed: object matches none of the required: ["client_id"] or ["audience"]
property "client_id" is required
done
--- no_error_log
[error]



=== TEST 9: resource_registration_endpoint and discovery both missing and lazy_load_paths is true
=== TEST 8: resource_registration_endpoint and discovery both missing and lazy_load_paths is true
--- config
location /t {
content_by_lua_block {
Expand All @@ -263,14 +237,14 @@ done
--- request
GET /t
--- response_body
allOf 3 failed: object matches none of the required
allOf 2 failed: object matches none of the required
done
--- no_error_log
[error]



=== TEST 10: Add https endpoint with ssl_verify true (default)
=== TEST 9: Add https endpoint with ssl_verify true (default)
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -312,7 +286,7 @@ passed



=== TEST 11: TEST with fake token and https endpoint
=== TEST 10: TEST with fake token and https endpoint
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -345,7 +319,7 @@ Error while sending authz request to https://127.0.0.1:8443/auth/realms/Universi



=== TEST 12: Add https endpoint with ssl_verify false
=== TEST 11: Add https endpoint with ssl_verify false
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -388,7 +362,7 @@ passed



=== TEST 13: TEST for https based token verification with ssl_verify false
=== TEST 12: TEST for https based token verification with ssl_verify false
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -418,7 +392,7 @@ Request denied: HTTP 401 Unauthorized. Body: {"error":"HTTP 401 Unauthorized"}



=== TEST 14: set enforcement mode is "ENFORCING", lazy_load_paths and permissions use default values
=== TEST 13: set enforcement mode is "ENFORCING", lazy_load_paths and permissions use default values
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -460,7 +434,7 @@ passed



=== TEST 15: test for permission is empty and enforcement mode is "ENFORCING".
=== TEST 14: test for permission is empty and enforcement mode is "ENFORCING".
--- config
location /t {
content_by_lua_block {
Expand All @@ -485,7 +459,7 @@ GET /t



=== TEST 16: set enforcement mode is "ENFORCING", lazy_load_paths and permissions use default values , access_denied_redirect_uri is "http://127.0.0.1/test"
=== TEST 15: set enforcement mode is "ENFORCING", lazy_load_paths and permissions use default values , access_denied_redirect_uri is "http://127.0.0.1/test"
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -528,7 +502,7 @@ passed



=== TEST 17: test for permission is empty and enforcement mode is "ENFORCING" , access_denied_redirect_uri is "http://127.0.0.1/test".
=== TEST 16: test for permission is empty and enforcement mode is "ENFORCING" , access_denied_redirect_uri is "http://127.0.0.1/test".
--- config
location /t {
content_by_lua_block {
Expand All @@ -555,7 +529,7 @@ Location: http://127.0.0.1/test



=== TEST 18: Add https endpoint with password_grant_token_generation_incoming_uri
=== TEST 17: Add https endpoint with password_grant_token_generation_incoming_uri
--- config
location /t {
content_by_lua_block {
Expand Down Expand Up @@ -629,7 +603,7 @@ true



=== TEST 19: no username or password
=== TEST 18: no username or password
--- config
location /t {
content_by_lua_block {
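Review bot: Deleting TEST 3 leaves no case for a configuration that still sets `audience`, so the `-236,14 +210,14` hunk only pins the `property "client_id" is required` message for a config with neither key. A test passing `audience = "foo"` together with `client_id`, and one passing `audience` alone, would document whether a legacy configuration is rejected, warned about, or silently accepted after this change, which is the behaviour operators migrating routes will actually hit. The remaining hunks are title renumbering; the configuration bodies of the renumbered tests lie outside the visible hunks.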