
OIDC plugin doesn't work with Rate Limiting plugin #2

Closed
Trojan295 opened this issue Aug 17, 2017 · 2 comments
Comments

@Trojan295 (Contributor)

Hello,

The current plugin implementation doesn't work with the Rate Limiting plugin. If I configure the Rate Limiting to limit via user credential and use this plugin to determine the user, then it falls back to limiting via IP.

After my investigation I found out that it's because the field ngx.ctx.authenticated_credential isn't set. Other authentication plugins set this field, so it looks like this is a missing implementation.

Br,
Damian

@tookko commented Aug 18, 2017

Most authentication plugins assume that Kong is the authorization server, which is not the case in this plugin. However, if it's as simple to get compatibility with other plugins as setting that field, it would be a simple thing to do. We would also need to ensure that this plugin gets executed before other plugins potentially using the information. See Kong/kong#267

Would you like to do some testing to see whether it works better with the field enabled?

@Trojan295 (Contributor, Author)

Kong plugins have a priority mechanism. By default it's set to 0 (executed last), which is the case for this plugin also. Looking at other authentication plugins, they have priority set to 1000. It's no biggie to change this also.

I already tried to modify this plugin to inject this ngx.ctx.authenticated_credential field. I also had to copy the authenticated_credential.sub field to authenticated_credential.id to make it work with Rate Limiting. It looks a bit like a hack, but it needs to be added to be compliant with other Kong authentication plugins and make it useful for other plugins.

I will push this to my forked repository next week.
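The two changes discussed in this thread (a non-zero PRIORITY so the plugin runs before consumers of the credential, and populating ngx.ctx.authenticated_credential with `sub` mirrored into `id`) sketched as a Kong 0.x handler. This is an added example, not code from the kong-oidc project or from the commenters: `verify_oidc_session` is a hypothetical stand-in for whatever the plugin does to run the lua-resty-openidc flow and return verified ID token claims, and `rate_limit_identifier` is an approximation of how the Rate Limiting plugin of that era picked its key (it is included only to show why an unset credential falls back to the client IP). The `iss` field is an addition beyond what the thread describes: `sub` is only unique per issuer, so if more than one IdP is configured, two users could otherwise share a rate-limit bucket.

```lua
-- Added example (not kong-oidc's own code). Kong 0.x plugin handler sketch.

local BasePlugin = require "kong.plugins.base_plugin"

local OidcHandler = BasePlugin:extend()

-- Higher-priority plugins run first. Kong's built-in auth plugins use ~1000;
-- Rate Limiting runs later and reads ngx.ctx.authenticated_credential, so with
-- the default of 0 this plugin would run after it and the field would be empty.
OidcHandler.PRIORITY = 1000

function OidcHandler:new()
  OidcHandler.super.new(self, "oidc")
end

-- Build the table other Kong plugins expect. Kong's own auth plugins always
-- set `id`; Rate Limiting keys on authenticated_credential.id when
-- limit_by=credential, hence the copy of `sub` into `id`.
-- Only call this with claims whose signature/issuer/audience were verified:
-- whatever ends up here is trusted by every downstream plugin as-is.
local function credential_from_claims(claims)
  if type(claims) ~= "table" or type(claims.sub) ~= "string" or claims.sub == "" then
    return nil
  end
  return {
    id  = claims.sub,   -- key used by Rate Limiting (limit_by=credential)
    sub = claims.sub,
    iss = claims.iss,   -- assumption: kept so two IdPs reusing a sub stay distinct
  }
end

-- Approximation (assumption) of the Rate Limiting plugin's identifier choice,
-- to show the fallback the issue reports: no credential -> client IP.
local function rate_limit_identifier(ctx, remote_addr, limit_by)
  local identifier
  if limit_by == "consumer" then
    identifier = ctx.authenticated_consumer and ctx.authenticated_consumer.id
    if not identifier and ctx.authenticated_credential then
      identifier = ctx.authenticated_credential.id
    end
  elseif limit_by == "credential" then
    identifier = ctx.authenticated_credential and ctx.authenticated_credential.id
  end
  return identifier or remote_addr
end

function OidcHandler:access(conf)
  OidcHandler.super.access(self)

  -- Hypothetical helper: runs the OIDC authentication for this request and
  -- returns the verified ID token claims, or nil plus an error.
  local claims, err = verify_oidc_session(conf)
  if err or not claims then
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end

  local cred = credential_from_claims(claims)
  if not cred then
    -- A token without a usable `sub` must not be treated as authenticated.
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end
  ngx.ctx.authenticated_credential = cred
end

-- Illustration of the two outcomes (constructed inputs):
-- before the fix ctx is empty, so limit_by=credential degrades to the IP;
-- after the fix the bucket is keyed on the user's `sub`.
local before = rate_limit_identifier({}, "203.0.113.5", "credential")
-- before == "203.0.113.5"
local after = rate_limit_identifier(
  { authenticated_credential = credential_from_claims({ sub = "user-42", iss = "https://idp.example" }) },
  "203.0.113.5", "credential")
-- after == "user-42"

return OidcHandler
```

One check worth doing after applying such a change is to send two requests from the same IP with ID tokens for different subjects and confirm that the X-RateLimit-Remaining counters move independently; if they do not, either the priority is still lower than Rate Limiting's or the credential is set after the access phase in which Rate Limiting reads it.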

thspinto pushed a commit to thspinto/kong-oidc that referenced this issue Feb 16, 2021
Starefossen pushed a commit to Starefossen/kong-oidc that referenced this issue Feb 17, 2021
Bearer JWT verify, auth/acl chaining, group/credential handling fixes