feat: As a user, I want openid-connect to support a post check, so that I can do authz based on the token #9735

Closed
wenerme opened this issue Jun 27, 2023 · 7 comments
wenerme (Contributor) commented Jun 27, 2023

Description

As a user, I want openid-connect to support a post check, so that I can do authz based on the token.

  • authz-keycloak is complicated and doesn't support some features (e.g. checking groups).
  • openid-connect is easy to set up.

I hope I can post-check the token to do authz, e.g.

post_check: |
  return function(access_token, id_token, userinfo, conf, ctx)
    -- check that access_token.groups contains something
    return 401, '{}'
  end
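As an added illustration of the requested hook (this is not code from the issue author or from APISIX): a Lua post-check that allows a request only when the decoded access token carries every group named in the config, and rejects it otherwise. The hook signature `(access_token, id_token, userinfo, conf, ctx)` follows the sketch above; the `required_groups` config key, the convention that returning nil lets the request continue, and the assumption that `access_token` arrives as an already-verified, decoded claims table are all assumptions of this example, not an APISIX API.

```lua
-- Added example, not part of the issue or of APISIX. Assumptions:
--  * access_token is a decoded claims table that the plugin has already
--    verified (signature, expiry); the hook only decides authorization.
--  * conf.required_groups is a list of group names (hypothetical key).
--  * returning nil continues the request; returning (status, body) stops it.

local function has_group(groups, wanted)
  -- `groups` is the decoded claim; anything but a table means "no groups"
  if type(groups) ~= "table" then
    return false
  end
  for _, g in ipairs(groups) do
    if g == wanted then
      return true
    end
  end
  return false
end

local function post_check(access_token, id_token, userinfo, conf, ctx)
  if type(access_token) ~= "table" then
    -- no usable token at all: authentication problem, so 401
    return 401, '{"error":"missing access token"}'
  end
  for _, wanted in ipairs(conf.required_groups or {}) do
    if not has_group(access_token.groups, wanted) then
      -- token is valid but lacks the group: authorization problem, so 403
      return 403, '{"error":"group ' .. wanted .. ' required"}'
    end
  end
  return nil
end

-- Constructed sample input: decoded claims, not a real token.
local sample_claims = { sub = "user-1", groups = { "developers", "staff" } }

print(post_check(sample_claims, nil, nil, { required_groups = { "developers" } }, {}))
print(post_check(sample_claims, nil, nil, { required_groups = { "admins" } }, {}))
print(post_check(nil, nil, nil, { required_groups = { "developers" } }, {}))
```

The distinction between 401 (no valid token) and 403 (valid token, insufficient groups) is deliberate: it keeps authentication failures and authorization failures separable in access logs, which is what you want when debugging a group-based policy.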
wenerme (Contributor, Author) commented Jun 27, 2023

xref #8772

Revolyssup (Contributor) commented:

@wenerme Similar to #8772, you want to further restrict access by matching claims, right?

Revolyssup (Contributor) commented:

@lingsamuel Assign this to me

wenerme (Contributor, Author) commented Jun 28, 2023

@Revolyssup yes, but I am trying to use OPA now; OPA can work with OIDC and can share with other context. If APISIX doesn't want to handle random scripts, it can tell other users to use OPA too. I searched the issues, and there are a few related to this post check; allowing a script to be passed is the only way to match all these requests.

Revolyssup (Contributor) commented:

> @Revolyssup yes, but I am trying to use OPA now; OPA can work with OIDC and can share with other context. If APISIX doesn't want to handle random scripts, it can tell other users to use OPA too. I searched the issues, and there are a few related to this post check; allowing a script to be passed is the only way to match all these requests.

If OPA solved your use case, we can close this issue and continue tracking #8772

@moonming moonming moved this from 📋 Backlog to 🏗 In progress in Apache APISIX backlog Jun 28, 2023
Revolyssup (Contributor) commented:

@wenerme Any updates here?

wenerme (Contributor, Author) commented Jul 27, 2023

@Revolyssup ok to close this.

@wenerme wenerme closed this as completed Jul 27, 2023
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Apache APISIX backlog Jul 27, 2023