feat: add "valid_issuers" field in openidc plugin

Revolyssup · Revolyssup · commit 0208ad14dbab · 2025-02-27T13:49:19.000+05:30
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
@@ -275,7 +275,14 @@ local schema = {
             items = {
                 type = "string"
             }
-        }
+        },
+        valid_issuers = {
+            description = "Whitelist the vetted issuers of the jwt",
+            type = "array",
+            items = {
+                type = "string"
+            }
+        },
     },
     encrypt_fields = {"client_secret", "client_rsa_private_key"},
     required = {"client_id", "client_secret", "discovery"}
@@ -384,8 +391,22 @@ local function introspect(ctx, conf)
         --  It is inefficient that we also need to extract it (just from headers)
         --  so we can add it in the configured header. Find a way to use openidc
         --  module's internal methods to extract the token.
-        local res, err = openidc.bearer_jwt_verify(conf)
-
+        local valid_issuers
+        local opts = {}
+        if conf.valid_issuers then
+            valid_issuers = conf.valid_issuers
+        else
+            local discovery, discovery_err = openidc.get_discovery_doc(conf)
+            if discovery_err then
+                core.log.warn("OIDC access discovery url failed : ", discovery_err)
+            else
+                valid_issuers = {discovery.issuer}
+            end
+        end
+        if valid_issuers then
+            opts.valid_issuers = valid_issuers
+        end
+        local res, err = openidc.bearer_jwt_verify(conf, opts)
         if err then
             -- Error while validating or token invalid.
             ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. conf.realm ..
diff --git a/t/plugin/openid-connect7.t b/t/plugin/openid-connect7.t
@@ -0,0 +1,175 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+log_level('debug');
+repeat_each(1);
+no_long_string();
+no_root_location();
+# no_shuffle();
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+        $block->set_value("no_error_log", "[error]");
+    }
+
+    if (!defined $block->request) {
+        $block->set_value("request", "GET /t");
+    }
+		my $http_config = $block->http_config // <<_EOC_;
+
+    server {
+        listen 8089;
+
+        location /realms/University/.well-known/openid-configuration {
+            content_by_lua_block {
+                ngx.say("{
+  "issuer": "https://securetoken.google.com/test-firebase-project",
+  "jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken\@system.gserviceaccount.com",
+  "response_types_supported": [
+    "id_token"
+  ],
+  "subject_types_supported": [
+    "public"
+  ],
+  "id_token_signing_alg_values_supported": [
+    "RS256"
+  ]
+}")
+            }
+        }
+    }
+_EOC_
+
+    $block->set_value("http_config", $http_config);
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: Check configuration of cookie
+--- config
+    location /t {
+        content_by_lua_block {
+            local test_cases = {
+                {
+                    client_id = "course_management",
+                    client_secret = "tbsmDOpsHwdgIqYl2NltGRTKzjIzvEmT",
+                    discovery = "http://127.0.0.1:8089/realms/University/.well-known/openid-configuration",
+                    session = {
+                        secret = "6S8IO+Pydgb33LIor8T9ClER0T/sglFAjClFeAF3RsY=",
+                        cookie = {
+                            lifetime = 86400
+                        }
+                    }
+                },
+            }
+            local plugin = require("apisix.plugins.openid-connect")
+            for _, case in ipairs(test_cases) do
+                local ok, err = plugin.check_schema(case)
+                ngx.say(ok and "done" or err)
+            end
+        }
+    }
+--- response_body
+done
+
+
+
+=== TEST 2: Set up new route with wrong valid_issuers
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "openid-connect": {
+                                "client_id": "dummy",
+                                "client_secret": "dummy",
+                                "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
+                                "ssl_verify": true,
+                                "timeout": 10,
+                                "bearer_only": true,
+                                "use_jwks": true,
+																"valid_issuers": 123
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/*"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- error_code: 400
+--- response_body eval
+qr/\{"error_msg":"failed to check the configuration of plugin openid-connect err: property \\"valid_issuers\\" validation failed.*"\}/
+
+
+
+=== TEST 3: Set up new route with valid valid_issuers
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "openid-connect": {
+                                "client_id": "dummy",
+                                "client_secret": "dummy",
+                                "discovery": "http://127.0.0.1:8080/realms/University/.well-known/openid-configuration",
+                                "ssl_verify": true,
+                                "timeout": 10,
+                                "bearer_only": true,
+                                "use_jwks": true,
+																"valid_issuers": ["https://securetoken.google.com/test-firebase-project"]
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/*"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
