How to best handle oidc providers that do not support introspection endpoints?

[fbartels]

Hi,

I an trying to configure openid auth for a RestAPI and we are using https://github.com/libregraph/lico as the oidc provider. Currently lico does not support introspection endpoints, so before starting to implement it I looked at it together with a developer and found that

apisix/apisix/plugins/openid-connect.lua

Line 182 in 042ce5c

if conf.public_key then

is the culprit for us.

I am configuring the route in the following way:

curl "http://127.0.0.1:9080/apisix/admin/routes/1" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PUT -d '
{
  "uri": "/api/v1/*",
  "name": "Manage API",
  "plugins": {
    "openid-connect": {
      "client_id": "manage-api",
      "client_secret": "unconfigured",
      "discovery": "https://our-backend.local/.well-known/openid-configuration",
      "access_token_in_authorization_header": true,
      "bearer_only": true,
      "use_jwks": true
    }
  },
  "upstream_id": "1"
}'

Tracing the lua script showed that the function in

apisix/apisix/plugins/openid-connect.lua

Lines 182 to 214 in 042ce5c

	if conf.public_key then
	-- Validate token against public key.
	-- TODO: In the called method, the openidc module will try to extract
	-- the token by itself again -- from a request header or session cookie.
	-- It is inefficient that we also need to extract it (just from headers)
	-- so we can add it in the configured header. Find a way to use openidc
	-- module's internal methods to extract the token.
	local res, err = openidc.bearer_jwt_verify(conf)
	if err then
	-- Error while validating or token invalid.
	ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. conf.realm ..
	'", error="invalid_token", error_description="' .. err .. '"'
	return ngx.HTTP_UNAUTHORIZED, err, nil, nil
	end
	-- Token successfully validated.
	return res, err, token, nil
	else
	-- Validate token against introspection endpoint.
	-- TODO: Same as above for public key validation.
	local res, err = openidc.introspect(conf)
	if err then
	ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. conf.realm ..
	'", error="invalid_token", error_description="' .. err .. '"'
	return ngx.HTTP_UNAUTHORIZED, err, nil, nil
	end
	-- Token successfully validated and response from the introspection
	-- endpoint contains the userinfo.
	return res, err, token, res
	end

is setting the right headers for us, but we did not want to specify the public key in the config. Looking at the upstream library our jwks document should provide enough information to make the login succeed to we extended the if clause like this if conf.use_jwks or conf.public_key then along with setting "use_jwks": true in our route configuration. This made the login succeed for us.

The question is now:

• do you see a better way to handle this, or should I open a pull request with our modification?

I am not the biggest developer myself and hope that I have made my case clear enough. If not please let me know.

[juzhiyuan]

Hi @tzssangglass, could you please have a look at this question? 😄

[tzssangglass]

I don't know much about the openid-connect plugin process, do you need to verify the validity of the JWT in APISIX?

[tzssangglass]

may help you this:#2347 (comment)?

[fbartels]

No, not exactly. We can validate our token based on the https://our-deployment.local/konnect/v1/jwks.json and don't need to have an introspection endpoint or hardcode the public key within the configuration. The upstream library supports this use case, but the way I understood our developer this is currently not exposed through the apisix plugin (hence the small modification that I showed in my opening post).

[tzssangglass]

well, I studied about jwks, then I may got it. I think this is a feature for the opened-connect plugin. PR is welcome!