THREESCALE-10591 token introspection field removed #1438
return ngx.exit(ngx.status) | ||
if introspect_token(self, access_token).active == true then | ||
-- access granted | ||
return | ||
end |
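Review bot: `introspect_token(self, access_token).active` indexes the call's return value directly, so if `introspect_token` can return nil (for example when no introspection URL is configured, the case this thread is discussing), the `.active` lookup raises a Lua error instead of falling through to the 403 path. Suggest binding the result first and guarding the comparison: `local result = introspect_token(self, access_token)` followed by `if result and result.active == true then`, so a missing or failed introspection denies the request rather than erroring.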
Can we also output an error when `self.introspection_url` is nil? So in case `self.introspection_url` is nil, then at least we know what happened just by checking the log instead of guessing why APIcast returned 403 (`context.service.error auth_failed`).
Added 👍

Log level is WARN, as I consider this an edge case. When the introspection policy is added, the endpoint should be available.
Hm, adding the log line here might be misleading: if `self.introspection_url` is valid but `introspect_token(self, access_token).active == false`, then it will first log the `token introspection for the token..` line and then output `token introspection cannot be performed....`. Perhaps wrap it in the `else` statement?
Good catch! Fixed
1a0be6a to ed8ba2a
LGTM!
What

Fix https://issues.redhat.com/browse/THREESCALE-10591

From RH-SSO 7.5 doc

The implementation is backward compatible with OIDC configuration services returning the deprecated `token_introspection_endpoint`. When both `token_introspection_endpoint` and `introspection_endpoint` fields are in the response of the OIDC configuration service, the latter takes preference as it is the one defined by RFC-8414.

[BREAKING CHANGE] When the introspection URL is not found for whatever reason, the request is rejected with `403 Forbidden`. Before this change, the request was allowed by the introspection policy. IMO, if the introspection policy is added to the chain, it is expected that the token is inspected. If checking the token is not done because the URL is missing, the request is rejected.

There were some tests that were passing (IMO unexpectedly) because of this issue. I have fixed them as well.

- `use_3scale_oidc_issuer_endpoint` auth type (they were never implemented)
- `use_3scale_oidc_issuer_endpoint` auth type.

Verification Steps
- `basic`, clients and users
- `introspection_endpoint` (realm
- And the `token_introspection_endpoint` is gone
- `basic` and deployment type as `APIcast self-managed`
- `App01` for product A. That will generate `Client ID` and `Client Secret`.
- `GET /foo`
- `auth_type` set to `use_3scale_oidc_issuer_endpoint`
- `basic` using client credentials from the application `App01`
- The response should be `HTTP/1.1 200 OK`
- Go to the Red Hat Single Sign-On admin application, and revoke the session (token) from the user menu. It's `Log out` in the RH SSO site. Try to be fast so the token does not expire.
- Run the same request, it should get `403 Forbidden`.
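The two behaviours the description above states, preferring the RFC 8414 `introspection_endpoint` over the deprecated `token_introspection_endpoint` and rejecting the request with 403 when no introspection URL can be resolved, are easy to get subtly wrong (fail-open on a missing URL, or a log line emitted on the wrong branch, as the review thread points out). The following is an added example written for this page in Python; it is not APIcast's own code, which is Lua, and the discovery documents, token values and `fake_introspect` stand-in are constructed for the example.

```python
"""Added example (not APIcast code): resolve the OIDC introspection endpoint
the way the PR description states, then fail closed when it is missing."""
import logging
from typing import Any, Callable, Dict, Optional, Tuple

logger = logging.getLogger("introspection_policy")

# Field names carried by the OIDC discovery document (/.well-known/openid-configuration).
DEPRECATED_KEY = "token_introspection_endpoint"  # pre-RFC 8414 field still sent by older RH-SSO
RFC8414_KEY = "introspection_endpoint"           # field defined by RFC 8414


def resolve_introspection_url(oidc_config: Dict[str, Any]) -> Optional[str]:
    """Prefer the RFC 8414 field; fall back to the deprecated one; None if neither is set."""
    rfc_url = oidc_config.get(RFC8414_KEY)
    if rfc_url:
        return rfc_url
    legacy_url = oidc_config.get(DEPRECATED_KEY)
    return legacy_url or None


# Signature of the network call that POSTs the token to the introspection endpoint.
Introspector = Callable[[str, str], Optional[Dict[str, Any]]]


def authorize(introspection_url: Optional[str], access_token: str,
              introspect: Introspector) -> Tuple[int, str]:
    """Policy decision: (HTTP status, reason).

    Fails closed: no URL -> 403 (logged at WARN, only on this branch so the
    message cannot follow a real introspection result); inactive token, or a
    failed/missing introspection response -> 403 auth_failed.
    """
    if not introspection_url:
        logger.warning("token introspection cannot be performed: introspection URL is missing")
        return 403, "introspection_url_missing"
    result = introspect(introspection_url, access_token)
    # Guard the result before indexing it; a transport failure yields None here.
    if result is not None and result.get("active") is True:
        return 200, "access granted"
    logger.info("token introspection for the token failed: token is not active")
    return 403, "auth_failed"


# Constructed sample discovery documents (not real server output).
LEGACY_CONFIG = {
    "issuer": "https://sso.example.test/auth/realms/basic",
    "token_introspection_endpoint": "https://sso.example.test/legacy/introspect",
}
BOTH_CONFIG = {
    "issuer": "https://sso.example.test/auth/realms/basic",
    "token_introspection_endpoint": "https://sso.example.test/legacy/introspect",
    "introspection_endpoint": "https://sso.example.test/rfc8414/introspect",
}
NO_INTROSPECTION_CONFIG = {"issuer": "https://sso.example.test/auth/realms/basic"}

# Constructed stand-in for the introspection call: one token is live, everything else revoked.
ACTIVE_TOKENS = {"tok-live"}


def fake_introspect(url: str, token: str) -> Optional[Dict[str, Any]]:
    return {"active": token in ACTIVE_TOKENS}


def failed_introspect(url: str, token: str) -> Optional[Dict[str, Any]]:
    return None  # simulates a transport or decoding failure


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, cfg in [("legacy", LEGACY_CONFIG), ("both", BOTH_CONFIG), ("none", NO_INTROSPECTION_CONFIG)]:
        url = resolve_introspection_url(cfg)
        print(name, "->", url, authorize(url, "tok-live", fake_introspect))
    print("revoked ->", authorize(resolve_introspection_url(BOTH_CONFIG), "tok-revoked", fake_introspect))
```

Running it shows the RFC 8414 URL winning when both fields are present, the deprecated field still honoured on its own, and a 403 rather than a pass-through when neither is present or when the introspection call itself fails.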