[THREESCALE-10708] JWT Parser Policy #1536

Open
wants to merge 3 commits into
base: master

Conversation

tkan145
Contributor

@tkan145 tkan145 commented Feb 17, 2025

What

Fix https://issues.redhat.com/browse/THREESCALE-10708

This is mostly a rename of the oidc_authentication policy with an extra bit of logic on top to handle a potential conflict with an existing service configured with OIDC.

See #904 (comment)

Verification steps

1. Check out this branch and build a new runtime-image

   ```shell
   make runtime-image IMAGE_NAME=apicast-test
   ```
2. Move into dev-environments

   ```shell
   cd dev-environments/keycloak-env
   ```
3. Modify apicast-config.json as follows
diff --git a/dev-environments/keycloak-env/apicast-config.json b/dev-environments/keycloak-env/apicast-config.json 
index 071296cd..d5ca17ca 100644                                                                                    
--- a/dev-environments/keycloak-env/apicast-config.json                                                            
+++ b/dev-environments/keycloak-env/apicast-config.json                                                            
@@ -84,10 +84,10 @@                                                                                                
         },                                                                                                        
         "policy_chain": [                                                                                         
           {                                                                                                       
-            "name": "token_introspection",                                                                        
-            "version": "builtin",                                                                                 
+            "name": "apicast.policy.jwt_parser",                                                                  
             "configuration": {                                                                                    
-              "auth_type": "use_3scale_oidc_issuer_endpoint"                                                      
+              "issuer_endpoint": "http://keycloak:8080/realms/basic",                                             
+              "required": true                                                                                    
             }                                                                                                     
           },                                                                                                      
           {                                                                                                       
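Review bot: the replacement entry drops the `"version": "builtin"` line that `token_introspection` carried without adding one for `apicast.policy.jwt_parser`; if the version is meant to default, say so in the description, otherwise add it here. Note also that `issuer_endpoint` is plain `http://keycloak:8080/realms/basic`, which is fine for the keycloak-env dev setup but should not be copied into a production config, since whatever the policy retrieves from that issuer then travels over an unauthenticated channel.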
4. Start the gateway

   ```shell
   make gateway IMAGE_NAME=apicast-test
   ```
5. In another terminal, seed keycloak-data

   ```shell
   make keycloak-data
   ```
6. Send a request

   ```shell
   export ACCESS_TOKEN=$(make token)

   curl -v --resolve stg.example.com:8080:127.0.0.1 -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://stg.example.com:8080"
   ```
7. Check the APIcast log for the following message

   ```
   [warn] 19#19: *2 jwt_parser.lua:49: check_compatible(): jwt_parser is incompatible with OIDC authentication mode, requestID=10c3fa9952859b03221ee7085fcaa6b3, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "stg.example.com:8080"
   ```
8. Stop the gateway (CTRL-C)
9. Edit apicast-config.json
diff --git a/dev-environments/keycloak-env/apicast-config.json b/dev-environments/keycloak-env/apicast-config.json                          
index 071296cd..ec3d6532 100644                                                                                                             
--- a/dev-environments/keycloak-env/apicast-config.json                                                                                     
+++ b/dev-environments/keycloak-env/apicast-config.json                                                                                     
@@ -2,7 +2,7 @@                                                                                                                             
   "services": [                                                                                                                            
     {                                                                                                                                      
       "id": 2,                                                                                                                             
-      "backend_version": "oauth",                                                                                                          
+      "backend_version": "1",                                                                                                              
       "account_id": 2,                                                                                                                     
       "name": "API",                                                                                                                       
       "description": null,                                                                                                                 
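Review bot: flipping `backend_version` from `"oauth"` to `"1"` is what makes the later `?user_key=foo` requests meaningful, but the description never says so; state that the service is now user-key authenticated and that jwt_parser is layered on top of that check rather than replacing it, so a reader does not take the final 200 OK as the bearer token alone granting access.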
@@ -63,7 +63,7 @@                                                                                                                           
         "apicast_configuration_driven": true,                                                                                              
         "oidc_issuer_endpoint": "http://oidc-issuer-for-3scale:oidc-issuer-for-3scale-secret@keycloak:8080/realms/basic",                  
         "lock_version": 4,                                                                                                                 
-        "authentication_method": "oidc",                                                                                                   
+        "authentication_method": "1",                                                                                                      
         "oidc_issuer_type": "keycloak",                                                                                                    
         "error_headers_limits_exceeded": "text/plain; charset=us-ascii",                                                                   
         "error_status_limits_exceeded": 429,                                                                                               
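Review bot: `authentication_method` moves to `"1"`, but the `oidc_issuer_endpoint` context line two lines above still carries the `oidc-issuer-for-3scale:oidc-issuer-for-3scale-secret@` credentials and stays in the config. If `check_compatible()` keys off `authentication_method` alone this is harmless, but dropping the stale issuer entry in this same step would keep the test config from looking half-OIDC, and it is worth confirming that an embedded client secret in that URL can never be echoed into the `check_compatible()` warning text.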
@@ -84,10 +84,23 @@                                                                                                                         
         },                                                                                                                                 
         "policy_chain": [                                                                                                                  
           {                                                                                                                                
-            "name": "token_introspection",                                                                                                 
-            "version": "builtin",                                                                                                          
+            "name": "apicast.policy.jwt_parser",                                                                                           
+            "configuration": {                                                                                                             
+              "issuer_endpoint": "http://keycloak:8080/realms/basic",                                                                      
+              "required": true                                                                                                             
+            }                                                                                                                              
+          },                                                                                                                               
+          {                                                                                                                                
+            "name": "apicast.policy.jwt_claim_check",                                                                                      
             "configuration": {                                                                                                             
-              "auth_type": "use_3scale_oidc_issuer_endpoint"                                                                               
+              "rules" : [{                                                                                                                 
+                  "operations": [                                                                                                          
+                    {"op": "==", "jwt_claim": "{{realm_access.roles| first}}", "jwt_claim_type": "liquid", "value": "default-roles-basic"} 
+                  ],                                                                                                                       
+                  "combine_op": "and",                                                                                                     
+                  "methods": ["GET"],                                                                                                      
+                  "resource": "/"                                                                                                          
+              }]                                                                                                                           
             }                                                                                                                              
           },                                                                                                                               
           {                                                                                                                                
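Review bot: the `jwt_claim_check` rule only covers `GET` on `/`, and its liquid expression `{{realm_access.roles| first}}` compares against whichever role happens to come first in the array, so the check is order-dependent; the 403 expected in the next step comes from `"required": true` on jwt_parser, not from this rule. A comparison that does not depend on array order (if the policy's operators allow one), or a note that `default-roles-basic` is reliably first in the seeded realm, would make the verification less brittle.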
10. Send a request without an Authorization header. You should see 403 Forbidden

    ```shell
    curl -v --resolve stg.example.com:8080:127.0.0.1 "http://stg.example.com:8080/?user_key=foo"
    ```
11. Retrieve an access token and send another request

    ```shell
    export ACCESS_TOKEN=$(make token)

    curl -v --resolve stg.example.com:8080:127.0.0.1 -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://stg.example.com:8080/?user_key=foo"
    ```

You should now see `HTTP/1.1 200 OK`

@tkan145 tkan145 requested a review from a team as a code owner February 17, 2025 04:52
@tkan145 tkan145 force-pushed the THREESCALE-10708-jwt-parser branch 2 times, most recently from 2886431 to 642d57e Compare February 20, 2025 03:57
@tkan145 tkan145 force-pushed the THREESCALE-10708-jwt-parser branch from 642d57e to f0499f0 Compare February 23, 2025 23:41