help request: Plugin openid-connect: How to inject the enc_id_token (original ID-token) to upstream?
Description
Hello APISIX Community,
First of all, a big thank you for providing this open source API gateway solution!
Apparently there is no configuration setting with which the original ID-token can be injected into the authorization header of the upstream request.
Many modern identity providers offer a JWT as an access token (this can be set via the “access_token_in_authorization_header” setting), but in my opinion this is not the standard according to the OpenID Connect specification. The standard is still to get the JWT in the id_token.
Currently, only the validated content of the ID token can be accessed via the X-ID-Token header in the upstream request, but not the full ID-token.
In migration scenarios (the ID-token verification is moved from the services to the API gateway in a large infrastructure) or when a service is used that expects a full ID token, the ability to inject a full ID token would be required.
- Question: Did we miss a way to inject a full ID-token into the authorization header?
- Question: If not, does the community consider such a configuration option to be useful and accept a pull request for it?
Environment
- APISIX version (run `apisix version`):
```
apisix@apisix:/usr/local/apisix$ apisix version
/usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua version
3.5.0
```
- Operating system (run `uname -a`):
```
apisix@apisix:/usr/local/apisix$ uname -a
Linux apisix 5.4.0-109-generic #123-Ubuntu SMP Fri Apr 8 09:10:54 UTC 2022 x86_64 GNU/Linux
```
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
```
apisix@apisix:/usr/local/apisix$ openresty -V
nginx version: openresty/1.21.4.2
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1s 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.21.4.2.0 -DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-module-1.14.0 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-module-1.14.0/src/stream --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-module-1.14.0/src/meta --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../wasm-nginx-module-0.6.5 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../grpc-client-nginx-module-v0.4.3 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
```
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
No etcd configured due to config_provider "yaml"
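An added illustration (not part of this issue, nor APISIX or lua-resty-openidc code) of the distinction the question turns on: an upstream that receives the full ID token can re-verify its signature itself, whereas a header carrying only the decoded claims leaves it nothing to verify and forces it to trust the gateway. It assumes HS256 with a constructed shared secret (a real IdP uses RS256/ES256 with a published JWKS) and models the X-ID-Token value as base64-encoded JSON of the already-validated claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; only for this stdlib-only HS256 illustration.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Build a full ID token (header.payload.signature) as an IdP would issue it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def make_x_id_token(claims: dict) -> str:
    """Model of the X-ID-Token header: base64 of the decoded claims, no signature."""
    return base64.b64encode(json.dumps(claims).encode()).decode()


def inspect_upstream_token(value: str, key: bytes) -> str:
    """What an upstream service can establish from the header it received.

    'verified'      full token, signature and expiry check out
    'bad-signature' full token, tampered or signed with another key
    'expired'       full token, valid signature but past exp
    'claims-only'   X-ID-Token style blob: readable claims, nothing to verify
    """
    parts = value.split(".")
    if len(parts) != 3:
        json.loads(base64.b64decode(value))  # raises if not even a claims blob
        return "claims-only"
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return "bad-signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return "expired"
    return "verified"
```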