
Can you add other session configuration parameters of openid-connect?

Open illidan33 opened this issue 1 year ago • 13 comments

Description

I want to set the session expiration time, but the documentation only supports 'secret'. The document only provides the secret parameter for configuring a session. Can you add support for other session configuration parameters?

The document's URL is https://apisix.apache.org/zh/docs/apisix/plugins/openid-connect/


```json
"openid-connect": {
  "_meta": {
    "disable": false
  },
  "access_token_in_authorization_header": true,
  "refresh_session_interval": 3600,
  "scope": "",
  "session": {
    "secret": ""
  },
  "timeout": 3,
  "use_pkce": true
}
```

Openid-connect uses the lua-resty-session package, which provides session configuration. Its address is https://github.com/bungle/lua-resty-session


Environment

  • APISIX version (run apisix version): /usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua version 3.7.0
  • Operating system (run uname -a): Linux apisix-apisix-6d996f8c4f-tzjt8 4.19.91-26.6.al7.x86_64
  • OpenResty / Nginx version (run openresty -V or nginx -V): nginx version: openresty/1.21.4.2 built by gcc 10.2.1 20210110 (Debian 10.2.1-6) built with OpenSSL 1.1.1s 1 Nov 2022 (running with OpenSSL 1.1.1w 11 Sep 2023) TLS SNI support enabled configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_RUNTIME_VER=1.0.1 -DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0/src/stream 
--add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0/src/meta --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../wasm-nginx-module-0.6.5 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../grpc-client-nginx-module-v0.4.4 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
  • APISIX Dashboard version, if relevant: dashboard_version | 3.0.1

illidan33 avatar Jan 11 '24 02:01 illidan33

I thought session expiry is something one could configure on the IdP side?

kayx23 avatar Jan 11 '24 02:01 kayx23

> I thought session expiry is something one could configure on the IdP side?

The session is set by plugin openid-connect when I use APISIX. So it has nothing to do with the IdP, which does not control the session set by openid-connect.

illidan33 avatar Jan 11 '24 02:01 illidan33

@lakshya8066 @Vacant2333 Please help with this question if you can, thanks.

kayx23 avatar Jan 11 '24 22:01 kayx23

Hello @illidan33, looks like we can add this parameter to the APISIX plugin.

Vacant2333 avatar Jan 12 '24 12:01 Vacant2333

> Hello @illidan33, looks like we can add this parameter to the APISIX plugin.

@Vacant2333 Thank you! Can you add an extra field ‘rolling_timeout’?

illidan33 avatar Jan 12 '24 13:01 illidan33

> Hello @illidan33, looks like we can add this parameter to the APISIX plugin.
>
> Thank you! Can you add an extra field ‘rolling_time’?

Yes, can you help me list the parameters that we need to add to the plugin? I will check and try to do that.

Vacant2333 avatar Jan 12 '24 13:01 Vacant2333

> Hello @illidan33, looks like we can add this parameter to the APISIX plugin.
>
> Thank you! Can you add an extra field ‘rolling_time’?
>
> Yes, can you help me list the parameters that we need to add to the plugin? I will check and try to do that.

Of course.

illidan33 avatar Jan 12 '24 13:01 illidan33

> Hello @illidan33, looks like we can add this parameter to the APISIX plugin.
>
> Thank you! Can you add an extra field ‘rolling_time’?
>
> Yes, can you help me list the parameters that we need to add to the plugin? I will check and try to do that.

Of course.

@Vacant2333 The following are common session configuration fields, please add them to the plugin, thank you.

  • cookie_name
  • cookie_path
  • cookie_http_only
  • cookie_secure
  • cookie_priority
  • cookie_same_site
  • cookie_same_party
  • remember
  • remember_safety
  • remember_cookie_name
  • stale_ttl
  • idling_timeout
  • rolling_timeout
  • absolute_timeout
  • remember_rolling_timeout
  • remember_absolute_timeout

illidan33 avatar Jan 12 '24 14:01 illidan33
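
An added example (not part of this issue thread or of APISIX's code): a small linter for a candidate `session` block that uses the field names requested above. The field meanings, the rule that 0 disables a timeout, and the thresholds are assumptions of this example based on lua-resty-session's documented options; the thread does not establish which fields the plugin accepts.

```python
# Added example: audits a candidate "session" block for weak cookie/timeout settings.
# Field names are the ones requested in this issue; their semantics are assumed
# to match lua-resty-session (timeouts in seconds, 0 disables a timeout).
REQUESTED = {
    "secret", "cookie_name", "cookie_path", "cookie_http_only", "cookie_secure",
    "cookie_priority", "cookie_same_site", "cookie_same_party", "remember",
    "remember_safety", "remember_cookie_name", "stale_ttl", "idling_timeout",
    "rolling_timeout", "absolute_timeout", "remember_rolling_timeout",
    "remember_absolute_timeout",
}
TIMEOUTS = ("idling_timeout", "rolling_timeout", "absolute_timeout")
MIN_SECRET_LEN = 16  # policy threshold chosen for this example


def audit_session(session):
    """Return a sorted list of findings for one session configuration dict."""
    findings = [f"unknown field: {k}" for k in session if k not in REQUESTED]
    secure = session.get("cookie_secure") is True
    if len(session.get("secret") or "") < MIN_SECRET_LEN:
        findings.append(f"secret: shorter than {MIN_SECRET_LEN} characters")
    if not secure:
        findings.append("cookie_secure: not explicitly true")
    if session.get("cookie_http_only") is False:
        findings.append("cookie_http_only: disabled")
    if session.get("cookie_same_site") == "None" and not secure:
        findings.append("cookie_same_site: None without cookie_secure")
    active = []
    for name in TIMEOUTS:
        value = session.get(name)
        if value is None:
            continue  # unset: the library default applies, nothing to compare
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            findings.append(f"{name}: must be a non-negative integer (seconds)")
        elif value == 0:
            findings.append(f"{name}: 0 disables this timeout")
        else:
            active.append((name, value))
    # Expect idling <= rolling <= absolute among the timeouts that are enabled.
    for (n1, v1), (n2, v2) in zip(active, active[1:]):
        if v1 > v2:
            findings.append(f"{n1} ({v1}s) exceeds {n2} ({v2}s)")
    return sorted(findings)


# Constructed sample inputs (placeholder secret), not from a real deployment.
WEAK = {"secret": "", "cookie_same_site": "None", "cookie_http_only": False,
        "idling_timeout": 7200, "rolling_timeout": 3600, "absolute_timeout": 0}
HARDENED = {"secret": "x" * 32, "cookie_secure": True, "cookie_http_only": True,
            "cookie_same_site": "Lax", "idling_timeout": 900,
            "rolling_timeout": 3600, "absolute_timeout": 86400}
```
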

> Hello @illidan33, looks like we can add this parameter to the APISIX plugin.
>
> Thank you! Can you add an extra field ‘rolling_time’?
>
> Yes, can you help me list the parameters that we need to add to the plugin? I will check and try to do that.
>
> Of course.
>
> @Vacant2333 The following are common session configuration fields, please add them to the plugin, thank you.
>
>   • cookie_name
>   • cookie_path
>   • cookie_http_only
>   • cookie_secure
>   • cookie_priority
>   • cookie_same_site
>   • cookie_same_party
>   • remember
>   • remember_safety
>   • remember_cookie_name
>   • stale_ttl
>   • idling_timeout
>   • rolling_timeout
>   • absolute_timeout
>   • remember_rolling_timeout
>   • remember_absolute_timeout

OK, I will need to consider whether these are necessary, thanks!

Vacant2333 avatar Jan 12 '24 14:01 Vacant2333

@kayx23 What do you think about adding these parameters? Can you help assign this issue to me? cc @shreemaan-abhishek

Vacant2333 avatar Jan 13 '24 09:01 Vacant2333

@Vacant2333 Hi, will the update come online in the near future?

illidan33 avatar Jan 29 '24 01:01 illidan33

@illidan33 Yes, this is at the proposal stage currently, so there is no fixed date, but this task is on my plate.

Revolyssup avatar Jan 29 '24 07:01 Revolyssup

@Vacant2333 @Revolyssup Hi, I solved the issue. Can you take a look? [session configuration](https://github.com/apache/apisix/pull/10919)

illidan33 avatar Feb 06 '24 07:02 illidan33