feat: support OIDC claim validator (#8772)
Description
Fixes #8772
Checklist
- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.
Hi @beardnick, please make the test pass
Ok, I'll take a look
Hi @beardnick, do you have time to continue working on this PR?
Sorry, I've been busy the last few days. I'll continue working on it tomorrow.
@Baoyuantop I took a more detailed look at the code. It seems this PR (https://github.com/apache/apisix/pull/11987) did something similar to my PR. Do you think my PR is still necessary?
I'm not an APISIX developer but a user, so I can't say anything about the implementation details. But I am looking to your PR to have the ability to configure the plugin to only allow requests through if the user has a "roles" claim containing one or more specific roles.
The PR you are referencing seems similar but geared towards checking the 'aud' claim only, which is nice but does not cover my use case.
I will check it
Hi @beardnick, I don't see this PR as conflicting with #11987, but rather as complementary features, with #11987 providing specific audience validation (in line with the OIDC specification) and #11824 providing a more generalized validation approach. cc @bzp2010
Hi @Baoyuantop. Thank you for your help. My concern was that the APISIX team might not want to expose a flexible claim validator, like JSON Schema, to users. Since there is no design issue regarding this, I will continue working on this PR. I have updated the documentation.
Hi @Baoyuantop, it seems that the failed tests are not caused by my code. Could you please help me run them again?
Already rerun, please make sure you have merged the latest master branch
Hi @Baoyuantop, I've already merged the latest master. However, some tests still failed. Could you please help me rerun the failed tests?
@Baoyuantop Could you please help to rerun the failed tests?
Done
Please review this PR again.
@Baoyuantop Please review this PR again.
@Baoyuantop Please help me rerun the failed tests.
The failed tests are not related to this PR.
@bzp2010 @nic-6443 @Revolyssup @AlinsRan cc
@bzp2010 @nic-6443 @Revolyssup @AlinsRan cc?