
feat: As a user, I want to be able to use the openid-connect plugin with a cookie instead of an authorization header

Open m-okm opened this issue 3 years ago • 1 comments

Description

As a user, I want to be able to use the openid-connect plugin with a JWT token stored in a cookie instead of the authorization header.

The actual implementation of the openid-connect plugin allows 3 ways of operation. The first one is what I need:

"The Plugin can be configured to just validate an access token that is expected to be present in a request header. In such cases, requests without a token or with an invalid token are rejected. This requires the bearer_only attribute to be set to true and either introspection_endpoint or public_key attribute to be configured. This mode of operation can be used for service-to-service communication where the requester can reasonably be expected to obtain and manage a valid token by itself."

Apart from that, my token is not in the authorization section of the header, but in the cookie section. So my feature request is to allow the usage of a token stored in a cookie. The perfect implementation would be to specify a parameter for the cookieName. If this parameter is provided, the check will use the data of the cookie.

Example: the parameter is bearer_cookie_only: string (the name of the cookie). If set, the token will be fetched from the cookie and either handed over to the introspection endpoint or validated against the public key (based on configuration).

By the way, the JWT-Auth plugin provides similar functionality, as the token can be provided as authHeader, QueryParameter, or Cookie.

see help request: https://github.com/apache/apisix/issues/7551

Thank you Oliver

m-okm avatar Jul 28 '22 08:07 m-okm

make: lua-resty-openidc can get the JWT from a cookie, ref: https://github.com/zmartzone/lua-resty-openidc/blob/b07330120ffe54dd3fbeac247726b76d0f9dc793/lib/resty/openidc.lua#L1591-L1621

We need to make the openid-connect plugin support the auth_accept_token_as option.

tzssangglass avatar Jul 29 '22 02:07 tzssangglass
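The token-source selection discussed above, as an added example that is not part of the thread and is neither APISIX nor lua-resty-openidc code. It assumes `auth_accept_token_as` takes either `header` or `cookie:<name>`; `resolve_bearer_token` and `parse_cookies` are hypothetical names, and the request headers are constructed sample input. The returned token would still go to introspection or public-key validation exactly as in header mode.

```lua
-- Added example: decide where the bearer token is read from.
-- headers: table of lower-cased header names to raw values (constructed input).

-- Split a Cookie header into name/value pairs and record duplicated names.
local function parse_cookies(cookie_header)
  local jar, dup = {}, {}
  for pair in (cookie_header or ""):gmatch("[^;]+") do
    local name, value = pair:match("^%s*([^=%s]+)%s*=%s*(.-)%s*$")
    if name then
      if jar[name] ~= nil then dup[name] = true end
      jar[name] = value
    end
  end
  return jar, dup
end

-- Returns the token, or nil plus a reason. accept_token_as is assumed to be
-- "header" (default) or "cookie:<name>".
local function resolve_bearer_token(accept_token_as, headers)
  accept_token_as = accept_token_as or "header"
  if accept_token_as == "header" then
    local h = headers["authorization"]
    if not h then return nil, "no Authorization header" end
    local scheme, token = h:match("^(%S+)%s+(%S+)$")
    if not scheme or scheme:lower() ~= "bearer" then
      return nil, "Authorization header is not a Bearer credential"
    end
    return token
  end
  local cookie_name = accept_token_as:match("^cookie:(.+)$")
  if not cookie_name then
    return nil, "unsupported auth_accept_token_as value: " .. accept_token_as
  end
  local jar, dup = parse_cookies(headers["cookie"])
  -- Reject repeats: gateway and upstream could otherwise pick different values.
  if dup[cookie_name] then
    return nil, "cookie " .. cookie_name .. " sent more than once"
  end
  local token = jar[cookie_name]
  if not token or token == "" then
    return nil, "no token in cookie " .. cookie_name
  end
  return token
end

-- Constructed sample request: token in a cookie, no Authorization header.
local req = { cookie = "theme=dark; access_token=eyJhbGciOi.constructed.sig" }
print(resolve_bearer_token("cookie:access_token", req))
print(resolve_bearer_token("header", req))
print(resolve_bearer_token("cookie:access_token",
  { cookie = "access_token=a.b.c; access_token=x.y.z" }))
```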

This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the [email protected] list. Thank you for your contributions.

github-actions[bot] avatar Jul 18 '23 10:07 github-actions[bot]

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.

github-actions[bot] avatar Aug 01 '23 10:08 github-actions[bot]

Hi, is this feature implemented already?

sandeep1699 avatar Mar 30 '24 03:03 sandeep1699