fix(key-auth): add missing www-authenticate headers #11794
Conversation
How does this behave in
Hey @bungle! When I was thinking about it I came to the conclusion that it's not necessary to handle those scenarios or it's impossible to do them, but my understanding could be wrong. Basically when it comes to Now when it comes to
Approved with a couple minor comments
Just a small change req.
@nowNick there are conflicts preventing us from merging this PR, can you check, please?
end | ||
|
||
set_consumer(consumer, credential) | ||
|
||
return true | ||
end | ||
|
||
local function set_anonymous_consumer(anonymous) |
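Review bot: the newly extracted set_anonymous_consumer(anonymous) helper begins without any comment, and because it was lifted out of KeyAuthHandler:access the surrounding code that used to make its role obvious is no longer next to it; a one-line comment stating when the caller falls back to this helper would preserve that context. Likewise, the preceding helper ends in `return true` with nothing documenting what a false or nil return means to its caller.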
Just some small refactoring - I've extracted the following functions from KeyAuthHandler:access:
set_anonymous_consumer
logical_OR_authentication
logical_AND_authentication
It is possible at least in theory, but I agree it feels like a stretch. Not part of this PR. We would need to modify all auth plugins to add/append something in context. So let's skip it for now.
The access phase of the other plugins (that come after) will not be executed if one auth plugin terminates. But they are still collected, so their
return { status = 500, message = message } | ||
end | ||
|
||
local function unauthorized(message, www_auth_content) | ||
return { status = 401, message = message, headers = { ["WWW-Authenticate"] = www_auth_content } } |
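Review bot: in unauthorized(message, www_auth_content), passing a nil www_auth_content silently yields a 401 with no WWW-Authenticate header at all, since a nil table value is simply absent, which is exactly the gap this PR sets out to close; consider asserting that the argument is non-nil (or defaulting it to the base challenge) so that a future call site cannot reintroduce a challenge-less 401. The per-call allocation of the headers table is a separate, minor concern.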
The original one had tables preallocated, this will allocate some memory on each failure. I am not sure whether the original intent was to avoid creating tables. But this is such a small thing that I am fine with this.
Approved with a comment.
When the server returns a 401 Unauthorized response it should return a WWW-Authenticate header as well, with a proper challenge. Not all key-auth 401 responses had this header. This commit also adds an option to configure the realm for the protected resource. By default it is empty, therefore it is not displayed, but it can be configured to be present in the www_authenticate header. Fix: #7772 KAG-321
Successfully created cherry-pick PR for
Summary
When Kong returns a 401 Unauthorized response it should return a WWW-Authenticate header with a proper challenge. Key auth was missing this header on some responses. This PR also adds the possibility to configure an optional parameter, realm (defaults to null).
Related PRs:
RFCs & Materials
Checklist
- changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary.
- README.md
- There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE
Full changelog
- Add WWW-Authenticate header to all key-auth 401 responses
Issue reference
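As an added illustration (not code from this PR or from Kong), the property the summary describes checked over a set of responses: every 401 must carry a well-formed WWW-Authenticate challenge, and an unset realm is omitted rather than emitted empty. The "Key" scheme name and the sample responses are assumptions constructed for the example.

```python
import re
from typing import Optional

# Simplified RFC 7235 grammar: challenge = scheme [ 1*SP auth-params ],
# auth-param = token "=" ( token / quoted-string ).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
CHALLENGE_RE = re.compile(rf"^(?P<scheme>{TOKEN})(?:\s+(?P<params>.+))?$")
PARAM_RE = re.compile(rf'({TOKEN})=(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')


def build_challenge(scheme: str, realm: Optional[str]) -> str:
    """Value for WWW-Authenticate. A None realm (the PR's default) is
    left out entirely rather than emitted as realm=""."""
    if realm is None:
        return scheme
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'{scheme} realm="{escaped}"'


def parse_challenge(value: str) -> Optional[dict]:
    """Return {"scheme", "params"} or None when the value is malformed."""
    m = CHALLENGE_RE.match(value.strip())
    if m is None:
        return None
    params = {}
    for pm in PARAM_RE.finditer(m.group("params") or ""):
        # Group 3 is a bare token; otherwise unescape the quoted-string in group 2.
        params[pm.group(1).lower()] = pm.group(3) if pm.group(3) is not None else re.sub(r"\\(.)", r"\1", pm.group(2))
    return {"scheme": m.group("scheme"), "params": params}


def audit_responses(responses):
    """List (index, problem) for every 401 whose WWW-Authenticate header
    is absent or does not parse as a challenge; other statuses are ignored."""
    problems = []
    for i, (status, headers) in enumerate(responses):
        if status != 401:
            continue
        value = {k.lower(): v for k, v in headers.items()}.get("www-authenticate")
        if value is None:
            problems.append((i, "missing WWW-Authenticate"))
        elif parse_challenge(value) is None:
            problems.append((i, "malformed challenge"))
    return problems


# Constructed sample responses as (status, headers); not captured from Kong.
SAMPLE = [
    (401, {"WWW-Authenticate": build_challenge("Key", None)}),
    (401, {"WWW-Authenticate": build_challenge("Key", 'my "api"')}),
    (401, {"Content-Type": "application/json"}),  # the pre-fix gap
    (401, {"www-authenticate": '="broken"'}),
    (200, {}),
]
```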