-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add forward-auth plugin #6037
Changes from 16 commits
98d9671
da4c5ef
8525a76
868fced
1060fcb
1a14ab1
5952350
ea6d529
24882f8
eeaf575
bf5ade0
e31e6da
4209f5a
c2257c4
7ce1bac
e9d1fa6
18db978
211c37f
8a853d3
a84ddf9
67b1a7e
a4b05d9
6c73cbd
3df3ba5
63811b5
ac3ae02
8fef52c
07eb935
4fb97f7
868fa43
01f33f2
53f736b
6c6304c
96a23ba
ba64f8f
9565348
beea582
c49890f
a83e2b9
8d11c22
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
@@ -0,0 +1,145 @@ | ||||||||||||||||||||||||||||||||||||||||
-- | ||||||||||||||||||||||||||||||||||||||||
-- Licensed to the Apache Software Foundation (ASF) under one or more | ||||||||||||||||||||||||||||||||||||||||
-- contributor license agreements. See the NOTICE file distributed with | ||||||||||||||||||||||||||||||||||||||||
-- this work for additional information regarding copyright ownership. | ||||||||||||||||||||||||||||||||||||||||
-- The ASF licenses this file to You under the Apache License, Version 2.0 | ||||||||||||||||||||||||||||||||||||||||
-- (the "License"); you may not use this file except in compliance with | ||||||||||||||||||||||||||||||||||||||||
-- the License. You may obtain a copy of the License at | ||||||||||||||||||||||||||||||||||||||||
-- | ||||||||||||||||||||||||||||||||||||||||
-- http://www.apache.org/licenses/LICENSE-2.0 | ||||||||||||||||||||||||||||||||||||||||
-- | ||||||||||||||||||||||||||||||||||||||||
-- Unless required by applicable law or agreed to in writing, software | ||||||||||||||||||||||||||||||||||||||||
-- distributed under the License is distributed on an "AS IS" BASIS, | ||||||||||||||||||||||||||||||||||||||||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||||||||||||||||||||||||||||||||||||||
-- See the License for the specific language governing permissions and | ||||||||||||||||||||||||||||||||||||||||
-- limitations under the License. | ||||||||||||||||||||||||||||||||||||||||
-- | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
local ipairs = ipairs | ||||||||||||||||||||||||||||||||||||||||
local core = require("apisix.core") | ||||||||||||||||||||||||||||||||||||||||
local http = require("resty.http") | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
local schema = { | ||||||||||||||||||||||||||||||||||||||||
type = "object", | ||||||||||||||||||||||||||||||||||||||||
properties = { | ||||||||||||||||||||||||||||||||||||||||
host = {type = "string"}, | ||||||||||||||||||||||||||||||||||||||||
ssl_verify = { | ||||||||||||||||||||||||||||||||||||||||
type = "boolean", | ||||||||||||||||||||||||||||||||||||||||
default = true, | ||||||||||||||||||||||||||||||||||||||||
}, | ||||||||||||||||||||||||||||||||||||||||
request_headers = { | ||||||||||||||||||||||||||||||||||||||||
type = "array", | ||||||||||||||||||||||||||||||||||||||||
default = {}, | ||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Look like we can't support forward no headers from the client? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it's rightfully so, and that's an oversight on my part. I have reversed the meaning of |
||||||||||||||||||||||||||||||||||||||||
items = {type = "string"}, | ||||||||||||||||||||||||||||||||||||||||
description = "client request header that will be sent to the authorization" | ||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. changed |
||||||||||||||||||||||||||||||||||||||||
}, | ||||||||||||||||||||||||||||||||||||||||
upstream_headers = { | ||||||||||||||||||||||||||||||||||||||||
type = "array", | ||||||||||||||||||||||||||||||||||||||||
default = {}, | ||||||||||||||||||||||||||||||||||||||||
items = {type = "string"}, | ||||||||||||||||||||||||||||||||||||||||
description = "authorization response header that will be sent to the upstream" | ||||||||||||||||||||||||||||||||||||||||
}, | ||||||||||||||||||||||||||||||||||||||||
client_headers = { | ||||||||||||||||||||||||||||||||||||||||
type = "array", | ||||||||||||||||||||||||||||||||||||||||
default = {}, | ||||||||||||||||||||||||||||||||||||||||
items = {type = "string"}, | ||||||||||||||||||||||||||||||||||||||||
description = "authorization response header that will be sent to" | ||||||||||||||||||||||||||||||||||||||||
.. "the client when authorize failure" | ||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. changed |
||||||||||||||||||||||||||||||||||||||||
}, | ||||||||||||||||||||||||||||||||||||||||
timeout = { | ||||||||||||||||||||||||||||||||||||||||
type = "integer", | ||||||||||||||||||||||||||||||||||||||||
minimum = 1, | ||||||||||||||||||||||||||||||||||||||||
maximum = 60000, | ||||||||||||||||||||||||||||||||||||||||
default = 3000, | ||||||||||||||||||||||||||||||||||||||||
description = "timeout in milliseconds", | ||||||||||||||||||||||||||||||||||||||||
}, | ||||||||||||||||||||||||||||||||||||||||
keepalive = {type = "boolean", default = true}, | ||||||||||||||||||||||||||||||||||||||||
keepalive_timeout = {type = "integer", minimum = 1000, default = 60000}, | ||||||||||||||||||||||||||||||||||||||||
keepalive_pool = {type = "integer", minimum = 1, default = 5}, | ||||||||||||||||||||||||||||||||||||||||
}, | ||||||||||||||||||||||||||||||||||||||||
required = {"host"} | ||||||||||||||||||||||||||||||||||||||||
} | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
local _M = { | ||||||||||||||||||||||||||||||||||||||||
version = 0.1, | ||||||||||||||||||||||||||||||||||||||||
priority = 2002, | ||||||||||||||||||||||||||||||||||||||||
name = "forward-auth", | ||||||||||||||||||||||||||||||||||||||||
schema = schema, | ||||||||||||||||||||||||||||||||||||||||
} | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
function _M.check_schema(conf) | ||||||||||||||||||||||||||||||||||||||||
return core.schema.check(schema, conf) | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
function _M.access(conf, ctx) | ||||||||||||||||||||||||||||||||||||||||
local auth_headers = { | ||||||||||||||||||||||||||||||||||||||||
["X-Forwarded-Proto"] = core.request.get_scheme(ctx), | ||||||||||||||||||||||||||||||||||||||||
["X-Forwarded-Method"] = core.request.get_method(), | ||||||||||||||||||||||||||||||||||||||||
["X-Forwarded-Host"] = core.request.get_host(ctx), | ||||||||||||||||||||||||||||||||||||||||
["X-Forwarded-Uri"] = core.request.get_uri(ctx), | ||||||||||||||||||||||||||||||||||||||||
["X-Forwarded-For"] = core.request.get_remote_client_ip(ctx), | ||||||||||||||||||||||||||||||||||||||||
} | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
-- append headers that need to be get from the client request header | ||||||||||||||||||||||||||||||||||||||||
if #conf.request_headers > 0 then | ||||||||||||||||||||||||||||||||||||||||
for _, header in ipairs(conf.request_headers) do | ||||||||||||||||||||||||||||||||||||||||
auth_headers[header] = core.request.header(ctx, header) | ||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Better not trust the client's There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. fixed, because apisix/apisix/plugins/forward-auth.lua Lines 78 to 93 in 8a853d3
|
||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
else | ||||||||||||||||||||||||||||||||||||||||
auth_headers = core.table.merge(core.request.headers(), auth_headers) | ||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ditto There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Because, merge the list of defined headers into the client request header, any key headers passed in by the client are overwritten, so I implement the untrusted client header. |
||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
local params = { | ||||||||||||||||||||||||||||||||||||||||
method = "GET", | ||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should the request method be mapped to the client request method? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't think it's needed unless we provide other special features for this, the implementation in other software is the same. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In our or other forward-auth plugins, authentication-related data is sent via fixed requests, not POST data, so I think that's enough too. ping @shuaijinchao There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OK, use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Oh, I get it. Modify will be made later. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. removed |
||||||||||||||||||||||||||||||||||||||||
headers = auth_headers, | ||||||||||||||||||||||||||||||||||||||||
keepalive = conf.keepalive, | ||||||||||||||||||||||||||||||||||||||||
ssl_verify = conf.ssl_verify | ||||||||||||||||||||||||||||||||||||||||
} | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
if conf.keepalive then | ||||||||||||||||||||||||||||||||||||||||
params.keepalive_timeout = conf.keepalive_timeout | ||||||||||||||||||||||||||||||||||||||||
params.keepalive_pool = conf.keepalive_pool | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
local httpc = http.new() | ||||||||||||||||||||||||||||||||||||||||
httpc:set_timeout(conf.timeout) | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
local res, err = httpc:request_uri(conf.host, params) | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
-- block by default when authorization service is unavailable | ||||||||||||||||||||||||||||||||||||||||
if not res or err then | ||||||||||||||||||||||||||||||||||||||||
core.log.error("failed to process forward auth, err: ", err) | ||||||||||||||||||||||||||||||||||||||||
return 403 | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
Would it be better to judge this way? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't understand how to do it really right, I noticed that in other plugin implementations there are those that use apisix/apisix/plugins/authz-keycloak.lua Lines 251 to 254 in 58fec8f
apisix/apisix/plugins/serverless/generic-upstream.lua Lines 110 to 113 in 58fec8f
apisix/apisix/plugins/wolf-rbac.lua Lines 145 to 147 in 58fec8f
I hope to get your guidance. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I read through each branch of https://github.com/api7/lua-resty-http/blob/b63a9bbf2a3361836b2322e3c689d6d7fd83ec55/lib/resty/http.lua#L900, look like there are only two cases:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Referring to the way it is usually used, I will check if if err then
xxx
end There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. changed There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also, I think there needs to make a rules that developers should follow to handle error checking (at least on the http client), the mix of different usages is confusing. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Currently, we have to enforce it with code review. Maybe we can invest in linter in the future. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it should be used if res then
err
end instead of if err then
err
end this way of writing may be more suitable for languages such as the common exception function return in OpenResty is There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. changed |
||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
if res.status >= 300 then | ||||||||||||||||||||||||||||||||||||||||
local client_headers = {} | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
if #conf.client_headers > 0 then | ||||||||||||||||||||||||||||||||||||||||
for _, header in ipairs(conf.client_headers) do | ||||||||||||||||||||||||||||||||||||||||
client_headers[header] = res.headers[header] | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
else | ||||||||||||||||||||||||||||||||||||||||
for header, value in ipairs(res.headers) do | ||||||||||||||||||||||||||||||||||||||||
client_headers[header] = value | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
core.response.set_header(client_headers) | ||||||||||||||||||||||||||||||||||||||||
return res.status, res.body | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
-- append headers that need to be get from the auth response header | ||||||||||||||||||||||||||||||||||||||||
for _, header in ipairs(conf.upstream_headers) do | ||||||||||||||||||||||||||||||||||||||||
local header_value = res.headers[header] | ||||||||||||||||||||||||||||||||||||||||
if header_value then | ||||||||||||||||||||||||||||||||||||||||
core.request.set_header(ctx, header, header_value) | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
end | ||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||
return _M |
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,135 @@ | ||||||
--- | ||||||
title: forward-auth | ||||||
--- | ||||||
|
||||||
<!-- | ||||||
# | ||||||
# Licensed to the Apache Software Foundation (ASF) under one or more | ||||||
# contributor license agreements. See the NOTICE file distributed with | ||||||
# this work for additional information regarding copyright ownership. | ||||||
# The ASF licenses this file to You under the Apache License, Version 2.0 | ||||||
# (the "License"); you may not use this file except in compliance with | ||||||
# the License. You may obtain a copy of the License at | ||||||
# | ||||||
# http://www.apache.org/licenses/LICENSE-2.0 | ||||||
# | ||||||
# Unless required by applicable law or agreed to in writing, software | ||||||
# distributed under the License is distributed on an "AS IS" BASIS, | ||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||||
# See the License for the specific language governing permissions and | ||||||
# limitations under the License. | ||||||
# | ||||||
--> | ||||||
|
||||||
## Summary | ||||||
|
||||||
- [**Description**](#description) | ||||||
- [**Attributes**](#attributes) | ||||||
- [**Example**](#example) | ||||||
|
||||||
## Description | ||||||
|
||||||
The `forward-auth` plugin implement a classic external authentication model. We can implement a custom error return or user redirection to the authentication page if the authentication fails. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. changed |
||||||
|
||||||
Forward Auth cleverly moves the authentication and authorization logic to a dedicated external service, where the gateway forwards the user's request to the authentication service and blocks the original request and replaces the result when the authentication service responds with a non-20x status. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. changed |
||||||
|
||||||
## Attributes | ||||||
|
||||||
| Name | Type | Requirement | Default | Valid | Description | | ||||||
| -- | -- | -- | -- | -- | -- | | ||||||
| host | string | required | | | Authorization service host (eg. https://localhost:9188) | | ||||||
| ssl_verify | boolean | optional | true | | Whether to verify the certificate | | ||||||
| request_headers | array[string] | optional | | | `client` request header that will be sent to the `authorization` service | | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's doc the behavior when this field is empty There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. added |
||||||
| upstream_headers | array[string] | optional | | | `authorization` service response header that will be sent to the `upstream` | | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ditto There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. added |
||||||
| client_headers | array[string] | optional | | | `authorization` response header that will be sent to the `client` when authorize failure | | ||||||
| timeout | integer | optional | 3000ms | [1, 60000]ms | Authorization service HTTP call timeout | | ||||||
| keepalive | boolean | optional | true | | HTTP keepalive | | ||||||
| keepalive_timeout | integer | optional | 60000ms | [1000, ...]ms | keepalive idle timeout | | ||||||
| keepalive_pool | integer | optional | 5 | [1, ...]ms | Connection pool limit | | ||||||
|
||||||
## Example | ||||||
|
||||||
First, you need to setup an external authorization service. Here is an example of using Apache APISIX's serverless plugin to mock. | ||||||
|
||||||
```shell | ||||||
$ curl -X PUT 'http://127.0.0.1:9080/apisix/admin/routes/auth' \ | ||||||
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \ | ||||||
-H 'Content-Type: application/json' \ | ||||||
-d '{ | ||||||
"uri": "/auth", | ||||||
"plugins": { | ||||||
"serverless-pre-function": { | ||||||
"phase": "rewrite", | ||||||
"functions": [ | ||||||
"return function (conf, ctx) local core = require(\"apisix.core\"); local authorization = core.request.header(ctx, \"Authorization\"); if authorization == \"123\" then core.response.exit(200); elseif authorization == \"321\" then core.response.set_header(\"X-User-ID\", \"i-am-user\"); core.response.exit(200); else core.response.set_header(\"Location\", \"http://example.com/auth\"); core.response.exit(403); end end" | ||||||
] | ||||||
} | ||||||
}, | ||||||
"upstream": { | ||||||
"nodes": {}, | ||||||
"scheme": "https", | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's remove useless field There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. removed |
||||||
"type": "roundrobin" | ||||||
} | ||||||
}' | ||||||
``` | ||||||
|
||||||
Next, we create a route for testing. | ||||||
|
||||||
```shell | ||||||
$ curl -X PUT http://127.0.0.1:9080/apisix/admin/routes/1 | ||||||
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' | ||||||
-d '{ | ||||||
"uri": "/headers", | ||||||
"plugins": { | ||||||
"forward-auth": { | ||||||
"host": "http://127.0.0.1:9080/auth", | ||||||
"request_headers": ["Authorization"], | ||||||
"upstream_headers": ["X-User-ID"], | ||||||
"client_headers": ["Location"] | ||||||
} | ||||||
}, | ||||||
"upstream": { | ||||||
"nodes": { | ||||||
"httpbin.org:80": 1 | ||||||
}, | ||||||
"type": "roundrobin" | ||||||
} | ||||||
}' | ||||||
``` | ||||||
|
||||||
We can perform the following three tests. | ||||||
|
||||||
1. **request_headers** Send Authorization header from `client` to `authorization` service | ||||||
|
||||||
```shell | ||||||
$ curl http://127.0.0.1:9080/headers -H 'Authorization: 123' | ||||||
{ | ||||||
"headers": { | ||||||
"Authorization": "123", | ||||||
"Next": "More-headers" | ||||||
} | ||||||
} | ||||||
``` | ||||||
|
||||||
2. **upstream_headers** Send `authorization` service response header to the `upstream` | ||||||
|
||||||
```shell | ||||||
$ curl http://127.0.0.1:9080/headers -H 'Authorization: 321' | ||||||
{ | ||||||
"headers": { | ||||||
"Authorization": "321", | ||||||
"X-User-ID": "i-am-user", | ||||||
"Next": "More-headers" | ||||||
} | ||||||
} | ||||||
``` | ||||||
|
||||||
3. **client_headers** Send `authorization` service response header to `client` when authorize failure | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. changed |
||||||
|
||||||
```shell | ||||||
$ curl -i http://127.0.0.1:9080/headers | ||||||
HTTP/1.1 403 Forbidden | ||||||
Location: http://example.com/auth | ||||||
``` | ||||||
|
||||||
Finally, you can disable the `forward-auth` plugin by removing it from the route. |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -83,6 +83,7 @@ basic-auth | |
jwt-auth | ||
key-auth | ||
consumer-restriction | ||
forward-auth | ||
opa | ||
authz-keycloak | ||
proxy-mirror | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should not add a common method that is only used by a place. Actually, I think we should remove the
get_path
too.It is strange that
get_path
fetches$uri
butget_uri
fetches$request_uri
. Look like it is a premature optimization that brings inconsistent names.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I should just use ctx.var.request_uri instead of wrapping it? Can I merge the functionality of
get_path
intoget_uri
and add awith_args
parameter indicating whether or not I need to carry queries.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't make thing complex!
The name of request_uri and uri already show the difference. There is no need to wrap them into a function which is rarely used. Premature optimization is the source of evil.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can remove the
get_path
in the next PR. Better to get rid of it before the release, so that people won't ask why we useget_path
in one place but usectx.var.uri
in the most elsewhere.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed, I will remove
get_path
in a later PR.