docs: update openid-connect attributes description and sync CN doc attributes. #7371

Merged
merged 7 commits into from
Jul 5, 2022
Changes from 3 commits
46 changes: 23 additions & 23 deletions docs/en/latest/plugins/openid-connect.md
Expand Up @@ -33,29 +33,29 @@ The `openid-connect` Plugin provides authentication and introspection capability

## Attributes

| Name | Type | Required | Default | Valid values | Description |
|--------------------------------------|---------|----------|-----------------------|--------------|--------------------------------------------------------------------------------------------------------------------|
| client_id | string | True | | | OAuth client ID. |
| client_secret | string | True | | | OAuth client secret. |
| discovery | string | True | | | Discovery endpoint URL of the identity server. |
| scope | string | False | "openid" | | Scope used for authentication. |
| realm | string | False | "apisix" | | Realm used for authentication. |
| bearer_only | boolean | False | false | | When set to true, the Plugin will check for if the authorization header in the request matches a bearer token. |
| logout_path | string | False | "/logout" | | Path for logging out. |
| post_logout_redirect_uri | string | False | | | URL to redirect to after logging out. |
| redirect_uri | string | False | "ngx.var.request_uri" | | URI to which the identity provider redirects back to. |
| timeout | integer | False | 3 | [1,...] | Request timeout time in seconds. |
| ssl_verify | boolean | False | false | | When set to true, verifies the identity provider's SSL certificates. |
| introspection_endpoint | string | False | | | URL of the token verification endpoint of the identity server. |
| introspection_endpoint_auth_method | string | False | "client_secret_basic" | | Authentication method name for token introspection. |
| public_key | string | False | | | Public key to verify the token. |
| use_jwks | boolean | False | | | When set to true, uses the JWKS endpoint of the identity server to verify the token. |
| token_signing_alg_values_expected | string | False | | | Algorithm used for signing the authentication token. |
| set_access_token_header | boolean | False | true | | When set to true, sets the access token in a request header. |
| access_token_in_authorization_header | boolean | False | false | | When set to true, sets the access token in the `Authorization` header. Otherwise, set the `X-Access-Token` header. |
| set_id_token_header | boolean | False | true | | When set to true and the ID token is available, sets the ID token in the `X-ID-Token` request header. |
| set_userinfo_header | boolean | False | true | | When set to true and the UserInfo object is available, sets it in the `X-Userinfo` request header. |
| set_refresh_token_header | boolean | False | false | | When set to true and a refresh token object is available, sets it in the `X-Refresh-Token` request header. |
| Name | Type | Required | Default | Valid values | Description |
|--------------------------------------|---------|----------|-----------------------|--------------|--------------------------------------------------------------------------------------------------------------------------|
| client_id | string | True | | | OAuth client ID. |
| client_secret | string | True | | | OAuth client secret. |
| discovery | string | True | | | Discovery endpoint URL of the identity server. |
| scope | string | False | "openid" | | Scope used for authentication. |
| realm | string | False | "apisix" | | Realm used for authentication. |
| bearer_only | boolean | False | false | | When set to true, the Plugin will check for if the authorization header in the request matches a bearer token. |
| logout_path | string | False | "/logout" | | Path for logging out. |
| post_logout_redirect_uri | string | False | | | URL to redirect to after logging out. |
| redirect_uri | string | False | "ngx.var.request_uri" | | URI to which the identity provider redirects back to. |
| timeout | integer | False | 3 | [1,...] | Request timeout time in seconds. |
| ssl_verify | boolean | False | false | | When set to true, verifies the identity provider's SSL certificates. |
| introspection_endpoint | string | False | | | URL of the token verification endpoint of the identity server. |
| introspection_endpoint_auth_method | string | False | | | Authentication method name for token introspection, If not specified, the default will use the first value in well_know. |
Member


I'm not clear, cc @starsz to have a check 🙏

Contributor


Ok. Let me have a check.

Contributor

@starsz starsz Jul 4, 2022


After digging into it, I found that:

  1. The default value of introspection_endpoint_auth_method is "client_secret_basic", sorry to @hf400159.
  2. And lua-resty-openidc will use another conf called "token_endpoint_auth_method". It isn't introduced in the docs, but it can work well in the "openid-connect" plugin.

The default value of "token_endpoint_auth_method" will fetch the first supported method specified by the OP.
Refer to https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L677

So in conclusion, I think we should keep the original doc, and add the new field of "token_endpoint_auth_method" to the docs.

Contributor Author


@starsz fixed. PTAL 😄

| public_key | string | False | | | Public key to verify the token. |
| use_jwks | boolean | False | | | When set to true, uses the JWKS endpoint of the identity server to verify the token. |
| token_signing_alg_values_expected | string | False | | | Algorithm used for signing the authentication token. |
| set_access_token_header | boolean | False | true | | When set to true, sets the access token in a request header. |
| access_token_in_authorization_header | boolean | False | false | | When set to true, sets the access token in the `Authorization` header. Otherwise, set the `X-Access-Token` header. |
| set_id_token_header | boolean | False | true | | When set to true and the ID token is available, sets the ID token in the `X-ID-Token` request header. |
| set_userinfo_header | boolean | False | true | | When set to true and the UserInfo object is available, sets it in the `X-Userinfo` request header. |
| set_refresh_token_header | boolean | False | false | | When set to true and a refresh token object is available, sets it in the `X-Refresh-Token` request header. |

## Modes of operation

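Review bot: the rewritten `introspection_endpoint_auth_method` row drops the documented default `"client_secret_basic"` and attributes the "first value in well_know" fallback to it, which contradicts what the thread establishes: that fallback is the default of lua-resty-openidc's separate `token_endpoint_auth_method` option, which the plugin accepts but does not document yet. Documenting the default precisely matters here because the auth method decides how the client secret is sent to the introspection endpoint, so an operator reading this row should not be told the provider's discovery document picks it. Suggest restoring the original row (`| introspection_endpoint_auth_method | string | False | "client_secret_basic" | | Authentication method name for token introspection. |`) and adding a new `token_endpoint_auth_method` row whose description states that, when unset, the first method the OpenID Provider advertises in its discovery document is used. Two wording points on the new description as written: "well_know" should read "well-known discovery document", and "token introspection, If not specified" splices two sentences with a comma; end the first clause with a period. Separately, the other 22 row pairs in this hunk differ only in column padding; leaving the table alignment alone would reduce the hunk to the one row that actually changes.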
8 changes: 5 additions & 3 deletions docs/zh/latest/plugins/openid-connect.md
Expand Up @@ -33,8 +33,8 @@ description: 本文介绍了关于 Apache APISIX `openid-connect` 插件的基

## 属性

| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 |
| ------------------------------------ | ------- | ------ | --------------------- | ------- | ---------------------------------------------------------------------------------------------------- |
| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 |
| ------------------------------------ | ------- | ------ | --------------------- | ------------- | ------------------------------------------------------------------------------------------------ |
| client_id | string | 是 | | | OAuth 客户端 ID。 |
| client_secret | string | 是 | | | OAuth 客户端 secret。 |
| discovery | string | 是 | | | 身份服务器发现端点的 URL。 |
Expand All @@ -47,13 +47,15 @@ description: 本文介绍了关于 Apache APISIX `openid-connect` 插件的基
| timeout | integer | 否 | 3 | [1,...] | 请求超时时间,单位为秒 |
| ssl_verify | boolean | 否 | false | [true, false] | 当设置为 `true` 时,验证身份提供者的 SSL 证书。 |
| introspection_endpoint | string | 否 | | | 身份服务器的令牌验证端点的 URL。 |
| introspection_endpoint_auth_method | string | 否 | "client_secret_basic" | | 令牌自省的认证方法名称。 |
| introspection_endpoint_auth_method | string | 否 | | | 令牌自省的认证方法名称,如果未指定,则默认使用 well_know 中的第一个值。 |
| public_key | string | 否 | | | 验证令牌的公钥。 |
| use_jwks | boolean | 否 | | | 当设置为 `true` 时,则会使用身份认证服务器的 JWKS 端点来验证令牌。 |
| token_signing_alg_values_expected | string | 否 | | | 用于对令牌进行签名的算法。 |
| set_access_token_header | boolean | 否 | true | [true, false] | 在请求头设置访问令牌。 |
| access_token_in_authorization_header | boolean | 否 | false | [true, false] | 当值为 `true` 时,将访问令牌设置在请求头参数 `Authorization`,否则将使用请求头参数 `X-Access-Token`。|
| set_id_token_header | boolean | 否 | true | [true, false] | 是否将 ID 令牌设置到请求头参数 `X-ID-Token`。 |
| set_userinfo_header | boolean | 否 | true | [true, false] | 是否将用户信息对象设置到请求头参数 `X-Userinfo`。 |
| set_refresh_token_header | boolean | 否 | false | | 当设置为 `true` 并且刷新令牌可用时,则会将该属性设置在`X-Refresh-Token`请求头中。 |

## 操作模式

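Review bot: the `introspection_endpoint_auth_method` row here repeats the problem flagged on the EN file: the `"client_secret_basic"` default is removed and the discovery-document fallback, which per the thread belongs to `token_endpoint_auth_method`, is attributed to it. Keep the original row and add a separate `token_endpoint_auth_method` row instead, with "well_know" corrected to the well-known discovery document. On the two rows added for sync: the `set_refresh_token_header` row leaves 有效值 empty while the neighbouring boolean rows list `[true, false]`, and its description omits the spaces around the inline code that the rest of the table uses, so it should read 则会将该属性设置在 `X-Refresh-Token` 请求头中。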