feat(openid-connect): make session_secret support configurable (apach…

…e#8068)

apisix/plugins/openid-connect.lua

@@ -14,11 +14,14 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
-local string = string
-local core = require("apisix.core")
-local ngx_re = require("ngx.re")
+
+local core    = require("apisix.core")
+local ngx_re  = require("ngx.re")
 local openidc = require("resty.openidc")
-local ngx = ngx
+local random  = require("resty.random")
+local string  = string
+local ngx     = ngx
+
 local ngx_encode_base64 = ngx.encode_base64
 
 local plugin_name = "openid-connect"
@@ -55,6 +58,18 @@ local schema = {
             type = "boolean",
             default = false,
         },
+        session = {
+            type = "object",
+            properties = {
+                secret = {
+                    type = "string",
+                    description = "the key used for the encrypt and HMAC calculation",
+                    minLength = 16,
+                },
+            },
+            required = {"secret"},
+            additionalProperties = false,
+        },
         realm = {
             type = "string",
             default = "apisix",
@@ -114,7 +129,7 @@ local schema = {
 
 
 local _M = {
-    version = 0.1,
+    version = 0.2,
     priority = 2599,
     name = plugin_name,
     schema = schema,
@@ -127,6 +142,15 @@ function _M.check_schema(conf)
         conf.ssl_verify = false
     end
 
+    if not conf.bearer_only and not conf.session then
+        core.log.warn("when bearer_only = false, " ..
+                       "you'd better complete the session configuration manually")
+        conf.session = {
+            -- generate a secret when bearer_only = false and no secret is configured
+            secret = ngx_encode_base64(random.bytes(32, true) or random.bytes(32))
+        }
+    end
+
     local ok, err = core.schema.check(schema, conf)
     if not ok then
         return false, err
@@ -309,7 +333,7 @@ function _M.rewrite(plugin_conf, ctx)
         -- provider's authorization endpoint to initiate the Relying Party flow.
         -- This code path also handles when the ID provider then redirects to
         -- the configured redirect URI after successful authentication.
-        response, err, _, session  = openidc.authenticate(conf)
+        response, err, _, session  = openidc.authenticate(conf, nil, nil, conf.session)
 
         if err then
             core.log.error("OIDC authentication failed: ", err)

docs/en/latest/plugins/openid-connect.md

@@ -58,6 +58,8 @@ description: OpenID Connect allows the client to obtain user information from th
 | set_id_token_header                  | boolean | False    | true                  |              | When set to true and the ID token is available, sets the ID token in the `X-ID-Token` request header.                    |
 | set_userinfo_header                  | boolean | False    | true                  |              | When set to true and the UserInfo object is available, sets it in the `X-Userinfo` request header.                       |
 | set_refresh_token_header             | boolean | False    | false                 |              | When set to true and a refresh token object is available, sets it in the `X-Refresh-Token` request header.               |
+| session                              | object  | False    |                       |              | When bearer_only is set to false, openid-connect will use Authorization Code flow to authenticate on the IDP, so you need to set the session-related configuration. |
+| session.secret                       | string  | True     | Automatic generation  | 16 or more characters | The key used for session encrypt and HMAC operation. |
 
 ## Scenarios
 
@@ -71,7 +73,7 @@ This plugin offers two scenorios:
 
 1. Authentication between Services: Set `bearer_only` to `true` and configure the `introspection_endpoint` or `public_key` attribute. In this scenario, APISIX will reject requests without a token or invalid token in the request header.
 
-2. Authentication between Browser and Identity Providers: Set `bearer_only` to `false.` After successful authentication, this plugin can obtain and manage the token in the cookie, and subsequent requests will use the token.
+2. Authentication between Browser and Identity Providers: Set `bearer_only` to `false.` After successful authentication, this plugin can obtain and manage the token in the cookie, and subsequent requests will use the token. In this mode, the user session will be stored in the browser as a cookie and this data is encrypted, so you have to set a key for encryption via `session.secret`.
 
 ### Token introspection
 

docs/zh/latest/plugins/openid-connect.md

@@ -58,6 +58,8 @@ description: OpenID Connect（OIDC）是基于 OAuth 2.0 的身份认证协议
 | set_id_token_header                  | boolean | 否     | true                  | [true, false] | 是否将 ID 令牌设置到请求头参数 `X-ID-Token`。                                                       |
 | set_userinfo_header                  | boolean | 否     | true                  | [true, false] | 是否将用户信息对象设置到请求头参数 `X-Userinfo`。                                                    |
 | set_refresh_token_header             | boolean | 否     | false                 |               | 当设置为 `true` 并且刷新令牌可用时，则会将该属性设置在`X-Refresh-Token`请求头中。                      |
+| session                              | object  | 否     |                       |               | 当设置 bearer_only 为 false 时，openid-connect 插件将使用 Authorization Code 在 IDP 上进行认证，因此你必须设置 session 相关设置。 |
+| session.secret                       | string  | 是     | 自动生成               | 16 个以上字符  | 用于 session 加密和 HMAC 计算的密钥。 |
 
 ## 使用场景
 
@@ -71,7 +73,7 @@ description: OpenID Connect（OIDC）是基于 OAuth 2.0 的身份认证协议
 
 1. 应用之间认证授权：将 `bearer_only` 设置为 `true`，并配置 `introspection_endpoint` 或 `public_key` 属性。该场景下，请求头（Header）中没有令牌或无效令牌的请求将被拒绝。
 
-2. 浏览器中认证授权：将 `bearer_only` 设置为 `false`。认证成功后，该插件可获得并管理 Cookie 中的令牌，后续请求将使用该令牌。
+2. 浏览器中认证授权：将 `bearer_only` 设置为 `false`。认证成功后，该插件可获得并管理 Cookie 中的令牌，后续请求将使用该令牌。在这种模式中，用户会话将作为 Cookie 存储在浏览器中，这些数据是加密的，因此你必须通过 `session.secret` 设置一个密钥用于加密。
 
 ### 令牌内省