feat: add support for password grant in authz-keycloak plugin

[azilentech]

Support of password grant type for token generation (#6574)

Committing changes after adding new feature for generating token based on user id/password and also taking support of grant type password

feat: #6574

Pre-submission checklist:

• Did you explain what problem does this PR solve? Or what new features have been added?
• Have you added corresponding test cases?
• Have you modified the corresponding document?
• Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

[soulbird]

you should sing the CLA first

[soulbird]

Missing unit tests

[azilentech]

Hi,

I will need little guidance for the CLA signing process from your side.

In PR, I have made the following changes.

• Added test cases. As these test cases require keycloak installation, I tested with my local environment by adjusting parameters and configuration settings. Please let me know If I need to perform further steps.
• I updated code by using better configuration setting "password_grant_token_generation_incoming_uri" instead of using "token_generation_endpoint" which can be confusing with "token_endpoint".
• I updated the documentation by following contribution guidelines.
• I also ran "make lint" and followed all the suggestions.

Please let me know the next actions for me.

[spacewander]

I will need little guidance for the CLA signing process from your side.

There is no CLA file for APISIX :)

Added test cases. As these test cases require keycloak installation, I tested with my local environment by adjusting parameters and configuration settings. Please let me know If I need to perform further steps.

As the keycloak environment is set up by @sshniro,
@sshniro
Could you provide some help for @azilentech to test this feature? Thanks!

[niketrk]

@sshniro

I checked the logs of above test runs.
error is: "status=401, body={"error":"invalid_grant","error_description":"Invalid user credentials"}"

I have used following settings in my test scenario:
"client_id": "course_management"
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5"
username = "teacher@gmail.com"
password = "123456"
grant_type = "password"

I took the above settings from other Keycloak test cases.
I am doubting that these settings are not proper for the test Keycloak instance. In my local environment, I put my Keycloak settings and then run test scenario via
TEST_NGINX_BINARY=/usr/local/bin/openresty prove -Itest-nginx/lib -r t/plugin/authz-keycloak.t

And it worked properly.

---

Another issue is reported as: "ERROR: apisix/plugins/authz-keycloak.lua: line 719: getting the Lua global "string""

For which I made fix "local str_find = string.find", so it should be fixed now.

[starsz]

Why should we use warn level ?

[azilentech]

Agree... it should be debug level log. I changed it.

[starsz]

You can use core.request.get_body() instead.

[azilentech]

Done. I changed it.

[starsz]

Suggested change

	return res.status, res.body
	return res.status, res.body

[azilentech]

Done.

[starsz]

Use and would be better.

[azilentech]

Good Suggestion and changed it to use and for all three conditions.

[starsz]

Why the username, password in the request body and use & to concat.

[azilentech]

As url encoded parameters were coming, they were automatically appended using '&'. Having said that, your comment helped me to utilize "ngx.decode_args" which makes code much cleaner. Thanks!

[sshniro]

scenario

Hi, are you getting the same error when you run the docker image instance (sshniro/keycloak-apisix:latest) locally?

[azilentech]

@sshniro
I didn't test that way earlier, but just now, I did that and it is working. Also when I see the above checks, that test case is starting to pass now.

I have got the idea what things might cause that. Earlier I was using '&' to split the incoming parameters. but now I am using "ngx.decode_args" ( #6586 (comment) ).

Because of that earlier, username (which is email) wouldn't parse properly.
That should be the root cause of the same.

[starsz]

ctx.curr_req_matched["_method"]:upper() looks strange.
I think you can use core.req.get_method instead.

[starsz]

redundant line ?

[starsz]

Suggested change

	If you want to generate a token using `password` grant, you can set value of `password_grant_token_generation_incoming_uri`.
	If you want to generate a token using `password` grant, you can set the value of `password_grant_token_generation_incoming_uri`.

[starsz]

Suggested change

	Incoming request URI will be matched with this value and if matched, it will generate token using `Token Endpoint`.
	Incoming request URI will be matched with this value and if matched, it will generate a token using `Token Endpoint`.

[starsz]

Suggested change

	It will also check, if REST method is `POST`.
	It will also check if the request method is `POST`.

[spacewander]

Suggested change

	body = ngx.encode_args({
	body = ngx.encode_args({

[azilentech]

done and also incorporated this in the same file at other places.

[spacewander]

Suggested change

	return 500, err
	return 503, err

New feature is encouraged to avoid 500

[azilentech]

Valid point. I updated it. I didn't update at other places because there can be backward compatibility issues and there should be separate PR for the same.

[spacewander]

We should also check the "Content-Type"?

[azilentech]

Yes. it was missed. I introduced that now.

[spacewander]

Is it required to compare case-insensitive?
Also, the var.request_uri will contain ?argument=part, is it desirable?

[azilentech]

URL should be case sensitive so removed that "upper" from code.
For the part of request_uri, I believe, as we are checking uri, method, and header, all three parts, this should be fine.
Basically for the operation of token generation, exact uri matching will be helpful.
Your thoughts?

[spacewander]

The request_uri will contain the query string part of the uri. For example,
With request /path?query=string
The ngx.var.request_uri will return /path?query=string, and ctx.var.uri will return /path. By looking at the doc of password_grant_token_generation_incoming_uri, I guess we can use ctx.var.uri so both /path?query=string and /path can match.

[azilentech]

@spacewander I understood your idea. I am curious, as to why we should treat both strings (/path?query=string or /path) the same way and proceed with token generation.

Token generation is a very specific use case, and shouldn't we say if and only if a specific URL will be submitted then we will generate token and submit result back.

if the request is made with /path?query=string, it shouldn't be assumed for token generation and it should be treated the same as any other request. (e.g. proceed to forward to upstream for further processing).

Please share your view. Accordingly, I can make changes, if needed.

[spacewander]

We need to remove the echo response data as #6545

[azilentech]

Alright. I removed it from this new test case.

[spacewander]

Approved except #6586 (comment)

[spacewander]

Suggested change

	ngx.var.request_uri == conf.password_grant_token_generation_incoming_uri and
	ctx.var.request_uri == conf.password_grant_token_generation_incoming_uri and

would be better, which provides a cache of the var.

[azilentech]

Done. Made the change.

[lijing-21]

Hi @azilentech , thank you for your contribution!

Here is the Contributor T-shirt form[1], if you're interested, kindly take a look :)

[1] https://github.com/apache/apisix/blob/master/CONTRIBUTING.md#contributor-t-shirt