Can you add other session configuration parameters of openid-connect?

illidan33 commented 8 months ago

Description

I want to set the session expiration time, but the documentation only supports 'secret'. The document only provides the secret parameter for configuring a session. Can you add support for other session configuration parameters.

The document's url is https://apisix.apache.org/zh/docs/apisix/plugins/openid-connect/

"openid-connect": { "_meta": { "disable": false }, "access_token_in_authorization_header": true, "refresh_session_interval": 3600, "scope": "", "session": { "secret": "" }, "timeout": 3, "use_pkce": true }

Openid-connect uses the lua-resty-sesseion package, which provides session configuration. Its address is https://github.com/bungle/lua-resty-session

Environment

APISIX version (run apisix version): /usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua version 3.7.0
Operating system (run uname -a): Linux apisix-apisix-6d996f8c4f-tzjt8 4.19.91-26.6.al7.x86_64
OpenResty / Nginx version (run openresty -V or nginx -V): nginx version: openresty/1.21.4.2 built by gcc 10.2.1 20210110 (Debian 10.2.1-6) built with OpenSSL 1.1.1s 1 Nov 2022 (running with OpenSSL 1.1.1w 11 Sep 2023) TLS SNI support enabled configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_RUNTIME_VER=1.0.1 -DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0/src/stream --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../apisix-nginx-module-1.15.0/src/meta --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../wasm-nginx-module-0.6.5 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.gLDkH7DPEH/openresty-1.21.4.2/../grpc-client-nginx-module-v0.4.4 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
APISIX Dashboard version, if relevant: dashboard_version | 3.0.1

kayx23 commented 8 months ago

I thought session expiry is something one could configure on the IdP side?

illidan33 commented 8 months ago

I thought session expiry is something one could configure on the IdP side?

The session is set by plugin openid-connect when i use apisix. So it has nothing to do with idp, which does not control the session set by openid-connect.

kayx23 commented 8 months ago

@lakshya8066 @Vacant2333 Please help with this question if you can, thanks.

Vacant2333 commented 8 months ago

hello @illidan33 looks like we can add this parameter to the APISIX plugin

illidan33 commented 8 months ago

hello @illidan33 looks like we can add this parameter to the APISIX plugin

@Vacant2333 Thank you! Can you add an extra field ‘rolling_timeout’?

Vacant2333 commented 8 months ago

hello @illidan33 looks like we can add this parameter to the APISIX plugin

Thank you! Can you add an extra field ‘rolling_time’?

yes, can u help me list the parameters that which we need add to the plugin, and i will check and try to do that

illidan33 commented 8 months ago

hello @illidan33 looks like we can add this parameter to the APISIX plugin

Thank you! Can you add an extra field ‘rolling_time’?

yes, can u help me list the parameters that which we need add to the plugin, and i will check and try to do that

Of course.

illidan33 commented 8 months ago

hello @illidan33 looks like we can add this parameter to the APISIX plugin

Thank you! Can you add an extra field ‘rolling_time’?

yes, can u help me list the parameters that which we need add to the plugin, and i will check and try to do that

Of course.

@Vacant2333 The following are common session configuration fields, please add them to the plugin, thank you.

cookie_name
cookie_path
cookie_http_only
cookie_secure
cookie_priority
cookie_same_site
cookie_same_party
remember
remember_safety
remember_cookie_name
stale_ttl
idling_timeout
rolling_timeout
absolute_timeout
remember_rolling_timeout
remember_absolute_timeout

Vacant2333 commented 8 months ago

hello @illidan33 looks like we can add this parameter to the APISIX plugin

Thank you! Can you add an extra field ‘rolling_time’?

yes, can u help me list the parameters that which we need add to the plugin, and i will check and try to do that

Of course.

@Vacant2333 The following are common session configuration fields, please add them to the plugin, thank you.

cookie_name

cookie_path

cookie_http_only

cookie_secure

cookie_priority

cookie_same_site

cookie_same_party

remember

remember_safety

remember_cookie_name

stale_ttl

idling_timeout

rolling_timeout

absolute_timeout

remember_rolling_timeout

remember_absolute_timeout

ok, i will need consider these was necessay, thanks!

Vacant2333 commented 8 months ago

@kayx23 how do u think about add these parameters, can u help assign this issue to me? cc @shreemaan-abhishek

illidan33 commented 8 months ago

@Vacant2333 Hi, will the update come online in the near future?

Revolyssup commented 8 months ago

@illidan33 Yes this is on the proposal stage currently so there is no fixed date but this task is on my plate

illidan33 commented 7 months ago

@Vacant2333 @Revolyssup hi, I solved the issue. Can you take a look. [https://github.com/apache/apisix/pull/10919](session configuration)

apache / apisix

Can you add other session configuration parameters of openid-connect? #10797

Description

Environment