apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0

help request: Consumer and Oauth 2.0 with Openid-connect #9583

Open benatbermejo opened 1 year ago

benatbermejo commented 1 year ago

Description

I want to define traffic control restrictions for different consumers using Oauth 2.0 protocol.

Is there a way to do it?

I have defined the Openid-connect plugin on routes with an introspection endpoint to validate the tokens. The introspection service response contains the user-id and is saved in the X-Userinfo header. But there is no way to define a consumer with the Openid-connect plugin. It would be nice to do that to avoid complex workflows on routes.

Environment

starsz commented 1 year ago

Is there a way to do it?

Yes, now we don't support enabling the Openid-connect plugin with consumers. But we can use the openid-connect plugin and another auth plugin like key-auth to restrict the client.

It would be nice to do that to avoid complex workflows on routes.

I think it's a good idea. Let's hear from others.
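The workaround starsz describes (openid-connect on the route to validate the bearer token, key-auth alongside it so that a consumer can be identified and consumer-level plugins such as limit-count apply) is shown here as an added example; this is not code from the issue or from the APISIX project. It assumes an APISIX 3.x Admin API at http://127.0.0.1:9180 with the admin key supplied via APISIX_ADMIN_KEY, an upstream at 127.0.0.1:8080, and an identity provider whose discovery and introspection URLs are placeholders. Every hostname, key, client id and secret below is a constructed value.

```python
"""Added example: route protected by openid-connect + key-auth, consumer with limit-count.

Both auth plugins must pass: openid-connect introspects the bearer token and
key-auth selects the consumer, so consumer-scoped plugins (limit-count here)
take effect even though openid-connect itself cannot be bound to a consumer.
All URLs, keys and secrets are assumptions for illustration only.
"""
import json
import os
import urllib.request

# Assumed Admin API location and key (set APISIX_ADMIN_KEY; no default is shipped here on purpose).
ADMIN_URL = os.environ.get("APISIX_ADMIN_URL", "http://127.0.0.1:9180")
ADMIN_KEY = os.environ.get("APISIX_ADMIN_KEY", "")


def build_route(discovery_url, introspection_url, client_id, client_secret):
    """Route object: openid-connect validates the token, key-auth identifies the consumer."""
    return {
        "uri": "/api/*",
        "plugins": {
            "openid-connect": {
                "client_id": client_id,
                "client_secret": client_secret,
                "discovery": discovery_url,
                "introspection_endpoint": introspection_url,
                "introspection_endpoint_auth_method": "client_secret_basic",
                # bearer_only: reject requests without a token instead of redirecting to login.
                "bearer_only": True,
                # X-Userinfo (base64 JSON) is forwarded to the upstream, as in the issue.
                "set_userinfo_header": True,
                "realm": "apisix",
            },
            # Empty config: key-auth reads the "apikey" header by default.
            "key-auth": {},
        },
        "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:8080": 1}},
    }


def build_consumer(username, api_key, requests_per_minute):
    """Consumer object: the API key maps the request to this consumer, whose limit-count then applies."""
    return {
        "username": username,
        "plugins": {
            "key-auth": {"key": api_key},
            "limit-count": {
                "count": requests_per_minute,
                "time_window": 60,
                "rejected_code": 429,
                # Count per consumer rather than per client address.
                "key_type": "var",
                "key": "consumer_name",
            },
        },
    }


def client_headers(access_token, api_key):
    """Headers a client must send: the OAuth token for openid-connect and the key for key-auth."""
    return {"Authorization": "Bearer " + access_token, "apikey": api_key}


def admin_put(path, body):
    """PUT an object to the Admin API (assumed APISIX 3.x paths); returns the decoded response."""
    req = urllib.request.Request(
        ADMIN_URL + path,
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"X-API-KEY": ADMIN_KEY, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Placeholder identity-provider endpoints and credentials (constructed, not real).
    route = build_route(
        "https://idp.example.test/realms/demo/.well-known/openid-configuration",
        "https://idp.example.test/realms/demo/protocol/openid-connect/token/introspect",
        "apisix-gateway",
        "replace-with-client-secret",
    )
    consumer = build_consumer("tenant-a", "replace-with-tenant-a-key", 100)
    print(admin_put("/apisix/admin/routes/1", route))
    print(admin_put("/apisix/admin/consumers", consumer))
    print(client_headers("<access-token>", "replace-with-tenant-a-key"))
```

Because the consumer is selected by the API key alone, the gateway does not check that the token's subject belongs to that consumer; a client holding a valid token plus another tenant's key would be rate-limited as that tenant. That binding is exactly what the requested feature would provide.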

poostwoud commented 6 months ago

Using openid to identify the consumer would be a great feature. Why not use the client id and secret in the openid configuration for this? This would be similar to setting, for example, a key using key-auth, right?

cortex35 commented 4 months ago

Hello, thank you for your fantastic work.

We would like to use apisix, but we are stuck on one point. We want to use our identity provider with OpenID Connect and manage access restrictions through apisix.

I don't understand how to use the key-auth plugin with openid-connect. Do we have to add a consumer API key to the header in addition to the access token?

Initially, I thought of using the openid-connect plugin along with consumer-related plugins like consumer-restriction or limit-*. However, based on my understanding from the issue and the documentation I've found, it seems this is not currently possible. Did I miss something?

Is there a specific limitation preventing this feature?

Could the openid-connect plugin check, for example, the "sub" in the access token and associate it with an apisix consumer?

Thanks

coffee-coder99 commented 3 months ago

I'm not sure where this feature stands, but we are looking to do the same. In the past I have requested a feature, and even offered to do the work myself with a PR. I still have not heard back on whether that would be welcome for that feature. Would it be welcome by the maintainers for this feature as well?