nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Support for token revocations on logout #74

Open jerneyio opened 5 years ago

jerneyio commented 5 years ago

lua-resty-openidc supports revocation of the access and refresh tokens as long as a revocation endpoint is exposed and contained in the discovery URL (see: https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L1142), so it should be easy enough to extend that support to this project. I'd be happy to submit a PR for this, but testing will be a problem because:

  1. Keycloak (used in the docker-compose.yml for testing) does not yet support a revocation endpoint (see: https://issues.jboss.org/browse/KEYCLOAK-5325) and may never do so (see: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Revoking-an-OAuth-Token-td3041.html), and
  2. I'm not sure the testing infrastructure for this project is complete.

Feel free to correct me on that last point if I'm wrong. If not, I can open up an issue for this as well.
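Added illustration (not part of the thread, and not code from kong-oidc or lua-resty-openidc): a Python sketch of the RFC 7009 requests a relying party builds on logout, and of what happens when the discovery document has no `revocation_endpoint`, the Keycloak situation described in the comment above. The function name, discovery documents, client credentials and token values are constructed for the example, and revoking the refresh token first is this example's choice.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Constructed discovery documents (assumptions, not taken from a real provider).
DISCOVERY_WITH_REVOCATION = {
    "issuer": "https://idp.example.test",
    "revocation_endpoint": "https://idp.example.test/oauth2/revoke",
}
# What a provider without revocation support would publish.
DISCOVERY_WITHOUT_REVOCATION = {"issuer": "https://idp.example.test"}


def build_revocation_requests(discovery, session, client_id, client_secret):
    """Return (requests, skipped_reason) for the tokens held in the session.

    Each request is a dict describing one RFC 7009 POST; nothing is sent.
    """
    endpoint = discovery.get("revocation_endpoint")
    if not endpoint:
        # No endpoint advertised: logout can only clear the local session,
        # and tokens already issued stay valid until they expire.
        return [], "no revocation_endpoint in discovery document"
    if not endpoint.startswith("https://"):
        # RFC 7009 requires HTTPS because client credentials and tokens
        # travel in the request.
        return [], "revocation_endpoint is not https"

    # client_secret_basic: form-encode id and secret, then base64 "id:secret".
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode()).decode()

    requests = []
    # Refresh token first, so it cannot be used to mint a new access token.
    for hint in ("refresh_token", "access_token"):
        token = session.get(hint)
        if not token:
            continue
        requests.append({
            "method": "POST",
            "url": endpoint,
            "headers": {
                "Authorization": f"Basic {basic}",
                "Content-Type": "application/x-www-form-urlencoded",
            },
            "body": urlencode({"token": token, "token_type_hint": hint}),
        })
    return requests, None
```

An integration test against a provider without revocation support can assert on the skipped reason instead of expecting the tokens to become invalid.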

Trojan295 commented 5 years ago

Well, in Travis CI we aren't running any integration tests with any OIDC providers. There is a docker compose file in the test directory, which I use for testing the plugin with Keycloak. There's also a Python script, which configures the plugin on Kong and an OIDC client in Keycloak. IMO it should be improved and added to Travis, but I haven't had time to add this.

To use this you would need to start Keycloak and Kong's db, wait till it's ready, run the db migration (uncomment the command in docker-compose.yml), start Kong and run setup.py. The source code is mounted into the container, so you only need to restart Kong's container to test your changes.

jerneyio commented 5 years ago

Good deal. So I'm not too familiar with Travis CI, but I have been using Docker Compose a lot lately. If I can get this:

> To use this you would need to start Keycloak and Kong's db, wait till it's ready, run the db migration (uncomment the command in docker-compose.yml), start Kong and run setup.py. The source code is mounted into the container, so you only need to restart Kong's container to test your changes.

to a point where it's completely automated and kicked off by a single command, would you accept a PR for that? I'll have some free time coming up next week to look into it. I can open up a separate issue for this.

Trojan295 commented 5 years ago

@JoshTheGoldfish, that would be great! :) It would open a possibility to write Selenium/Robot tests and have some integration tests run in the CI. I could handle this afterwards.

jerneyio commented 5 years ago

@Trojan295 I've created an issue for that here: https://github.com/nokia/kong-oidc/issues/80