revomatico / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Websocket introspect support #18

Closed rashi-jaiswal-007 closed 2 years ago

rashi-jaiswal-007 commented 2 years ago

The WebSocket protocol does not allow adding headers like Authorization. Can we support checking for access_token in the query params as well? Something along the lines below:

```lua
-- formatAsBearerToken is not defined in the posted snippet; assumed here to
-- prefix the scheme so the value can be placed in the Authorization header
local function formatAsBearerToken(val)
  return "Bearer " .. val
end

-- Module fragment: M is the plugin's module table
function M.has_bearer_access_token()
  local header = ngx.req.get_headers()['Authorization']
  -- Accept "Bearer <token>" in the Authorization header (scheme compared case-insensitively)
  if header and header:find(" ") then
    local divider = header:find(' ')
    if string.lower(header:sub(0, divider-1)) == string.lower("Bearer") then
      return true
    end
  end
  -- Fallback for WebSocket clients, which cannot set Authorization on the handshake:
  -- take the token from ?access_token=... and promote it to the header
  local args = ngx.req.get_uri_args()
  for key, val in pairs(args) do
    if key == "access_token" then
      local token = formatAsBearerToken(val)
      -- "resty.openidc".introspect also does not allow query param usage
      ngx.req.set_header('Authorization', token)
      return true
    end
  end
  return false
end
```
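As an added example (not code from kong-oidc or from the issue author), the same idea written so the query-parameter fallback applies only to a WebSocket handshake and the token is removed from the query string before the request is proxied, so it does not reach the upstream service or the access log. The `headers` and `args` parameters are plain tables standing in for `ngx.req.get_headers()` and `ngx.req.get_uri_args()`, which keeps the logic runnable under plain `lua`; the OpenResty glue at the bottom (including `ngx.req.set_uri_args`) is an assumption about how it would be wired into the plugin.

```lua
local M = {}

-- Case-insensitive header lookup on a plain table (ngx's own table already does this)
local function get_header(headers, name)
  local want = string.lower(name)
  for k, v in pairs(headers) do
    if string.lower(k) == want then
      -- a repeated header arrives as a table; take the first value
      if type(v) == "table" then return v[1] end
      return v
    end
  end
  return nil
end

-- Extract the token from "Bearer <token>" (scheme is case-insensitive per RFC 6750),
-- tolerating extra whitespace; nil for any other scheme or a malformed value
function M.bearer_from_header(headers)
  local header = get_header(headers, "Authorization")
  if type(header) ~= "string" then return nil end
  local scheme, token = header:match("^%s*(%S+)%s+(%S+)%s*$")
  if not scheme or string.lower(scheme) ~= "bearer" then return nil end
  return token
end

-- True only for a WebSocket handshake (Connection: Upgrade plus Upgrade: websocket)
function M.is_websocket_upgrade(headers)
  local upgrade = get_header(headers, "Upgrade")
  local conn = get_header(headers, "Connection")
  if type(upgrade) ~= "string" or type(conn) ~= "string" then return false end
  return string.lower(upgrade) == "websocket"
     and string.lower(conn):find("upgrade", 1, true) ~= nil
end

-- Locate the access token. Returns token, source ("header" | "query"), args_without_token.
-- The query fallback is honoured only on a handshake, because ordinary requests
-- can carry Authorization and have no reason to put a token in the URL.
function M.find_access_token(headers, args)
  local token = M.bearer_from_header(headers)
  if token then return token, "header", args end

  if M.is_websocket_upgrade(headers) and args and args.access_token then
    local raw = args.access_token
    -- a repeated parameter (?access_token=a&access_token=b) arrives as a table: ambiguous, reject
    if type(raw) ~= "string" or raw == "" then return nil, nil, args end
    -- copy args minus the token so it is neither proxied upstream nor logged
    local scrubbed = {}
    for k, v in pairs(args) do
      if k ~= "access_token" then scrubbed[k] = v end
    end
    return raw, "query", scrubbed
  end
  return nil, nil, args
end

-- OpenResty glue (assumption): promote a query token to the header that
-- resty.openidc.introspect() reads, and rewrite the query string without it
function M.has_bearer_access_token()
  local token, source, scrubbed =
    M.find_access_token(ngx.req.get_headers(), ngx.req.get_uri_args())
  if not token then return false end
  if source == "query" then
    ngx.req.set_header("Authorization", "Bearer " .. token)
    ngx.req.set_uri_args(scrubbed)
  end
  return true
end

-- Stand-alone check under plain `lua` (no ngx global): constructed requests
if ngx == nil then
  local hs = { Connection = "keep-alive, Upgrade", Upgrade = "websocket" }
  local token, source, rest = M.find_access_token(hs, { access_token = "t0k", room = "42" })
  assert(token == "t0k" and source == "query" and rest.access_token == nil and rest.room == "42")
  assert(M.find_access_token({ Authorization = "bearer abc" }, {}) == "abc")
  assert(M.find_access_token({}, { access_token = "t0k" }) == nil) -- plain HTTP: no fallback
  assert(M.find_access_token(hs, { access_token = { "a", "b" } }) == nil) -- repeated param rejected
end

return M
```

`find_access_token` is pure, so it can be unit-tested outside nginx; `has_bearer_access_token` is the only function that touches `ngx`, which mirrors the structure of the snippet in the issue.
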

ruiengana commented 2 years ago

Websocket doesn’t have support for native Authorisation, therefore this is implemented by the Developer on top of the Websocket protocol. Most of Websocket libraries add this layer already.

In my opinion this is concern of the micro itself and not the API Gateway, which over Websocket acts purely as proxy.

rashi-jaiswal-007 commented 2 years ago

> Most of Websocket libraries add this layer already

You mean something like `auth` (https://socket.io/docs/v3/client-initialization/#auth) or `extraHeaders` (https://socket.io/docs/v3/client-initialization/#extraHeaders) of socket.io? If yes, are you suggesting that the socket server should instead be responsible for introspecting the token passed via these (and the kong-oidc plugin should essentially be bypassed)?

ruiengana commented 2 years ago

Yes. You shouldn't be applying REST fundamentals to WebSockets. They are utterly different. The only thing they actually share is HTTP as the transport layer.

REST is about avoiding sessions by leveraging authorisation in stateless calls. With WebSocket you actually create a duplex session via the websocket.

rashi-jaiswal-007 commented 2 years ago

Cool... sounds good