revomatico / kong-oidc

OIDC plugin for Kong
Apache License 2.0
110 stars, 75 forks

Adding support for JWKS-based token validation #4

Closed Starefossen closed 3 years ago

Starefossen commented 3 years ago

Adds support for JWKS-based token validation (nokia#150).

Related: https://github.com/nokia/kong-oidc/pull/151
Related: https://github.com/revomatico/kong-oidc/pull/1
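The PR description says the change adds JWKS-based validation of bearer tokens. The following is an added example, not code from this PR or from the kong-oidc plugin (which is written in Lua and relies on lua-resty-openidc); it shows, in stdlib-only Python, the checks a JWKS-backed validator needs to get right: selecting the key by `kid`, refusing any `alg` outside an explicit allow-list (including `none`), requiring the key's declared `alg` to match the header, and validating `iss`, `aud`, `exp` and `nbf`. Everything in it is constructed: the issuer `https://issuer.example`, the audience `kong-api`, the key ids `2021-03` and `2020-11`, and the secrets. It uses symmetric `oct` JWKs only so that it verifies offline without an RSA library; a real OIDC provider publishes public RSA/EC keys at its `jwks_uri`, but the selection and claim logic is the same.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}                  # explicit allow-list; "none" can never pass
EXPECTED_ISS = "https://issuer.example"   # constructed issuer
EXPECTED_AUD = "kong-api"                 # constructed audience


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed signing secrets keyed by kid. A real provider keeps private keys
# and publishes only public RSA/EC JWKs; "oct" keys are used here purely so the
# example verifies with the standard library alone.
KEY_SECRETS = {
    "2021-03": b"constructed-secret-2021-03",
    "2020-11": b"constructed-secret-2020-11",   # older key still published during rotation
}

# What a provider's jwks_uri would return, built from the constructed secrets.
JWKS = {
    "keys": [
        {"kty": "oct", "kid": kid, "alg": "HS256", "use": "sig", "k": b64url_encode(secret)}
        for kid, secret in KEY_SECRETS.items()
    ]
}


def select_key(jwks: dict, header: dict) -> dict:
    """Return the single signing key whose kid matches the token header.

    The key's declared alg must equal the header alg: trusting the header
    alone is what makes algorithm-confusion bugs possible.
    """
    kid = header.get("kid")
    if kid is None:
        raise ValueError("token header has no kid")
    matches = [k for k in jwks.get("keys", [])
               if k.get("kid") == kid and k.get("use", "sig") == "sig"]
    if len(matches) != 1:
        raise ValueError(f"no unique signing key for kid {kid!r}")
    key = matches[0]
    if key.get("alg") != header.get("alg"):
        raise ValueError("token alg does not match the key's alg")
    return key


def validate_bearer_jwt(token: str, jwks: dict, now=None) -> dict:
    """Verify signature and core claims; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:       # checked before any key lookup
        raise ValueError(f"alg {header.get('alg')!r} not allowed")
    key = select_key(jwks, header)
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def mint_token(header: dict, claims: dict, secret: bytes) -> str:
    """Constructed provider-side helper: HS256-sign a token for the samples below."""
    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    if header.get("alg") == "none":        # unsigned token, as the "none" algorithm produces
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def sample_outcomes(now: float = 1_700_000_000) -> dict:
    """Run constructed good and bad tokens through the validator and report each outcome."""
    good = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice", "exp": now + 300}
    def hdr(kid, alg="HS256"):
        return {"alg": alg, "typ": "JWT", "kid": kid}
    tokens = {
        "valid": mint_token(hdr("2021-03"), good, KEY_SECRETS["2021-03"]),
        "older_published_key": mint_token(hdr("2020-11"), good, KEY_SECRETS["2020-11"]),
        "expired": mint_token(hdr("2021-03"), {**good, "exp": now - 1}, KEY_SECRETS["2021-03"]),
        "wrong_audience": mint_token(hdr("2021-03"), {**good, "aud": "other-api"}, KEY_SECRETS["2021-03"]),
        "unknown_kid": mint_token(hdr("rotated-out"), good, b"some-other-secret"),
        "alg_none": mint_token(hdr("2021-03", alg="none"), good, b""),
        "bad_signature": mint_token(hdr("2021-03"), good, b"wrong-secret"),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            results[name] = "ok:" + validate_bearer_jwt(tok, JWKS, now=now)["sub"]
        except ValueError as exc:
            results[name] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for name, result in sample_outcomes().items():
        print(f"{name:22} {result}")
```

The order of checks is deliberate: the `alg` allow-list runs before the JWKS lookup, so an unsigned or oddly-signed token never reaches key selection, and the key's own `alg` is compared against the header so that a published key can only verify the algorithm it was issued for. The `now` parameter exists so expiry logic can be tested at a fixed time instead of the wall clock.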

zanitete commented 3 years ago

In my local env the unit test that was added by this PR is failing as follows:

$ ./bin/run-unit-tests.sh

+ docker build --build-arg KONG_BASE_TAG=:2.2.1-centos -t nokia/kong-oidc -f test/docker/unit/Dockerfile .
Sending build context to Docker daemon  877.1kB
Step 1/11 : ARG KONG_BASE_TAG
Step 2/11 : FROM kong${KONG_BASE_TAG}
 ---> 43a665d19b27
Step 3/11 : USER root
 ---> Using cache
 ---> 27e106f8e449
Step 4/11 : ENV LUA_PATH /usr/local/share/lua/5.1/?.lua;/usr/local/kong-oidc/?.lua
 ---> Using cache
 ---> 9439d5592379
Step 5/11 : ENV LUA_CPATH /usr/local/lib/lua/5.1/?.so
 ---> Using cache
 ---> beb72ccbc7c9
Step 6/11 : RUN echo "ip_resolve=4" >> /etc/yum.conf && yum install -y unzip gcc
 ---> Using cache
 ---> 0d362c81b50c
Step 7/11 : RUN luarocks install lua-resty-openidc 1.7.4-1
 ---> Using cache
 ---> 7f2865a7c694
Step 8/11 : RUN luarocks install luacov
 ---> Using cache
 ---> e5d9f85147cb
Step 9/11 : RUN luarocks install luaunit
 ---> Using cache
 ---> 33e2559b3ad9
Step 10/11 : WORKDIR /usr/local/kong-oidc
 ---> Using cache
 ---> 5e29bdc4804a
Step 11/11 : COPY . .
 ---> b40a7b9e1bbd
Successfully built b40a7b9e1bbd
Successfully tagged nokia/kong-oidc:latest
+ docker run -it --rm nokia/kong-oidc /bin/bash test/unit/run.sh
+ lua -lluacov test/unit/test_already_auth.lua -o TAP --failure
1..2
# Started on Thu Mar  4 14:11:54 2021
# Starting class: TestHandler
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler ignoring already auth request: /
ok     1        TestHandler.test_skip_already_auth_has_cred
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug OidcHandler done
ok     2        TestHandler.test_skip_already_auth_has_no_cred
# Ran 2 tests in 0.000 seconds, 2 successes, 0 failures
+ lua -lluacov test/unit/test_bearer_jwt_auth.lua -o TAP --failure
1..2
# Started on Thu Mar  4 14:11:54 2021
# Starting class: TestHandler
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug OidcHandler done
ok     1        TestHandler.test_bearer_jwt_auth_fail
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug Injecting x-userinfo
ngx.log:        debug OidcHandler done
ok     2        TestHandler.test_bearer_jwt_auth_success
# Ran 2 tests in 0.010 seconds, 2 successes, 0 failures
+ lua -lluacov test/unit/test_filter.lua -o TAP --failure
1..5
# Started on Thu Mar  4 14:11:54 2021
# Starting class: TestFilter
ok     1        TestFilter.testIgnoreRequestWhenMatchingPattern1
ok     2        TestFilter.testIgnoreRequestWhenMatchingPattern2
ok     3        TestFilter.testProcessRequestWhenTheyAreNoFiltersEmpty
ok     4        TestFilter.testProcessRequestWhenTheyAreNoFiltersNil
ok     5        TestFilter.testProcesseRequestWhenNoMatch
# Ran 5 tests in 0.010 seconds, 5 successes, 0 failures
+ lua -lluacov test/unit/test_filters_advanced.lua -o TAP --failure
1..15
# Started on Thu Mar  4 14:11:54 2021
# Starting class: TestFilter
ok     1        TestFilter.testDigitAfterPrefix
ok     2        TestFilter.testHyphenAfterPrefix
ok     3        TestFilter.testIgnoreRequestBeingIdenticalToFilter
ok     4        TestFilter.testIgnoreRequestStartingWithFilterFollowedByPaths
ok     5        TestFilter.testIgnoreRequestStartingWithFilterFollowedByQuestionmark
ok     6        TestFilter.testIgnoreRequestStartingWithFilterFollowedBySlash
ok     7        TestFilter.testIgnoreRequestWhenUriIsArc
ok     8        TestFilter.testIgnoreRequestWhenUriIsAuth
ok     9        TestFilter.testLowercaseLetterAfterPrefix
ok     10       TestFilter.testPeriodAfterPrefix
ok     11       TestFilter.testPrefixNotAtTheStart
ok     12       TestFilter.testProcessRequestWhichAreAllowed
ok     13       TestFilter.testTildeAfterPrefix
ok     14       TestFilter.testUnderscoreAfterPrefix
ok     15       TestFilter.testUppercaseLetterLetterAfterPrefix
# Ran 15 tests in 0.000 seconds, 15 successes, 0 failures
+ lua -lluacov test/unit/test_handler_mocking_openidc.lua -o TAP --failure
1..14
# Started on Thu Mar  4 14:11:54 2021
# Starting class: TestHandler
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug OidcHandler done
ok     1        TestHandler.test_authenticate_nok_deny
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug OidcHandler done
ok     2        TestHandler.test_authenticate_nok_no_recovery
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug Redirecting to recovery page: x
ngx.log:        debug OidcHandler done
ok     3        TestHandler.test_authenticate_nok_with_recovery
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug OidcHandler done
ok     4        TestHandler.test_authenticate_ok_no_userinfo
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug Injecting X-Access-Token
ngx.log:        debug OidcHandler done
ok     5        TestHandler.test_authenticate_ok_with_accesstoken
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug Injecting X-ID-Token
ngx.log:        debug OidcHandler done
ok     6        TestHandler.test_authenticate_ok_with_idtoken
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug OidcHandler done
ok     7        TestHandler.test_authenticate_ok_with_no_accesstoken
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug OidcHandler done
ok     8        TestHandler.test_authenticate_ok_with_no_idtoken
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug Injecting X-Userinfo
ngx.log:        debug OidcHandler done
ok     9        TestHandler.test_authenticate_ok_with_userinfo
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler calling authenticate, requested path: /
ngx.log:        debug OidcHandler done
ok     10       TestHandler.test_bearer_only_with_bad_token
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler introspect succeeded, requested path: /
ngx.log:        debug Injecting X-Userinfo
ngx.log:        debug OidcHandler done
ok     11       TestHandler.test_bearer_only_with_good_token
ngx.log:        debug executing plugin " oidc ": access
ngx.log:        debug OidcHandler introspect succeeded, requested path: /
not ok 12       TestHandler.test_introspect_bearer_token_and_property_mapping
#   /usr/local/kong-oidc/kong/plugins/oidc/utils.lua:159: attempt to concatenate local 'headerName' (a nil value)

ERROR during LuaUnit test execution:
/usr/local/kong-oidc/kong/plugins/oidc/utils.lua:159: attempt to concatenate local 'headerName' (a nil value)
# Ran 12 tests in 0.040 seconds, 11 successes, 1 error
LuaUnit ABORTED (as requested by --error or --failure option)
Done

Is it working for you? Thank you!

hanlaur commented 3 years ago

@Starefossen: Question about this PR: another PR, https://github.com/revomatico/kong-oidc/pull/2 (commit https://github.com/revomatico/kong-oidc/pull/2/commits/3739291992720f4456f05a6e62aca4b5c0c3dba2), already included JWKS-based bearer JWT verification, but with some additional validations and configurability. I am curious: did it not cover your particular use case?