From 1deabd0bdcdce52e9be79e05b26268c92ee07509 Mon Sep 17 00:00:00 2001
From: Aron Parsons
Date: Thu, 8 Aug 2019 14:39:00 -0400
Subject: [PATCH] set ngx.ctx.authenticated_groups if groups claim is present

enables the use of Kong authorization plugins, such as the bundled "acl plugin

Signed-off-by: Aron Parsons
---
 README.md | 5 +++++
 kong/plugins/oidc/handler.lua | 1 +
 kong/plugins/oidc/schema.lua | 3 ++-
 kong/plugins/oidc/utils.lua | 7 +++++++
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 82a65bf2..fc7ba856 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,10 @@ ngx.ctx.authenticated_consumer = {
 }
 ```
+The plugin will try to retrieve the user's groups from a field in the token (default `groups`)
+and set `ngx.ctx.authenticated_groups` so that Kong authorization plugins can make decisions
+based on the user's group membership.
+
 ## Dependencies
@@ -82,6 +86,7 @@ You also need to set the `KONG_PLUGINS` environment variable
 | `config.bearer_only` | no | false | Only introspect tokens without redirecting |
 | `config.realm` | kong | false | Realm used in WWW-Authenticate response header |
 | `config.logout_path` | /logout | false | Absolute path used to logout from the OIDC RP |
+| `config.groups_claim` | groups | false | Name of the claim in the token to get groups from |
 ### Enabling
diff --git a/kong/plugins/oidc/handler.lua b/kong/plugins/oidc/handler.lua
index 07f05af5..763781be 100644
--- a/kong/plugins/oidc/handler.lua
+++ b/kong/plugins/oidc/handler.lua
@@ -39,6 +39,7 @@ function handle(oidcConfig)
 if response then
 if (response.user) then
 utils.injectUser(response.user)
+ utils.injectGroups(response.user, oidcConfig.groups_claim)
 end
 if (response.access_token) then
 utils.injectAccessToken(response.access_token)
diff --git a/kong/plugins/oidc/schema.lua b/kong/plugins/oidc/schema.lua
index ffb55b37..61d85766 100644
--- a/kong/plugins/oidc/schema.lua
+++ b/kong/plugins/oidc/schema.lua
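Review bot: The new call reads group membership from `response.user`, so the claim source is whatever populated that table (not shown in this hunk), while the README text added by this commit says the groups come from "a field in the token"; an operator who points `groups_claim` at a claim that exists only in the access token would see no groups set and no error. A comment on the added line would make the contract explicit, e.g. `-- group membership is taken from the claims in response.user; the access token itself is not inspected here`, and the README wording should say the same. `handle` begins and ends outside this hunk.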
@@ -18,6 +18,7 @@ return {
 recovery_page_path = { type = "string" },
 logout_path = { type = "string", required = false, default = '/logout' },
 redirect_after_logout_uri = { type = "string", required = false, default = '/' },
- filters = { type = "string" }
+ filters = { type = "string" },
+ groups_claim = { type = "string", required = false, default = "groups" }
 }
 }
diff --git a/kong/plugins/oidc/utils.lua b/kong/plugins/oidc/utils.lua
index 3686bbf6..4f187849 100644
--- a/kong/plugins/oidc/utils.lua
+++ b/kong/plugins/oidc/utils.lua
@@ -58,6 +58,7 @@ function M.get_options(config, ngx)
 filters = parseFilters(config.filters),
 logout_path = config.logout_path,
 redirect_after_logout_uri = config.redirect_after_logout_uri,
+ groups_claim = config.groups_claim,
 }
 end
@@ -85,6 +86,12 @@ function M.injectUser(user)
 ngx.req.set_header("X-Userinfo", ngx.encode_base64(userinfo))
 end
 
+function M.injectGroups(user, claim)
+ if user[claim] ~= nil then
+ ngx.ctx.authenticated_groups = user[claim]
+ end
+end
+
 function M.has_bearer_access_token()
 local header = ngx.req.get_headers()['Authorization']
 if header and header:find(" ") then
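Review bot: `groups_claim` is declared as a plain optional string, so an empty string or a mistyped claim name is accepted at configuration time and only shows up later as `injectGroups` silently never setting `ngx.ctx.authenticated_groups`, which an ACL-protected route reports as a denied request rather than a misconfiguration. If this schema style supports a custom field validator, rejecting `""` here would surface the error when the plugin is configured; otherwise a debug-level log in `injectGroups` when the claim is absent would give operators something to find.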
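Review bot: `M.injectGroups` copies `user[claim]` into `ngx.ctx.authenticated_groups` guarded only by `~= nil`, so a claim that arrives as a single string, a number or a nested object is handed unchanged to whichever authorization plugin consumes the context field; the bundled ACL plugin named in the commit message is that consumer, and I believe it expects a sequence of group-name strings, so a non-table value is at best ignored and at worst raises at request time. Restricting the assignment to tables, `if type(user[claim]) == "table" then`, keeps the context value well-typed, and if identity providers that emit a single string must be supported the wrapping into a one-element table should be done here explicitly rather than left to the consumer. The function also lacks a header; `--- Copy the configured groups claim from the user claims into ngx.ctx.authenticated_groups for Kong authorization plugins.` with `-- @tparam table user` and `-- @tparam string claim` would cover it.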