@tkan145 tkan145 commented Feb 17, 2025

What

Fix https://issues.redhat.com/browse/THREESCALE-10708

This is mostly a rename of the oidc_authentication policy, with an extra bit of logic on top to handle a potential conflict with an existing service configured with OIDC.

See #904 (comment)

Verification steps

1. Check out this branch and build a new runtime image:

       make runtime-image IMAGE_NAME=apicast-test

2. Move into the dev environment:

       cd dev-environments/keycloak-env

3. Modify apicast-config.json as follows:
diff --git a/dev-environments/keycloak-env/apicast-config.json b/dev-environments/keycloak-env/apicast-config.json 
index 071296cd..d5ca17ca 100644                                                                                    
--- a/dev-environments/keycloak-env/apicast-config.json                                                            
+++ b/dev-environments/keycloak-env/apicast-config.json                                                            
@@ -84,10 +84,10 @@                                                                                                
         },                                                                                                        
         "policy_chain": [                                                                                         
           {                                                                                                       
-            "name": "token_introspection",                                                                        
-            "version": "builtin",                                                                                 
+            "name": "apicast.policy.jwt_parser",                                                                  
             "configuration": {                                                                                    
-              "auth_type": "use_3scale_oidc_issuer_endpoint"                                                      
+              "issuer_endpoint": "http://keycloak:8080/realms/basic",                                             
+              "required": true                                                                                    
             }                                                                                                     
           },                                                                                                      
           {                                                                                                       
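Review bot: the replacement entry drops the `"version": "builtin"` line together with the old `token_introspection` name, so `apicast.policy.jwt_parser` is now referenced without a version while the service itself is still in OIDC mode. That is intentional here (the point of this step is to trigger the `check_compatible()` warning), but the step should say so, and it is worth confirming that the unversioned long-form name is accepted by the policy loader; a load failure at this point would surface as a different error and mask the warning the later log-check step expects.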
4. Start the gateway:

       make gateway IMAGE_NAME=apicast-test

5. In another terminal, seed the Keycloak data:

       make keycloak-data

6. Send a request:

       export ACCESS_TOKEN=$(make token)
       curl -v --resolve stg.example.com:8080:127.0.0.1 -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://stg.example.com:8080"

7. Check the APIcast log for the following message:

       [warn] 19#19: *2 jwt_parser.lua:49: check_compatible(): jwt_parser is incompatible with OIDC authentication mode, requestID=10c3fa9952859b03221ee7085fcaa6b3, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "stg.example.com:8080"

8. Stop the gateway (CTRL-C).

9. Edit apicast-config.json:
diff --git a/dev-environments/keycloak-env/apicast-config.json b/dev-environments/keycloak-env/apicast-config.json                          
index 071296cd..ec3d6532 100644                                                                                                             
--- a/dev-environments/keycloak-env/apicast-config.json                                                                                     
+++ b/dev-environments/keycloak-env/apicast-config.json                                                                                     
@@ -2,7 +2,7 @@                                                                                                                             
   "services": [                                                                                                                            
     {                                                                                                                                      
       "id": 2,                                                                                                                             
-      "backend_version": "oauth",                                                                                                          
+      "backend_version": "1",                                                                                                              
       "account_id": 2,                                                                                                                     
       "name": "API",                                                                                                                       
       "description": null,                                                                                                                 
@@ -63,7 +63,7 @@                                                                                                                           
         "apicast_configuration_driven": true,                                                                                              
         "oidc_issuer_endpoint": "http://oidc-issuer-for-3scale:oidc-issuer-for-3scale-secret@keycloak:8080/realms/basic",                  
         "lock_version": 4,                                                                                                                 
-        "authentication_method": "oidc",                                                                                                   
+        "authentication_method": "1",                                                                                                      
         "oidc_issuer_type": "keycloak",                                                                                                    
         "error_headers_limits_exceeded": "text/plain; charset=us-ascii",                                                                   
         "error_status_limits_exceeded": 429,                                                                                               
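Review bot: `authentication_method` is switched to `"1"` but the neighbouring `oidc_issuer_endpoint` (which carries the `oidc-issuer-for-3scale` client secret in the URL) and `oidc_issuer_type: "keycloak"` are left in place. Either drop them in the same hunk or state explicitly that they are ignored once the service leaves OIDC mode, so a reader can tell that the `issuer_endpoint` under `jwt_parser` (which has no credentials) is the one the policy validates tokens against.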
@@ -84,10 +84,23 @@                                                                                                                         
         },                                                                                                                                 
         "policy_chain": [                                                                                                                  
           {                                                                                                                                
-            "name": "token_introspection",                                                                                                 
-            "version": "builtin",                                                                                                          
+            "name": "apicast.policy.jwt_parser",                                                                                           
+            "configuration": {                                                                                                             
+              "issuer_endpoint": "http://keycloak:8080/realms/basic",                                                                      
+              "required": true                                                                                                             
+            }                                                                                                                              
+          },                                                                                                                               
+          {                                                                                                                                
+            "name": "apicast.policy.jwt_claim_check",                                                                                      
             "configuration": {                                                                                                             
-              "auth_type": "use_3scale_oidc_issuer_endpoint"                                                                               
+              "rules" : [{                                                                                                                 
+                  "operations": [                                                                                                          
+                    {"op": "==", "jwt_claim": "{{realm_access.roles| first}}", "jwt_claim_type": "liquid", "value": "default-roles-basic"} 
+                  ],                                                                                                                       
+                  "combine_op": "and",                                                                                                     
+                  "methods": ["GET"],                                                                                                      
+                  "resource": "/"                                                                                                          
+              }]                                                                                                                           
             }                                                                                                                              
           },                                                                                                                               
           {                                                                                                                                
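Review bot: the `jwt_claim_check` rule is scoped to `"methods": ["GET"]` on `"resource": "/"`, so any other method or path is decided by `jwt_parser` alone (`"required": true` still rejects a missing token, but no claim is checked); fine for a dev-environment smoke test, but worth a comment next to the rule. The liquid expression `{{realm_access.roles| first}}` also pins the check to whichever role Keycloak happens to list first, so the expected `default-roles-basic` match depends on role ordering in the token. Minor: `"rules" : [{` uses spacing inconsistent with the rest of the file.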
10. Send a request without an Authorization header. You should see 403 Forbidden:

        curl -v --resolve stg.example.com:8080:127.0.0.1 "http://stg.example.com:8080/?user_key=foo"

11. Retrieve an access token and send another request:

        export ACCESS_TOKEN=$(make token)
        curl -v --resolve stg.example.com:8080:127.0.0.1 -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://stg.example.com:8080/?user_key=foo"

    You should now see HTTP/1.1 200 OK.
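As an added example (not APIcast code), a small lint that flags the same conflict the new `check_compatible()` warns about, so it is caught when the config is reviewed rather than in the gateway log; the `service -> proxy -> policy_chain` nesting is inferred from the indentation of the diffs above and is an assumption, as is the extra check that `jwt_parser` has an `issuer_endpoint` to validate against.

```python
"""Lint an APIcast config for the jwt_parser/OIDC conflict (THREESCALE-10708).
Added example, not APIcast code; the service -> proxy -> policy_chain nesting is
inferred from the diff indentation in the verification steps (an assumption).
"""
import copy
import json

JWT_PARSER_NAMES = {"apicast.policy.jwt_parser", "jwt_parser"}


def service_uses_oidc(service: dict) -> bool:
    """Either marker changed in the second verification diff puts a service in OIDC mode."""
    proxy = service.get("proxy", {})
    return (service.get("backend_version") == "oauth"
            or proxy.get("authentication_method") == "oidc")


def find_conflicts(config: dict) -> list[str]:
    """One message per service whose chain would trip check_compatible() in jwt_parser.lua."""
    findings = []
    for service in config.get("services", []):
        sid = service.get("id")
        chain = service.get("proxy", {}).get("policy_chain", [])
        parsers = [p for p in chain if p.get("name") in JWT_PARSER_NAMES]
        if not parsers:
            continue  # policy absent: nothing to check for this service
        if service_uses_oidc(service):
            findings.append(f"service {sid}: jwt_parser is incompatible with OIDC authentication mode")
        for policy in parsers:  # assumption: the policy needs an issuer to validate signatures
            if not policy.get("configuration", {}).get("issuer_endpoint"):
                findings.append(f"service {sid}: jwt_parser has no issuer_endpoint to validate against")
    return findings

# Constructed sample mirroring the first diff: service still in OIDC mode, jwt_parser added.
OIDC_WITH_JWT_PARSER = json.loads("""{
  "services": [{
    "id": 2, "backend_version": "oauth",
    "proxy": {
      "authentication_method": "oidc",
      "policy_chain": [{"name": "apicast.policy.jwt_parser",
        "configuration": {"issuer_endpoint": "http://keycloak:8080/realms/basic", "required": true}}]
    }
  }]
}""")

# Same service after the second diff: backend_version and authentication_method set to "1".
USER_KEY_WITH_JWT_PARSER = copy.deepcopy(OIDC_WITH_JWT_PARSER)
USER_KEY_WITH_JWT_PARSER["services"][0]["backend_version"] = "1"
USER_KEY_WITH_JWT_PARSER["services"][0]["proxy"]["authentication_method"] = "1"
```

`find_conflicts(OIDC_WITH_JWT_PARSER)` reports the incompatibility for service 2, while the user_key variant comes back clean.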

@tkan145 tkan145 requested a review from a team as a code owner February 17, 2025 04:52
@tkan145 tkan145 force-pushed the THREESCALE-10708-jwt-parser branch 3 times, most recently from 642d57e to f0499f0, February 23, 2025 23:41
@eguzki eguzki left a comment


The approach looks good to me.

Verification steps working.

@tkan145 tkan145 force-pushed the THREESCALE-10708-jwt-parser branch from f0499f0 to 851808d, February 25, 2025 01:52
@tkan145 tkan145 merged commit a1331e7 into 3scale:master Feb 25, 2025
14 checks passed
@tkan145 tkan145 deleted the THREESCALE-10708-jwt-parser branch February 25, 2025 02:20