
feat: As a user, I want to set a validation on custom claims in oidc auth, so that I can restrict access to backend based on that rule #8772

Open
goblain opened this issue Feb 1, 2023 · 10 comments · May be fixed by #11824
Labels
good first issue Good for newcomers

Comments

@goblain

goblain commented Feb 1, 2023

Description

ability to configure openid-connect with something like

```yaml
claim_validators:
- claim: someclaim
  matches:
  - foo
  - bar
```

that would return 401 if it failed to evaluate successfully

@spacewander spacewander added the good first issue Good for newcomers label Feb 2, 2023
@spacewander
Member

LGTM

@ro4i7

ro4i7 commented Mar 12, 2023

Hello @spacewander @goblain

if this issue is still open, please assign it to me,

possible solution:

To implement this feature, we can introduce a new configuration parameter in the OIDC auth plugin named claim_validators. This parameter will be a list of maps, each map representing a custom claim validator.

Each map will contain two keys: claim and matches. claim is a string representing the name of the custom claim that needs to be validated. matches is a list of strings representing the allowed values of the custom claim.

During the authentication process, the plugin will validate the custom claim against the allowed values specified in the claim_validators configuration. If the custom claim fails to match any of the allowed values, the plugin will return a 401 unauthorized response.

```lua
-- Returns true when claim_value is one of the configured allowed values.
local function validate_custom_claim(claim_value, allowed_values)
    for _, v in ipairs(allowed_values) do
        if v == claim_value then
            return true
        end
    end

    return false
end

local function oidc_authenticate(conf, ...)
    -- ...
    -- `claims` is the already-decoded token payload (a Lua table) obtained
    -- earlier in the handler, e.g. from the introspection or ID token result.
    local claim_validators = conf.claim_validators or {}

    for _, validator in ipairs(claim_validators) do
        local claim = validator.claim
        local matches = validator.matches or {}

        -- The payload is already a table, so the claim is read directly;
        -- a missing claim yields nil and therefore fails validation.
        local claim_value = claims[claim]
        if not validate_custom_claim(claim_value, matches) then
            return responses.send_HTTP_UNAUTHORIZED("Invalid custom claim")
        end
    end

    -- ...
end
```

With this implementation, the user can specify a list of custom claim validators in the claim_validators configuration. For example:

```yaml
plugins:
- name: oidc
  config:
    client_id: YOUR_CLIENT_ID
    client_secret: YOUR_CLIENT_SECRET
    discovery: https://your-oidc-provider.com/.well-known/openid-configuration
    redirect_uri: http://your-redirect-uri.com
    claim_validators:
    - claim: someclaim
      matches:
      - foo
      - bar
```

This will ensure that the someclaim custom claim in the OIDC token matches either foo or bar. If it does not match any of these values, the plugin will return a 401 unauthorized response.
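As an added illustration (not code from this issue or from APISIX), the same `claim_validators` check in plain, stand-alone Lua, extended to array-valued claims such as `groups` and to claims that are absent from the token; the function names `check_claim`/`validate_claims` and the sample payload are constructed for this example.

```lua
-- Build a lookup set from the configured "matches" list.
local function to_set(list)
    local set = {}
    for _, v in ipairs(list) do set[v] = true end
    return set
end

-- Check one validator against the decoded token payload.
-- Returns true, or false plus a reason the caller can log before answering 401.
local function check_claim(claims, validator)
    local value = claims[validator.claim]
    if value == nil then
        return false, "claim '" .. validator.claim .. "' missing"
    end
    local allowed = to_set(validator.matches or {})
    if type(value) == "table" then
        -- Array claim (e.g. groups): any element in the allowed set passes.
        -- A nested object claim has no array part and therefore fails.
        for _, v in ipairs(value) do
            if allowed[tostring(v)] then return true end
        end
        return false, "no value of claim '" .. validator.claim .. "' is allowed"
    end
    -- Scalar claim: compare as a string so numeric/boolean claims can be matched.
    if allowed[tostring(value)] then return true end
    return false, "claim '" .. validator.claim .. "' = " .. tostring(value) .. " not allowed"
end

-- Run every validator; all must pass. The plugin maps a false result to HTTP 401.
local function validate_claims(claims, validators)
    for _, validator in ipairs(validators or {}) do
        local ok, err = check_claim(claims, validator)
        if not ok then return false, err end
    end
    return true
end

-- Constructed sample: a decoded ID token payload and the configuration from the issue.
local claims = { sub = "alice", someclaim = "foo", groups = { "dev", "ops" } }
local validators = {
    { claim = "someclaim", matches = { "foo", "bar" } },
    { claim = "groups",    matches = { "admin", "ops" } },
}
print(validate_claims(claims, validators))
print(validate_claims({ sub = "bob", someclaim = "baz" }, validators))
```

The first call passes (both validators are satisfied); the second fails on `someclaim` before `groups` is examined, which is the point at which the plugin would reject the request.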

@spacewander
Member

You could submit a PR with test added to it.

@ro4i7 ro4i7 mentioned this issue Mar 14, 2023
@ro4i7

ro4i7 commented Mar 14, 2023

> You could submit a PR with test added to it.

@spacewander please checkout #9068

@abs007
Contributor

abs007 commented Apr 4, 2023

I'd like this issue to be assigned to me if possible, thanks.

@abs007
Contributor

abs007 commented Apr 10, 2023

@monkeyDluffy6017

@Visserr2

What is the status on this issue?

@shreemaan-abhishek
Contributor

would you like to work on it @Visserr2 ?

@beardnick

beardnick commented Nov 24, 2024

What is the status of this issue? @shreemaan-abhishek

beardnick added a commit to beardnick/apisix that referenced this issue Dec 12, 2024
@beardnick beardnick linked a pull request Dec 12, 2024 that will close this issue
@beardnick

@shreemaan-abhishek cc
