help request: Is this a valid approach for creating a temporary consumer? #12888

@ch-gr

Description

This is a follow-up to Bishnup1995's question regarding creating consumers from the openid-connect plugin.

I've created a plugin that parses the oidc identity token from the X-ID-Token header that the openid-connect plugin adds after successful authentication. The plugin configuration allows me to specify oidc role -> consumer mappings for the route, i.e.

uris:
  - /hello
plugins:
  oidc-consumer:
    consumers:
    - id: read-only-user
      oidc-roles:
      - standard-user
    - id: admin-user
      oidc-roles:
      - super-user

If a token role matches, the relevant consumer is attached to the request by calling the following function:

-- Attach an ephemeral consumer to the request context
-- https://github.com/apache/apisix/issues/11015#issuecomment-2994693291
--
-- Note: Consumer groups cannot be added in this way, as they must be registered
-- via the consumer_groups module, which is system-wide, not request-scoped.
--
local consumer_mod = require("apisix.consumer")
local function attach_consumer(ctx, consumer_id, username)
    local apisix_consumer_conf = {
        conf_version = "oidc-tmp-consumer"
    }

    local apisix_consumer = {
        -- Properties required by plugin.lua's _M.merge_consumer_route
        id = consumer_id,
        modifiedIndex = 0,
        consumer_name = consumer_id,

        -- Optional value for request header X-Credential-Identifier
        credential_id = consumer_id,

        -- Optional value for request header X-Consumer-Username
        username = username,
    }

    consumer_mod.attach_consumer(ctx, apisix_consumer, apisix_consumer_conf)
end

Is this a valid approach?
Should this be handled differently?

Thanks!

Environment

  • APISIX version (run apisix version): 3.14.1
  • Operating system (run uname -a): Linux apisix-cc56488df-kzmnn 6.12.55-74.119.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC
  • OpenResty / Nginx version (run openresty -V or nginx -V): openresty/1.27.1.2
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
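
The role-to-consumer matching step described in the issue, sketched as an added example; it is not part of the original post or of the APISIX code base. It assumes the decoded token carries its roles in a `roles` claim (the issue does not name the claim), and `role_set` and `resolve_consumer` are hypothetical names. The function returns nil when nothing matches, so the caller can refuse to attach a consumer.

```lua
-- Added example: pick the consumer id for a decoded ID token.
-- Assumptions: roles are in claims.roles; function names are hypothetical.

-- Normalise the roles claim into a set; anything unexpected gives an empty set.
local function role_set(claim)
    local set = {}
    if type(claim) == "string" then
        set[claim] = true
    elseif type(claim) == "table" then
        for _, role in ipairs(claim) do
            if type(role) == "string" then
                set[role] = true
            end
        end
    end
    return set
end

-- Return the id of the first configured consumer (in config order) that
-- lists one of the token's roles, or nil when no mapping applies.
local function resolve_consumer(conf, claims)
    if type(conf) ~= "table" or type(claims) ~= "table" then
        return nil
    end
    local roles = role_set(claims.roles)
    for _, consumer in ipairs(conf.consumers or {}) do
        for _, wanted in ipairs(consumer["oidc-roles"] or {}) do
            if roles[wanted] then
                return consumer.id
            end
        end
    end
    return nil
end

-- Constructed sample input mirroring the route configuration in the issue.
local conf = { consumers = {
    { id = "read-only-user", ["oidc-roles"] = { "standard-user" } },
    { id = "admin-user",     ["oidc-roles"] = { "super-user" } },
} }

assert(resolve_consumer(conf, { roles = { "super-user" } }) == "admin-user")
assert(resolve_consumer(conf, { roles = "standard-user" }) == "read-only-user")
-- Both roles present: config order decides which consumer is chosen.
assert(resolve_consumer(conf, { roles = { "super-user", "standard-user" } }) == "read-only-user")
-- Missing or malformed roles claim: no consumer is attached.
assert(resolve_consumer(conf, {}) == nil and resolve_consumer(conf, { roles = 42 }) == nil)
```

With first-match semantics a token holding several mapped roles resolves by the order of the `consumers` list, so the ordering of that list is part of the access policy.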