diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index de0a9430e353..5cad27466c80 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -19,6 +19,7 @@ local core = require("apisix.core")
 local ngx_re = require("ngx.re")
 local openidc = require("resty.openidc")
 local random = require("resty.random")
+local fetch_secrets = require("apisix.secret").fetch_secrets
 local string = string
 local ngx = ngx
 local ipairs = ipairs
@@ -471,7 +472,8 @@ local function required_scopes_present(required_scopes, http_scopes)
 end
 
 function _M.rewrite(plugin_conf, ctx)
- local conf = core.table.clone(plugin_conf)
+ local conf_clone = core.table.clone(plugin_conf)
+ local conf = fetch_secrets(conf_clone)
 
 -- Previously, we multiply conf.timeout before storing it in etcd.
 -- If the timeout is too large, we should not multiply it again.
diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
index 0ee7d7eb86b4..2fb50edcc743 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
@@ -93,6 +93,15 @@ description: OpenID Connect allows the client to obtain user information from th
 
 NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields).
 
+In addition, you can use Environment Variables or APISIX secret to store and reference plugin attributes. APISIX currently supports storing secrets in two ways - [Environment Variables and HashiCorp Vault](../terminology/secret.md).
+
+For example, use below command to set environment variable
+`export keycloak_secret=abc`
+
+and use it in plugin conf like below
+
+`"client_secret": "$ENV://keycloak_secret"`
+
 ## Scenarios
 
 :::tip
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index 427e439ad628..b8ea34f6cc50 100644
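Review bot: In `_M.rewrite`, the value returned by `fetch_secrets(conf_clone)` is used as `conf` with no check that the `$ENV://` or `$secret://` references were actually resolved; the hunk adds no handling for a missing environment variable or an unreachable Vault, so a failed lookup presumably leaves the placeholder text, or nothing, in `client_secret` and the plugin then fails authentication with no message pointing at secret resolution. A warning log when a reference is still unresolved after the call would make that case diagnosable, and the rest of `_M.rewrite`, which consumes `conf`, lies outside the hunk. Because `rewrite` runs on every request, a Vault-backed reference also implies a secret lookup per request unless `fetch_secrets` caches, which this diff does not show. Minor: `conf_clone` is only an intermediate, so `local conf = fetch_secrets(core.table.clone(plugin_conf))` reads the same.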
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -34,6 +34,11 @@ add_block_preprocessor(sub {
 }
 });
 
+BEGIN {
+ $ENV{CLIENT_SECRET_ENV} = "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa";
+ $ENV{VAULT_TOKEN} = "root";
+}
+
 run_tests();
 
 __DATA__
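Review bot: The `BEGIN` block gives no reason for setting `CLIENT_SECRET_ENV` and `VAULT_TOKEN` at file level instead of inside the tests that use them; presumably they must be in the process environment before `run_tests()` starts nginx so that the `$ENV://CLIENT_SECRET_ENV` reference in TEST 41 resolves inside the worker, while `VAULT_TOKEN` is read by the `vault` CLI in TEST 42, which also sets it inline, so one of the two settings is redundant. A one-line comment would save the next reader that reconstruction: `# set before run_tests() so nginx workers inherit them: TEST 41 reads $ENV://CLIENT_SECRET_ENV, TEST 42 uses VAULT_TOKEN`.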
@@ -1550,3 +1555,95 @@ true qr/token validate successfully by \w+/ --- grep_error_log_out token validate successfully by jwks + +=== TEST 41: configure oidc plugin with small public key using environment variable +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ "plugins": { + "openid-connect": { + "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH", + "client_secret": "$ENV://CLIENT_SECRET_ENV", + "discovery": "https://samples.auth0.com/.well-known/openid-configuration", + "redirect_uri": "https://iresty.com", + "ssl_verify": false, + "timeout": 10, + "bearer_only": true, + "scope": "apisix", + "public_key": "-----BEGIN PUBLIC KEY-----\n]] .. + [[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] .. + [[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] .. + [[-----END PUBLIC KEY-----", + "token_signing_alg_values_expected": "RS256" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + +=== TEST 42: store secret into vault +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/foo client_secret=60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa +--- response_body +Success! 
Data written to: kv/apisix/foo + +=== TEST 43: configure oidc plugin with small public key using vault +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ "plugins": { + "openid-connect": { + "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH", + "client_secret": "$secret://vault/test1/foo/client_secret", + "discovery": "https://samples.auth0.com/.well-known/openid-configuration", + "redirect_uri": "https://iresty.com", + "ssl_verify": false, + "timeout": 10, + "bearer_only": true, + "scope": "apisix", + "public_key": "-----BEGIN PUBLIC KEY-----\n]] .. + [[MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANW16kX5SMrMa2t7F2R1w6Bk/qpjS4QQ\n]] .. + [[hnrbED3Dpsl9JXAx90MYsIWp51hBxJSE/EPVK8WF/sjHK1xQbEuDfEECAwEAAQ==\n]] .. + [[-----END PUBLIC KEY-----", + "token_signing_alg_values_expected": "RS256" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed
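Review bot: TEST 41 and TEST 43 only assert `passed` from the admin API route PUT; neither sends a request to `/hello`, so `_M.rewrite` and the `$ENV://`/`$secret://` resolution this change introduces are never exercised, and a reference that resolves to nothing would pass both tests unchanged. A request to `/hello` with a `--- grep_error_log` check on the plugin's log output, in the style of the preceding test's `token validate successfully by` assertion, would pin the behaviour. TEST 43 also references `$secret://vault/test1/foo/client_secret` while TEST 42 writes to `kv/apisix/foo`; the secret resource `test1` that maps one onto the other is not created in this hunk, so it is presumably set up elsewhere in the file, and a comment naming where would help. The hunk runs to the end of the file.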