add auth_type to get properties from the oidc issuer setting

Author: y-tabata

CHANGELOG.md

@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - `APICAST_ACCESS_LOG_FILE` env to make the access log location configurable [THREESCALE-743](https://github.com/3scale/apicast/pull/743)
 - ENV variables to make APIcast listen on HTTPS port [PR #622](https://github.com/3scale/apicast/pull/622) 
 - New `ssl_certificate` phase allows policies to provide certificate to terminate HTTPS connection [PR #622](https://github.com/3scale/apicast/pull/622).
+- Configurable `auth_type` for the token introspection policy [PR #755](https://github.com/3scale/apicast/pull/755)
 
 ### Changed
 

examples/policies/token_introspection_configuration.lua

@@ -1,6 +1,7 @@
 local policy_chain = require('apicast.policy_chain').default()
 
 local token_policy = require('apicast.policy.token_introspection').new({
+        auth_type = "client_id+client_secret",
         introspection_url = "http://localhost:8080/auth/realms/3scale/protocol/openid-connect/token/introspect",
         client_id = "YOUR_CLIENT_ID",
         client_secret = "YOUR_CLIENT_SECRET"

gateway/src/apicast/policy/token_introspection/apicast-policy.json

@@ -2,24 +2,17 @@
   "$schema": "http://apicast.io/poolicy-v1/schema#manifest#",
   "name": "OAuth 2.0 Token Introspection",
   "summary": "Configures OAuth 2.0 Token Introspection.",
-  "description": 
-  ["This policy executes OAuth 2.0 Token Introspection ",
-   "(https://tools.ietf.org/html/rfc7662) for every API call."],
+  "description": ["This policy executes OAuth 2.0 Token Introspection ",
+    "(https://tools.ietf.org/html/rfc7662) for every API call."
+  ],
   "version": "builtin",
   "configuration": {
     "type": "object",
     "properties": {
-      "introspection_url": {
-        "description": "Introspection Endpoint URL",
-        "type": "string"
-      },
-      "client_id": {
-        "description": "Client ID for the Token Introspection Endpoint",
-        "type": "string"
-      },
-      "client_secret": {
-        "description": "Client Secret for the Token Introspection Endpoint",
-        "type": "string"
+      "auth_type": {
+        "type": "string",
+        "enum": ["use_3scale_oidc_issuer_endpoint", "client_id+client_secret"],
+        "default": "client_id+client_secret"
       },
       "max_ttl_tokens": {
         "description": "Max TTL for cached tokens",
@@ -33,6 +26,43 @@
         "minimum": 0,
         "maximum": 10000
       }
+    },
+    "required": [
+      "auth_type"
+    ],
+    "dependencies": {
+      "auth_type": {
+        "oneOf": [{
+          "properties": {
+            "auth_type": {
+              "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.",
+              "enum": ["use_3scale_oidc_issuer_endpoint"]
+            }
+          }
+        }, {
+          "properties": {
+            "auth_type": {
+              "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.",
+              "enum": ["client_id+client_secret"]
+            },
+            "client_id": {
+              "description": "Client ID for the Token Introspection Endpoint",
+              "type": "string"
+            },
+            "client_secret": {
+              "description": "Client Secret for the Token Introspection Endpoint",
+              "type": "string"
+            },
+            "introspection_url": {
+              "description": "Introspection Endpoint URL",
+              "type": "string"
+            }
+          },
+          "required": [
+            "client_id", "client_secret", "introspection_url"
+          ]
+        }]
+      }
     }
   }
 }

gateway/src/apicast/policy/token_introspection/token_introspection.lua

@@ -6,6 +6,7 @@ local http_authorization = require 'resty.http_authorization'
 local http_ng = require 'resty.http_ng'
 local user_agent = require 'apicast.user_agent'
 local resty_env = require('resty.env')
+local resty_url = require('resty.url')
 
 local tokens_cache = require('tokens_cache')
 
@@ -16,19 +17,25 @@ local new = _M.new
 local noop = function() end
 local noop_cache = { get = noop, set = noop }
 
+local function create_credential(client_id, client_secret)
+  return 'Basic ' .. ngx.encode_base64(table.concat({ client_id, client_secret }, ':'))
+end
+
 function _M.new(config)
   local self = new(config)
   self.config = config or {}
+  self.auth_type = config.auth_type or "client_id+client_secret"
   --- authorization for the token introspection endpoint.
   -- https://tools.ietf.org/html/rfc7662#section-2.2
-  local credential = 'Basic ' .. ngx.encode_base64(table.concat({ self.config.client_id or '', self.config.client_secret or '' }, ':'))
-  self.introspection_url = config.introspection_url
+  if self.auth_type == "client_id+client_secret" then
+    self.credential = create_credential(self.config.client_id or '', self.config.client_secret or '')
+    self.introspection_url = config.introspection_url
+  end
   self.http_client = http_ng.new{
     backend = config.client,
     options = {
       headers = {
-        ['User-Agent'] = user_agent(),
-        ['Authorization'] = credential
+        ['User-Agent'] = user_agent()
       },
       ssl = { verify = resty_env.enabled('OPENSSL_VERIFY') }
     }
@@ -55,7 +62,8 @@ local function introspect_token(self, token)
 
   --- Parameters for the token introspection endpoint.
   -- https://tools.ietf.org/html/rfc7662#section-2.1
-  local res, err = self.http_client.post(self.introspection_url , { token = token, token_type_hint = 'access_token'})
+  local res, err = self.http_client.post{self.introspection_url , { token = token, token_type_hint = 'access_token'},
+    headers = {['Authorization'] = self.credential}}
   if err then
     ngx.log(ngx.WARN, 'token introspection error: ', err, ' url: ', self.introspection_url)
     return { active = false }
@@ -77,6 +85,18 @@ local function introspect_token(self, token)
 end
 
 function _M:access(context)
+  if self.auth_type == "use_3scale_oidc_issuer_endpoint" then
+    if not context.proxy.oauth then
+      ngx.status = context.service.auth_failed_status
+      ngx.say(context.service.error_auth_failed)
+      return ngx.exit(ngx.status)
+    end
+
+    local components = resty_url.parse(context.service.oidc.issuer_endpoint)
+    self.credential = create_credential(components.user, components.password)
+    self.introspection_url = context.proxy.oauth.config.openid.token_introspection_endpoint
+  end
+
   if self.introspection_url then
     local authorization = http_authorization.new(ngx.var.http_authorization)
     local access_token = authorization.token

spec/policy/token_introspection/token_introspection_spec.lua

@@ -33,6 +33,7 @@ describe("token introspection policy", function()
     it('success with valid token', function()
       local introspection_url = "http://example/token/introspection"
       local policy_config = {
+        auth_type = "client_id+client_secret",
         introspection_url = introspection_url,
         client_id = test_client_id,
         client_secret = test_client_secret
@@ -61,6 +62,7 @@ describe("token introspection policy", function()
     it('failed with invalid token', function()
       local introspection_url = "http://example/token/introspection"
       local policy_config = {
+        auth_type = "client_id+client_secret",
         introspection_url = introspection_url,
         client_id = "client",
         client_secret = "secret"
@@ -93,6 +95,7 @@ describe("token introspection policy", function()
     it('failed with bad status code', function()
       local introspection_url = "http://example/token/introspection"
       local policy_config = {
+        auth_type = "client_id+client_secret",
         introspection_url = introspection_url,
         client_id = "client",
         client_secret = "secret"
@@ -122,6 +125,7 @@ describe("token introspection policy", function()
     it('failed with null response', function()
       local introspection_url = "http://example/token/introspection"
       local policy_config = {
+        auth_type = "client_id+client_secret",
         introspection_url = introspection_url,
         client_id = "client",
         client_secret = "secret"
@@ -152,6 +156,7 @@ describe("token introspection policy", function()
     it('failed with bad contents type', function()
       local introspection_url = "http://example/token/introspection"
       local policy_config = {
+        auth_type = "client_id+client_secret",
         introspection_url = introspection_url,
         client_id = "client",
         client_secret = "secret"
@@ -182,6 +187,7 @@ describe("token introspection policy", function()
     describe('when caching is enabled', function()
       local introspection_url = "http://example/token/introspection"
       local policy_config = {
+        auth_type = "client_id+client_secret",
         introspection_url = introspection_url,
         client_id = test_client_id,
         client_secret = test_client_secret,
@@ -241,4 +247,3 @@ describe("token introspection policy", function()
     end)
   end)
 end)
-