fix(plugins): multiple auth fix in an OR scenario #2222
Conversation
The last auth plugin running would overritw the results of the previous ones. So if the first authenticates succesfully, and the second fails, then the second one would overwrite the consumer details with the details of the anonymous consumer WIP: 2 failing oauth2 tests Reason: the oauth2 endpoint is also authenticated by the configured plugins. Hence in the AND scenario, the key-auth plugin returns a 40x, which in turn makes the oauth2 fail
Tieske
added
the
pr/changes requested
Tieske
added
pr/status/needs review
and removed
pr/changes requested
|
The oauth2 has some peculiarities when used in an AND fashion. The token endpoints also fall within the api, hence when a token is requested, the other configured auth methods kick in. So to make this pass, the token endpoints also require credentials for the other auth methods. Discussed this with @thefosk and we agreed on this solution. |
…tipleauth Resolved merge conflicts and fixed linter errors
| @@ -4,7 +4,9 @@ local meta = require "kong.meta" | |||
| local utils = require "kong.tools.utils" | |||
|
|
|||
| describe("Plugin: basic-auth (access)", function() | |||
|
|
|||
There was a problem hiding this comment.
are these newlines necessary? we could fix style here in a separate commit. these changes are outside the scope of this PR, dirtying the commit history.
There was a problem hiding this comment.
will keep them separate next time
|
Only comment from me is that all the authentication plugins seems to share this: function _M.execute(conf)
if ngx.ctx.authenticated_credential and conf.anonymous ~= "" then
-- we're already authenticated, and we're configured for using anonymous,
-- hence we're in a logical OR between auth methods and we're already done.
return
end
local ok, err = do_authentication(conf)
if not ok then
if conf.anonymous ~= "" then
-- get anonymous user
local consumer, err = cache.get_or_set(cache.consumer_key(conf.anonymous),
nil, load_consumer_into_memory, conf.anonymous, true)
if err then
return responses.send_HTTP_INTERNAL_SERVER_ERROR(err)
end
set_consumer(consumer, nil)
else
return responses.send(err.status, err.message)
end
end
endSo I was thinking could we generalize this somewhere, e.g. Note: this is far from the only thing repeating, though. |
|
Another thing is the usablity:
If I'm correct? Pretty hard to wrap this in your head. But what this already does is better than we had, so LGTM. |
|
@bungle The long term plan is to rewrite the plugins runloop in such a way that:
imo, spending time getting rid of some code duplication we currently have would be a waste of time, due to this plugins runloop rewrite and the Public Lua API (that will have functions dedicated to Authentication plugins). |
| @@ -112,6 +112,9 @@ | |||
| - Relax multipart MIME type parsing. A space is allowed in between values | |||
| of the Content-Type header. | |||
| [#2215](https://github.com/Mashape/kong/pull/2215) | |||
| - Multiple auth plugins would overwrite eachothers results, causing | |||
| false negatives in an OR scenario. | |||
| [#2222](https://github.com/Mashape/kong/pull/2222) | |||
There was a problem hiding this comment.
This was not moved to the correct version this was merged against. Be extra wary when merging PRs.
The last auth plugin running would overwrite the results of the previous ones.
So if the first authenticates successfully, and the second fails, then the
second one would overwrite the consumer details with the details of the
anonymous consumer.
WIP: 2 failing oauth2 tests
Reason: the oauth2 endpoint is also authenticated by the configured
plugins. Hence in the AND scenario, the key-auth plugin returns a 40x, which
in turn makes the oauth2 fail