From ba40e020f80f39707ec8d2b5c69111719f3429a6 Mon Sep 17 00:00:00 2001
From: Amirhossein Rajabi
Date: Tue, 8 Oct 2024 15:53:55 +0330
Subject: [PATCH 1/2] feat: use custome auth header name

---
 apisix/plugins/openid-connect.lua | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index c4388abbfc6c..d88ce9944a82 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -269,6 +269,7 @@ local schema = {
 pattern = "^[^:]+$"
 }
 },
+ auth_accept_token_as_header_name = { type = "string", default = "Authorization" },
 required_scopes = {
 description = "List of scopes that are required to be granted to the access token",
 type = "array",
@@ -319,19 +320,11 @@ function _M.check_schema(conf)
 end
-local function get_bearer_access_token(ctx)
+local function get_bearer_access_token(ctx, conf)
 -- Get Authorization header, maybe.
- local auth_header = core.request.header(ctx, "Authorization")
+ local auth_header = core.request.header(ctx, conf.auth_accept_token_as_header_name)
 if not auth_header then
- -- No Authorization header, get X-Access-Token header, maybe.
- local access_token_header = core.request.header(ctx, "X-Access-Token")
- if not access_token_header then
- -- No X-Access-Token header neither.
- return false, nil, nil
- end
-
- -- Return extracted header value.
- return true, access_token_header, nil
+ return false, nil, nil
 end
 -- Check format of Authorization header.
@@ -356,7 +349,7 @@ end
 local function introspect(ctx, conf)
 -- Extract token, maybe.
- local has_token, token, err = get_bearer_access_token(ctx)
+ local has_token, token, err = get_bearer_access_token(ctx, conf)
 if err then
 return ngx.HTTP_BAD_REQUEST, err, nil, nil

From 901cf0f76e372fc33f7249c8c610e8f4534fd26b Mon Sep 17 00:00:00 2001
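Review bot: The new `auth_accept_token_as_header_name` schema entry accepts any string, including the empty string, and unlike the neighbouring `required_scopes` entry it carries no `description`; an empty name makes `core.request.header` look up a header that can never be present, so every request is silently treated as token-less rather than being rejected at config validation. Suggest `auth_accept_token_as_header_name = { description = "Name of the request header carrying the access token", type = "string", default = "Authorization", minLength = 1 },`. The sibling entry ending in `pattern = "^[^:]+$"` just above may be a header-name constraint worth reusing here, but which field it belongs to is not visible in the hunk.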
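Review bot: The rewritten `get_bearer_access_token` drops the `X-Access-Token` fallback, so a deployment that today sends its token in that header and does not set the new option will start receiving no-token responses, yet the comment still reads `-- Get Authorization header, maybe.` and the accompanying doc patch does not mention the removal. The function continues past the hunk with `-- Check format of Authorization header.`, which suggests the configured header's value is still parsed as an Authorization-style value; if so, an operator who sets `auth_accept_token_as_header_name = "X-Access-Token"` to restore the old behaviour presumably must now also send a `Bearer ` prefix, which should be confirmed and stated. I would replace the comment with `-- Read the access token from the header named by conf.auth_accept_token_as_header_name (default "Authorization"); the value is validated like an Authorization header below. The earlier X-Access-Token fallback was removed.` and add a migration note to the plugin docs. Only the `introspect` call site is updated in this patch; any other caller of `get_bearer_access_token` outside the visible hunks would now index `nil` for `conf`, so that is worth a grep before merging.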
From: Amirhosein Rajabi
Date: Sun, 23 Feb 2025 12:41:37 +0330
Subject: [PATCH 2/2] docs: add description for auth_accept_token_as_header_name in openid-connect plugin

---
 docs/en/latest/plugins/openid-connect.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
index 4483abd656dd..cf0c03692f29 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
@@ -90,6 +90,7 @@ description: OpenID Connect allows the client to obtain user information from th
 | introspection_interval | integer | False | 0 | | TTL of the cached and introspected access token in seconds. |
 | introspection_expiry_claim | string | False | | | Name of the expiry claim, which controls the TTL of the cached and introspected access token. The default value is 0, which means this option is not used and the plugin defaults to use the TTL passed by expiry claim defined in `introspection_expiry_claim`. If `introspection_interval` is larger than 0 and less than the TTL passed by expiry claim defined in `introspection_expiry_claim`, use `introspection_interval`. |
 | introspection_addon_headers | string[] | False | | | Array of strings. Used to append additional header values to the introspection HTTP request. If the specified header does not exist in origin request, value will not be appended. |
+| auth_accept_token_as_header_name | string | False | "Authorization" | | Name of the request header from which to accept the access token. Defaults to `Authorization`. |
 NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields).