feat: support github provider for oidc wasm plugin (#1639)

2026-03-06 01:20:51 +08:00 · 2025-01-02 10:01:54 +08:00
parent 2d74c48e8a
commit 00be491d02
4 changed files with 103 additions and 3 deletions
--- a/plugins/wasm-go/extensions/oidc/README.md
+++ b/plugins/wasm-go/extensions/oidc/README.md
@@ -32,6 +32,7 @@ description: OIDC 认证插件配置参考
 | client_secret                 | string       | the OAuth Client Secret                                      |                   |
 | provider                      | string       | OAuth provider                                               | oidc              |
 | pass_authorization_header     | bool         | pass OIDC IDToken to upstream via Authorization Bearer header | true              |
+| pass_access_token             | bool         | pass OIDC Access Token to upstream via X-Forwarded-Access-Token header. | False             |
 | oidc_issuer_url               | string       | the OpenID Connect issuer URL, e.g. `"https://dev-o43xb1mz7ya7ach4.us.auth0.com"` |                   |
 | oidc_verifier_request_timeout | uint32       | OIDC verifier discovery request timeout                      | 2000(ms)          |
 | scope                         | string       | OAuth scope specification                                    |                   |
@@ -296,6 +297,55 @@ match_list:

 ![aliyun_result](https://gw.alicdn.com/imgextra/i3/O1CN015pGvi51eakt3pFS8Y_!!6000000003888-0-tps-3840-2160.jpg)

+### Github 配置示例
+
+#### Step 1: 配置 Github OAuth应用
+
+通过 https://github.com/settings/developers 创建OAuthApp
+
+#### Step 2: Higress 配置服务来源
+
+* 创建DNS类型服务来源地址为github.com
+* 创建DNS类型服务来源地址为api.github.com（用于验证OIDC流程中的access_token）
+
+![github_service](https://www.helloimg.com/i/2024/12/31/677398a2b34be.png)
+
+#### Step 3: OIDC 服务 HTTPS 配置
+
+参考Auth0的Step3对创建的两个DNS服务配置Ingress
+
+#### Step 4: Wasm 插件配置
+
+```yaml
+redirect_url: 'http://foo.bar.com/oauth2/callback'
+provider: github
+oidc_issuer_url: 'https://github.com/'
+pass_access_token: true
+client_id: 'XXXXXXXXXXXXXXXX'
+client_secret: 'XXXXXXXXXXXXXXXX'
+scope: 'user repo'
+cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
+service_name: 'github.dns'
+service_port: 443
+validate_service_name: 'api.dns'
+validate_service_port: 443
+match_type: 'whitelist'
+match_list:
+    - match_rule_domain: '*.bar.com'
+      match_rule_path: '/headers'
+      match_rule_type: 'prefix'
+```
+
+#### 访问服务页面，未登陆的话进行跳转
+
+![github_login](https://www.helloimg.com/i/2024/12/31/6773983f64b3c.png)
+
+#### 登陆成功跳转到服务页面
+
+配置了`pass_access_token=true`后会在`X-Forwarded-Access-Token`header头中携带access_token
+
+![github_result](https://www.helloimg.com/i/2024/12/31/677398de64872.png)
+
 ### OIDC 流程图

 <p align="center">
@@ -422,5 +472,4 @@ curl -X POST \
 ```

 4. 携带 Authorization 的标头对应 access_token 访问对应 API
-5. 后端服务根据 access_token 获取用户授权信息并返回对应的 HTTP 响应
-
+5. 后端服务根据 access_token 获取用户授权信息并返回对应的 HTTP 响应
--- a/plugins/wasm-go/extensions/oidc/README_EN.md
+++ b/plugins/wasm-go/extensions/oidc/README_EN.md
@@ -29,6 +29,7 @@ Plugin execution priority: `350`
 | client_secret                 | string       | The OAuth Client Secret                                      |                   |
 | provider                      | string       | OAuth provider                                               | oidc              |
 | pass_authorization_header     | bool         | Pass OIDC IDToken to upstream via Authorization Bearer header | true              |
+| pass_access_token             | bool         | pass OIDC Access Token to upstream via X-Forwarded-Access-Token header. | False             |
 | oidc_issuer_url               | string       | The OpenID Connect issuer URL, e.g. `"https://dev-o43xb1mz7ya7ach4.us.auth0.com"` |                   |
 | oidc_verifier_request_timeout | uint32       | OIDC verifier discovery request timeout                      | 2000(ms)          |
 | scope                         | string       | OAuth scope specification                                    |                   |
@@ -254,6 +255,54 @@ Directly login using a RAM user or click the main account login.
 #### Successful Login Redirects to Service Page
 ![aliyun_result](https://gw.alicdn.com/imgextra/i3/O1CN015pGvi51eakt3pFS8Y_!!6000000003888-0-tps-3840-2160.jpg)

+### Github Configuration Example
+
+#### Step 1: Configure Github OAuth App
+
+Create a new OAuth App: https://github.com/settings/developers
+
+#### Step 2: Higress Configure Service Source
+
+* Create a DNS service with the source address set to github.com.
+* Create a DNS service with the source address set to api.github.com (used to validate the access token in the OIDC flow).
+
+![github_service](https://www.helloimg.com/i/2024/12/31/677398a2b34be.png)
+
+#### Step 3: OIDC Service HTTPS Protocol
+Configure Ingress for the two created DNS services by referring to Step 3 of Auth0.
+
+#### Step 4: Wasm Plugin Configuration
+
+```yaml
+redirect_url: 'http://foo.bar.com/oauth2/callback'
+provider: github
+oidc_issuer_url: 'https://github.com/'
+pass_access_token: true
+client_id: 'XXXXXXXXXXXXXXXX'
+client_secret: 'XXXXXXXXXXXXXXXX'
+scope: 'user repo'
+cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
+service_name: 'github.dns'
+service_port: 443
+validate_service_name: 'api.dns'
+validate_service_port: 443
+match_type: 'whitelist'
+match_list:
+    - match_rule_domain: '*.bar.com'
+      match_rule_path: '/headers'
+      match_rule_type: 'prefix'
+```
+
+#### Access Service Page; Redirect if Not Logged In
+
+![github_login](https://www.helloimg.com/i/2024/12/31/6773983f64b3c.png)
+
+#### Successful Login Redirects to Service Page
+
+With pass_access_token=true configured, the access_token will be included in the X-Forwarded-Access-Token header.
+
+![github_result](https://www.helloimg.com/i/2024/12/31/677398de64872.png)
+
 ### OIDC Flow Diagram
 <p align="center">
  <img src="https://gw.alicdn.com/imgextra/i3/O1CN01TJSh9c1VwR61Q2nek_!!6000000002717-55-tps-1807-2098.svg" alt="oidc_process" width="600" />
--- a/plugins/wasm-go/extensions/oidc/go.mod
+++ b/plugins/wasm-go/extensions/oidc/go.mod
@@ -8,7 +8,7 @@ replace github.com/alibaba/higress/plugins/wasm-go => ../..

 require (
 	github.com/alibaba/higress/plugins/wasm-go v1.3.6-0.20240531060402-2807ddfbb79e
-	github.com/higress-group/oauth2-proxy v1.0.1-0.20241112053537-6731cf68d467
+	github.com/higress-group/oauth2-proxy v1.0.1-0.20241227095721-c1a05d79c2a3
 	github.com/higress-group/proxy-wasm-go-sdk v1.0.0
 	github.com/tidwall/gjson v1.17.3
 )
--- a/plugins/wasm-go/extensions/oidc/go.sum
+++ b/plugins/wasm-go/extensions/oidc/go.sum
@@ -15,6 +15,8 @@ github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520 h1:IHDghbG
 github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520/go.mod h1:Nz8ORLaFiLWotg6GeKlJMhv8cci8mM43uEnLA5t8iew=
 github.com/higress-group/oauth2-proxy v1.0.1-0.20241112053537-6731cf68d467 h1:A/29Au8/Eoys+2oXRWnY2draLKCZ7Yg4gbg2cWi57lE=
 github.com/higress-group/oauth2-proxy v1.0.1-0.20241112053537-6731cf68d467/go.mod h1:UOXEF1DEkmLIfVO0p+gP5ceGPuWHI4IKMmQGt8aUTrw=
+github.com/higress-group/oauth2-proxy v1.0.1-0.20241227095721-c1a05d79c2a3 h1:wy/whwuL2rJ1BVhysgjGJ3cZ8kPxmX+2YP72fbvVZ9U=
+github.com/higress-group/oauth2-proxy v1.0.1-0.20241227095721-c1a05d79c2a3/go.mod h1:UOXEF1DEkmLIfVO0p+gP5ceGPuWHI4IKMmQGt8aUTrw=
 github.com/higress-group/proxy-wasm-go-sdk v1.0.0 h1:BZRNf4R7jr9hwRivg/E29nkVaKEak5MWjBDhWjuHijU=
 github.com/higress-group/proxy-wasm-go-sdk v1.0.0/go.mod h1:iiSyFbo+rAtbtGt/bsefv8GU57h9CCLYGJA74/tF5/0=
 github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo=