feat: support github provider for oidc wasm plugin (#1639)

2026-06-09 20:57:32 +08:00 · 2025-01-02 10:01:54 +08:00
parent 2d74c48e8a
commit 00be491d02
4 changed files with 103 additions and 3 deletions
--- a/plugins/wasm-go/extensions/oidc/README.md
+++ b/plugins/wasm-go/extensions/oidc/README.md
@@ -32,6 +32,7 @@ description: OIDC 认证插件配置参考
 | client_secret                 | string       | the OAuth Client Secret                                      |                   |
 | provider                      | string       | OAuth provider                                               | oidc              |
 | pass_authorization_header     | bool         | pass OIDC IDToken to upstream via Authorization Bearer header | true              |
 | pass_access_token             | bool         | pass OIDC Access Token to upstream via X-Forwarded-Access-Token header. | False             |
 | oidc_issuer_url               | string       | the OpenID Connect issuer URL, e.g. `"https://dev-o43xb1mz7ya7ach4.us.auth0.com"` |                   |
 | oidc_verifier_request_timeout | uint32       | OIDC verifier discovery request timeout                      | 2000(ms)          |
 | scope                         | string       | OAuth scope specification                                    |                   |
@@ -296,6 +297,55 @@ match_list:
 ![aliyun_result](https://gw.alicdn.com/imgextra/i3/O1CN015pGvi51eakt3pFS8Y_!!6000000003888-0-tps-3840-2160.jpg)
 ### Github 配置示例
 #### Step 1: 配置 Github OAuth应用
 通过 https://github.com/settings/developers 创建OAuthApp
 #### Step 2: Higress 配置服务来源
 * 创建DNS类型服务来源地址为github.com
 * 创建DNS类型服务来源地址为api.github.com（用于验证OIDC流程中的access_token）
 ![github_service](https://www.helloimg.com/i/2024/12/31/677398a2b34be.png)
 #### Step 3: OIDC 服务 HTTPS 配置
 参考Auth0的Step3对创建的两个DNS服务配置Ingress
 #### Step 4: Wasm 插件配置
 ```yaml
 redirect_url: 'http://foo.bar.com/oauth2/callback'
 provider: github
 oidc_issuer_url: 'https://github.com/'
 pass_access_token: true
 client_id: 'XXXXXXXXXXXXXXXX'
 client_secret: 'XXXXXXXXXXXXXXXX'
 scope: 'user repo'
 cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
 service_name: 'github.dns'
 service_port: 443
 validate_service_name: 'api.dns'
 validate_service_port: 443
 match_type: 'whitelist'
 match_list:
    - match_rule_domain: '*.bar.com'
      match_rule_path: '/headers'
      match_rule_type: 'prefix'
 ```
 #### 访问服务页面，未登陆的话进行跳转
 ![github_login](https://www.helloimg.com/i/2024/12/31/6773983f64b3c.png)
 #### 登陆成功跳转到服务页面
 配置了`pass_access_token=true`后会在`X-Forwarded-Access-Token`header头中携带access_token
 ![github_result](https://www.helloimg.com/i/2024/12/31/677398de64872.png)
 ### OIDC 流程图
 <p align="center">
@@ -423,4 +473,3 @@ curl -X POST \
 4. 携带 Authorization 的标头对应 access_token 访问对应 API
 5. 后端服务根据 access_token 获取用户授权信息并返回对应的 HTTP 响应
--- a/plugins/wasm-go/extensions/oidc/README_EN.md
+++ b/plugins/wasm-go/extensions/oidc/README_EN.md
@@ -29,6 +29,7 @@ Plugin execution priority: `350`
 | client_secret                 | string       | The OAuth Client Secret                                      |                   |
 | provider                      | string       | OAuth provider                                               | oidc              |
 | pass_authorization_header     | bool         | Pass OIDC IDToken to upstream via Authorization Bearer header | true              |
 | pass_access_token             | bool         | pass OIDC Access Token to upstream via X-Forwarded-Access-Token header. | False             |
 | oidc_issuer_url               | string       | The OpenID Connect issuer URL, e.g. `"https://dev-o43xb1mz7ya7ach4.us.auth0.com"` |                   |
 | oidc_verifier_request_timeout | uint32       | OIDC verifier discovery request timeout                      | 2000(ms)          |
 | scope                         | string       | OAuth scope specification                                    |                   |
@@ -254,6 +255,54 @@ Directly login using a RAM user or click the main account login.
 #### Successful Login Redirects to Service Page
 ![aliyun_result](https://gw.alicdn.com/imgextra/i3/O1CN015pGvi51eakt3pFS8Y_!!6000000003888-0-tps-3840-2160.jpg)
 ### Github Configuration Example
 #### Step 1: Configure Github OAuth App
 Create a new OAuth App: https://github.com/settings/developers
 #### Step 2: Higress Configure Service Source
 * Create a DNS service with the source address set to github.com.
 * Create a DNS service with the source address set to api.github.com (used to validate the access token in the OIDC flow).
 ![github_service](https://www.helloimg.com/i/2024/12/31/677398a2b34be.png)
 #### Step 3: OIDC Service HTTPS Protocol
 Configure Ingress for the two created DNS services by referring to Step 3 of Auth0.
 #### Step 4: Wasm Plugin Configuration
 ```yaml
 redirect_url: 'http://foo.bar.com/oauth2/callback'
 provider: github
 oidc_issuer_url: 'https://github.com/'
 pass_access_token: true
 client_id: 'XXXXXXXXXXXXXXXX'
 client_secret: 'XXXXXXXXXXXXXXXX'
 scope: 'user repo'
 cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
 service_name: 'github.dns'
 service_port: 443
 validate_service_name: 'api.dns'
 validate_service_port: 443
 match_type: 'whitelist'
 match_list:
    - match_rule_domain: '*.bar.com'
      match_rule_path: '/headers'
      match_rule_type: 'prefix'
 ```
 #### Access Service Page; Redirect if Not Logged In
 ![github_login](https://www.helloimg.com/i/2024/12/31/6773983f64b3c.png)
 #### Successful Login Redirects to Service Page
 With pass_access_token=true configured, the access_token will be included in the X-Forwarded-Access-Token header.
 ![github_result](https://www.helloimg.com/i/2024/12/31/677398de64872.png)
 ### OIDC Flow Diagram
 <p align="center">
  <img src="https://gw.alicdn.com/imgextra/i3/O1CN01TJSh9c1VwR61Q2nek_!!6000000002717-55-tps-1807-2098.svg" alt="oidc_process" width="600" />
--- a/plugins/wasm-go/extensions/oidc/go.mod
+++ b/plugins/wasm-go/extensions/oidc/go.mod
@@ -8,7 +8,7 @@ replace github.com/alibaba/higress/plugins/wasm-go => ../..
 require (
 	github.com/alibaba/higress/plugins/wasm-go v1.3.6-0.20240531060402-2807ddfbb79e
-	github.com/higress-group/oauth2-proxy v1.0.1-0.20241112053537-6731cf68d467
+	github.com/higress-group/oauth2-proxy v1.0.1-0.20241227095721-c1a05d79c2a3
 	github.com/higress-group/proxy-wasm-go-sdk v1.0.0
 	github.com/tidwall/gjson v1.17.3
 )
--- a/plugins/wasm-go/extensions/oidc/go.sum
+++ b/plugins/wasm-go/extensions/oidc/go.sum
@@ -15,6 +15,8 @@ github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520 h1:IHDghbG
 github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520/go.mod h1:Nz8ORLaFiLWotg6GeKlJMhv8cci8mM43uEnLA5t8iew=
 github.com/higress-group/oauth2-proxy v1.0.1-0.20241112053537-6731cf68d467 h1:A/29Au8/Eoys+2oXRWnY2draLKCZ7Yg4gbg2cWi57lE=
 github.com/higress-group/oauth2-proxy v1.0.1-0.20241112053537-6731cf68d467/go.mod h1:UOXEF1DEkmLIfVO0p+gP5ceGPuWHI4IKMmQGt8aUTrw=
 github.com/higress-group/oauth2-proxy v1.0.1-0.20241227095721-c1a05d79c2a3 h1:wy/whwuL2rJ1BVhysgjGJ3cZ8kPxmX+2YP72fbvVZ9U=
 github.com/higress-group/oauth2-proxy v1.0.1-0.20241227095721-c1a05d79c2a3/go.mod h1:UOXEF1DEkmLIfVO0p+gP5ceGPuWHI4IKMmQGt8aUTrw=
 github.com/higress-group/proxy-wasm-go-sdk v1.0.0 h1:BZRNf4R7jr9hwRivg/E29nkVaKEak5MWjBDhWjuHijU=
 github.com/higress-group/proxy-wasm-go-sdk v1.0.0/go.mod h1:iiSyFbo+rAtbtGt/bsefv8GU57h9CCLYGJA74/tF5/0=
 github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo=