jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-05-27 22:27:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: update README.md and support semicolon in scope (#1279)

Browse Source
This commit is contained in:
Jingze
2024-09-04 15:05:12 +08:00
committed by GitHub
parent f03ce572be
commit ea862cfd4c
2 changed files with 61 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
plugins/wasm-go/extensions/oidc/README.md
View File

@@ -2,17 +2,19 @@
## 简介 ## 简介
本仓库提供了一个高度可集成的Wasm插件支持OpenID ConnectOIDC身份认证同时强化了对跨站请求伪造CSRF攻击的防御能力支持OpenID Connect协议中的Logout Endpoint。在过Wasm插件OIDC验证后的请求携带 `Authorization`的标头对应Access Token。 本仓库提供了一个高度可集成的Wasm插件,以支持OpenID ConnectOIDC身份认证同时,该插件强化了对跨站请求伪造CSRF攻击的防御能力支持OpenID Connect协议中的注销端点(Logout Endpoint以及刷新令牌Refresh Token机制。在过Wasm插件进行OIDC验证后的请求携带 `Authorization` 头部,包含相应的访问令牌(Access Token
### OIDC 流程图 ### OIDC 流程图
<p align="center"> <p align="center">
<img src="https://gw.alicdn.com/imgextra/i4/O1CN01TlwBDY280yPxwr4Di_!!6000000007871-2-tps-1807-1828.png" alt="oidc_process" style="zoom: 33%;" /> <img src="https://gw.alicdn.com/imgextra/i3/O1CN01TJSh9c1VwR61Q2nek_!!6000000002717-55-tps-1807-2098.svg" alt="oidc_process" width="600" />
</p> </p>
### OIDC 流程解析 ### OIDC 流程解析
1. 模拟用户访问对应服务api #### 用户未登录
1. 模拟用户访问对应服务 API
```shell ```shell
curl --url "foo.bar.com/headers" curl --url "foo.bar.com/headers"
@@ -31,11 +33,13 @@
--header "Set-Cookie: _oauth2_proxy_csrf=LPruATEDgcdmelr8zScD_ObhsbP4zSzvcgmPlcNDcJpFJ0OvhxP2hFotsU-kZnYxd5KsIjzeIXGTOjf8TKcbTHbDIt-aQoZORXI_0id3qeY0Jt78223DPeJ1xBqa8VO0UiEOUFOR53FGxirJOdKFxaAvxDFb1Ok=|1718962455|V1QGWyjQ4hMNOQ4Jtf17HeQJdVqHdt5d65uraFduMIU=; Path=/; Expires=Fri, 21 Jun 2024 08:06:20 GMT; HttpOnly" --header "Set-Cookie: _oauth2_proxy_csrf=LPruATEDgcdmelr8zScD_ObhsbP4zSzvcgmPlcNDcJpFJ0OvhxP2hFotsU-kZnYxd5KsIjzeIXGTOjf8TKcbTHbDIt-aQoZORXI_0id3qeY0Jt78223DPeJ1xBqa8VO0UiEOUFOR53FGxirJOdKFxaAvxDFb1Ok=|1718962455|V1QGWyjQ4hMNOQ4Jtf17HeQJdVqHdt5d65uraFduMIU=; Path=/; Expires=Fri, 21 Jun 2024 08:06:20 GMT; HttpOnly"
``` ```
3. 用户在登录页进行登录 3. 重定向到登录页
![keycloak_login](https://gw.alicdn.com/imgextra/i4/O1CN01HLcl7r1boXwwnzGqA_!!6000000003512-0-tps-3840-2160.jpg) ![keycloak_login](https://gw.alicdn.com/imgextra/i4/O1CN01HLcl7r1boXwwnzGqA_!!6000000003512-0-tps-3840-2160.jpg)
4. 携带授权重定向到Higress并携带了state参数用于验证CSRF Cookie授权code用于交换Token 4. 用户输入用户名密码登录完成
5. 携带授权重定向到 Higress 并携带了 state 参数用于验证 csrf cookie ,授权码用于交换 token
```shell ```shell
curl --url "http://foo.bar.com/oauth2/callback" \ curl --url "http://foo.bar.com/oauth2/callback" \
@@ -43,7 +47,9 @@
--url-query "code=0bdopoS2c2lx95u7iO0OH9kY1TvaEdJHo4lB6CT2_qVFm" --url-query "code=0bdopoS2c2lx95u7iO0OH9kY1TvaEdJHo4lB6CT2_qVFm"
``` ```
5. 利用授权交换id_token和access_token 6. 校验 csrf cookie 中加密存储的 state 值与 url 参数中的 state 值必须相同
7. 利用授权交换 id_token 和 access_token
```shell ```shell
curl -X POST \ curl -X POST \
@@ -55,7 +61,7 @@
--data "code=0bdopoS2c2lx95u7iO0OH9kY1TvaEdJHo4lB6CT2_qVFm" \ --data "code=0bdopoS2c2lx95u7iO0OH9kY1TvaEdJHo4lB6CT2_qVFm" \
``` ```
返回的请求里包含了id_token, access_tokenrefresh_token用于后续刷新access_token 返回的请求里包含了 id_token, access_tokenrefresh_token 用于后续刷新 token
```json ```json
{ {
@@ -68,7 +74,9 @@
} }
``` ```
6. 将获得的id_tokenaccess_token加密存储在Cookie _oauth2_proxy中用于后续用户登录状态的验证同时清除Cookie _oauth2_proxy_csrf 8. 将获得的 id_token, access_token, refresh_token 加密存储在cookie _oauth2_proxy中
9. 重定向到用户访问的后端服务并设置 cookie用于后续用户登录状态的验证同时清除 cookie _oauth2_proxy_csrf
```json ```json
"Set-Cookie": [ "Set-Cookie": [
@@ -77,14 +85,16 @@
] ]
``` ```
7. 携带 Authorization的标头对应access_token访问对应api 10. 校验是否存在 cookie 存储了用户的 token 信息同时查看是否过期
11. 使用含有 Authorization 头部存储用户的 access_token 访问相应的 API
```shell ```shell
curl --url "foo.bar.com/headers" curl --url "foo.bar.com/headers"
--header "Authorization: Bearer eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtbzQzeGIxbXo3eWE3YWNoNC51cy5hdXRoMC5jb20vIn0..WP_WRVM-y3fM1sN4.fAQqtKoKZNG9Wj0OhtrMgtsjTJ2J72M2klDRd9SvUKGbiYsZNPmIl_qJUf81D3VIjD59o9xrOOJIzXTgsfFVA2x15g-jBlNh68N7dyhXu9237Tbplweu1jA25IZDSnjitQ3pbf7xJVIfPnWcrzl6uT8G1EP-omFcl6AQprV2FoKFMCGFCgeafuttppKe1a8mpJDj7AFLPs-344tT9mvCWmI4DuoLFh0PiqMMJBByoijRSxcSdXLPxZng84j8JVF7H6mFa-dj-icP-KLy6yvzEaRKz_uwBzQCzgYK434LIpqw_PRuN3ClEsenwRgIsNdVjvKcoAysfoZhmRy9BQaE0I7qTohSBFNX6A.mgGGeeWgugfXcUcsX4T5dQ" --header "Authorization: Bearer eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtbzQzeGIxbXo3eWE3YWNoNC51cy5hdXRoMC5jb20vIn0..WP_WRVM-y3fM1sN4.fAQqtKoKZNG9Wj0OhtrMgtsjTJ2J72M2klDRd9SvUKGbiYsZNPmIl_qJUf81D3VIjD59o9xrOOJIzXTgsfFVA2x15g-jBlNh68N7dyhXu9237Tbplweu1jA25IZDSnjitQ3pbf7xJVIfPnWcrzl6uT8G1EP-omFcl6AQprV2FoKFMCGFCgeafuttppKe1a8mpJDj7AFLPs-344tT9mvCWmI4DuoLFh0PiqMMJBByoijRSxcSdXLPxZng84j8JVF7H6mFa-dj-icP-KLy6yvzEaRKz_uwBzQCzgYK434LIpqw_PRuN3ClEsenwRgIsNdVjvKcoAysfoZhmRy9BQaE0I7qTohSBFNX6A.mgGGeeWgugfXcUcsX4T5dQ"
``` ```
8. 后端服务根据access_token获取用户信息并返回对应的Http响应 12. 后端服务根据 access_token 获取用户授权信息并返回对应的 HTTP 响应
```json ```json
{ {
@@ -99,6 +109,29 @@
} }
``` ```
#### 用户令牌刷新
1. 模拟用户访问对应服务 API
```shell
curl --url "foo.bar.com/headers"
```
2. 验证令牌的过期时间
3. 如果在 cookie 中检测到存在 refresh_token则可以访问相应的接口以交换新的 id_token 和 access_token
```shell
curl -X POST \
--url "https://dev-o43xb1mz7ya7ach4.us.auth0.com/oauth/token" \
--data "grant_type=refresh_token" \
--data "client_id=YagFqRD9tfNIaac5BamjhsSatjrAnsnZ" \
--data "client_secret=ekqv5XoZuMFtYms1NszEqRx03qct6BPvGeJUeptNG4y09PrY16BKT9IWezTrrhJJ" \
--data "refresh_token=GrZ1f2JvzjAZQzSXmyr1ScWbv8aMFBvzAXHBUSiILcDEG"
```
4. 携带 Authorization 的标头对应 access_token 访问对应 API
5. 后端服务根据 access_token 获取用户授权信息并返回对应的 HTTP 响应
## 配置 ## 配置
### 配置项 ### 配置项

1
plugins/wasm-go/extensions/oidc/main.go
View File

@@ -42,6 +42,7 @@ func parseConfig(json gjson.Result, config *PluginConfig, log wrapper.Log) error
if err != nil { if err != nil {
return err return err
} }
opts.Providers[0].Scope = strings.Replace(opts.Providers[0].Scope, ";", " ", -1)
config.options = opts config.options = opts
oidcHandler, err = oidc.NewOAuthProxy(opts) oidcHandler, err = oidc.NewOAuthProxy(opts)