OIDC 插件的黑名单匹配规则支持 domain 非必填

[Japson0]

If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via ASRC(Alibaba Security Response Center) where the issue will be triaged appropriately.

• I have searched the issues of this repository and believe that this is not a duplicate.

Ⅰ. Issue Description

我启用OIDC后，发现不起作用，打开插件日志后出现以下日志

2025-01-10T07:35:15.950839Z	warning	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1390	wasm log: [oidc] parse rule config failed: invalid configuration:
  missing setting: cookie-secret
  provider missing setting: client-id
  missing setting: client-secret or client-secret-file	thread=47
2025-01-10T07:35:15.950876Z	error	envoy wasm external/envoy/source/extensions/common/wasm/wasm.cc:151	Wasm VM failed Failed to configure base Wasm plugin	thread=47

这是我的OIDC插件配置

client_id: "aaa"
client_secret: "lxxabzH5qroDMVI5G0enMiGtaPw8oWRg"
match_list:
- match_rule_path: "/test"
  match_rule_type: "prefix"
match_type: "blacklist"
oidc_issuer_url: "http://127.0.0.1:8084/realms/master"
redirect_url: "http://foo.bar.com/oauth2/callback"
scope: "openid email offline_access"
service_name: "keycloak.static"
service_port: 80
service_host: http://127.0.0.1:8084/

• Higress version: 2.0.5
• OS : K8S
• Others:

[johnlanni]

2025-01-10T07:35:15.950839Z warning envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1390 wasm log: [oidc] parse rule config failed: invalid configuration:
missing setting: cookie-secret
provider missing setting: client-id
missing setting: client-secret or client-secret-file thread=47

不是这个已经说明问题了，缺少对应的配置字段

[johnlanni]

cc @Jing-ze 这个报错看上去有问题，只是少了 cookie_secret，但提示少了 client-id 和 client-secret，而且字段名中的下划线变成了中横杠

[Japson0]

还有我想请问下，如何把插件日志完整打印出来，有时候插件不生效也没一点提示，完全没法感知

[Jing-ze]

还有我想请问下，如何把插件日志完整打印出来，有时候插件不生效也没一点提示，完全没法感知

可以进入数据面容器，通过API交互修改wasm的debug等级

curl -X POST http://localhost:15000/logging?wasm=debug

[Japson0]

还有我想请问下，如何把插件日志完整打印出来，有时候插件不生效也没一点提示，完全没法感知

可以进入数据面容器，通过API交互修改wasm的debug等级

curl -X POST http://localhost:15000/logging?wasm=debug

日志是可以了，是不是OIDC文档有误，比如在keycloak里的，这里service_name和service_host有重复吗
service_name: 'keycloak.static'
service_port: 80
service_host: '127.0.0.1:9090'

[Jing-ze]

还有我想请问下，如何把插件日志完整打印出来，有时候插件不生效也没一点提示，完全没法感知

可以进入数据面容器，通过API交互修改wasm的debug等级

curl -X POST http://localhost:15000/logging?wasm=debug

日志是可以了，是不是OIDC文档有误，比如在keycloak里的，这里service_name和service_host有重复吗 service_name: 'keycloak.static' service_port: 80 service_host: '127.0.0.1:9090'

service_name用于访问对应的FQDN服务，service_host用于代码中访问服务时如果host缺失，则使用默认的service_host补全authority字段，当前的代码访问的http服务不存在host缺失的情况，所以不填写service_host不影响使用

[Japson0]

还有我想请问下，如何把插件日志完整打印出来，有时候插件不生效也没一点提示，完全没法感知

可以进入数据面容器，通过API交互修改wasm的debug等级

curl -X POST http://localhost:15000/logging?wasm=debug

日志是可以了，是不是OIDC文档有误，比如在keycloak里的，这里service_name和service_host有重复吗 service_name: 'keycloak.static' service_port: 80 service_host: '127.0.0.1:9090'

service_name用于访问对应的FQDN服务，service_host用于代码中访问服务时如果host缺失，则使用默认的service_host补全authority字段，当前的代码访问的http服务不存在host缺失的情况，所以不填写service_host不影响使用

这边需要我提供什么信息吗。有没可能是最新开源插件镜像没推送到仓库呢

[johnlanni]

@Japson0 之前只推了 1.0.0，漏推了 latest，你再试试

[Japson0]

@Japson0 之前只推了 1.0.0，漏推了 latest，你再试试

还是不行，我把debug日志输出了

2025-01-16T01:55:49.694982Z	debug	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1384	wasm log: http call start, id: 2f9e2c9a-a939-4a42-8835-67018ee9fe24, cluster: outbound|8084||keycloak.static, method: GET, url: http://168.5.80.43:8084/realms/master/.well-known/openid-configuration, body: , timeout: 2000	thread=50
2025-01-16T01:55:51.022450Z	debug	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1384	wasm log: http call start, id: 99d9f6cb-2056-49d2-a41a-d518cdd355de, cluster: outbound|8084||keycloak.static, method: GET, url: http://168.5.80.43:8084/realms/master/.well-known/openid-configuration, body: , timeout: 2000	thread=102

这是我的configdump里面的配置

       "config": {
        "name": "higress-system.oidc-1.0.0",
        "vm_config": {
         "runtime": "envoy.wasm.runtime.v8",
         "code": {
          "local": {
           "filename": "/var/lib/istio/data/2d31f22ef87ddded88ae97bc1700ec9dab62a91ed58fa4ce0986d30ccfb97ab3/21ef1de56f7748d8e3fcc5ef811324fa1ebdbbbb33e408a22c0fdd6ee1f8b7aa.wasm"
          }
         }
        },
        "configuration": {
         "@type": "type.googleapis.com/google.protobuf.StringValue",
         "value": "{\"client_id\":\"emlp\",\"client_secret\":\"lxxabzH5qroDMVI5G0enMiGtaPw8oWRg\",\"cookie_secret\":\"nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY=\",\"match_list\":[{\"match_rule_path\":\"/llm-train\",\"match_rule_type\":\"prefix\"}],\"match_type\":\"blacklist\",\"oidc_issuer_url\":\"http://168.5.80.43:8084/realms/master\",\"redirect_url\":\"http://foo.bar.com/oauth2/callback\",\"scope\":\"openid email offline_access\",\"service_host\":\"168.5.80.43\",\"service_name\":\"keycloak.static\",\"service_port\":8084}"
        },
        "fail_open": true
       }

我已经明确这个http://168.5.80.43:8084/realms/master/.well-known/openid-configuration地址是可以的
并且我打开了global.onlyPushRouteCluster=false
还有请问下，oidc_issuer_url地址不是包含了所有服务信息了吗，为什么还要配置下面三个
service_name: 'keycloak.static'
service_port: 80
service_host: '127.0.0.1:9090'

[Jing-ze]

@Japson0 之前只推了 1.0.0，漏推了 latest，你再试试

还是不行，我把debug日志输出了

2025-01-16T01:55:49.694982Z debug envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1384 wasm log: http call start, id: 2f9e2c9a-a939-4a42-8835-67018ee9fe24, cluster: outbound|8084||keycloak.static, method: GET, url: http://168.5.80.43:8084/realms/master/.well-known/openid-configuration, body: , timeout: 2000 thread=50
2025-01-16T01:55:51.022450Z debug envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1384 wasm log: http call start, id: 99d9f6cb-2056-49d2-a41a-d518cdd355de, cluster: outbound|8084||keycloak.static, method: GET, url: http://168.5.80.43:8084/realms/master/.well-known/openid-configuration, body: , timeout: 2000 thread=102
这是我的configdump里面的配置

   "config": {
    "name": "higress-system.oidc-1.0.0",
    "vm_config": {
     "runtime": "envoy.wasm.runtime.v8",
     "code": {
      "local": {
       "filename": "/var/lib/istio/data/2d31f22ef87ddded88ae97bc1700ec9dab62a91ed58fa4ce0986d30ccfb97ab3/21ef1de56f7748d8e3fcc5ef811324fa1ebdbbbb33e408a22c0fdd6ee1f8b7aa.wasm"
      }
     }
    },
    "configuration": {
     "@type": "type.googleapis.com/google.protobuf.StringValue",
     "value": "{\"client_id\":\"emlp\",\"client_secret\":\"lxxabzH5qroDMVI5G0enMiGtaPw8oWRg\",\"cookie_secret\":\"nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY=\",\"match_list\":[{\"match_rule_path\":\"/llm-train\",\"match_rule_type\":\"prefix\"}],\"match_type\":\"blacklist\",\"oidc_issuer_url\":\"http://168.5.80.43:8084/realms/master\",\"redirect_url\":\"http://foo.bar.com/oauth2/callback\",\"scope\":\"openid email offline_access\",\"service_host\":\"168.5.80.43\",\"service_name\":\"keycloak.static\",\"service_port\":8084}"
    },
    "fail_open": true
   }

我已经明确这个http://168.5.80.43:8084/realms/master/.well-known/openid-configuration地址是可以的 并且我打开了global.onlyPushRouteCluster=false 还有请问下，oidc_issuer_url地址不是包含了所有服务信息了吗，为什么还要配置下面三个 service_name: 'keycloak.static' service_port: 80 service_host: '127.0.0.1:9090'

在数据面容器可以curl http://168.5.80.43:8084/realms/master/.well-known/openid-configuration这个url试试，能获取到的话延迟是多少，higress中keycloak的服务来源配置可以看看

[johnlanni]

还有请问下，oidc_issuer_url地址不是包含了所有服务信息了吗，为什么还要配置下面三个
service_name: 'keycloak.static'
service_port: 80
service_host: '127.0.0.1:9090'

---

service_name和service_port是用来做服务发现用的，service_host 可以不用配的，oidc_issuer_url是用来解析host和path的

[johnlanni]

@Japson0 完整的插件日志有吗？

[Japson0]

@Japson0 完整的插件日志有吗？

完整日志插件要怎么看，gateway控制台吗，
或者我们钉钉沟通下？

[johnlanni]

可以加我钉钉：chengtanzty

[johnlanni]

https://github.com/higress-group/oauth2-proxy/blob/c1a05d79c2a3386cf0b5df19854e711104422701/pkg/apis/options/rule.go#L66-L68

@Jing-ze 他没有配 match_rule_domain，导致这块匹配不上，这里的行为可以优化下，如果没有配置 domain，就当作 * 处理