From b672a8b05cf6c005686d677b696619dfe32202ac Mon Sep 17 00:00:00 2001
From: Ashish Tiwari
Date: Fri, 28 Feb 2025 07:06:33 +0530
Subject: [PATCH] add tests

---
 apisix/plugins/openid-connect.lua | 1 +
 t/plugin/openid-connect7.t | 102 ++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+)

diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index db4c72b45032..e04768613f17 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -394,6 +394,7 @@ local function introspect(ctx, conf)
 if discovery_err then
 core.log.warn("OIDC access discovery url failed : ", discovery_err)
 else
+ core.log.info("valid_issuers not provided, using issuer from discovery doc: ", discovery.issuer)
 valid_issuers = {discovery.issuer}
 end
 end
diff --git a/t/plugin/openid-connect7.t b/t/plugin/openid-connect7.t
index ce39d38f0986..01b34814f7c6 100644
--- a/t/plugin/openid-connect7.t
+++ b/t/plugin/openid-connect7.t
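Review bot: The new info line logs `discovery.issuer` and the next line makes it the only accepted issuer, but neither checks that the field is present, so a discovery document missing the (spec-required) `issuer` key produces a log line ending in `nil` and `valid_issuers = {}`; how the downstream verifier treats an empty issuer list is outside this hunk and worth confirming. A guard before the assignment would make that failure explicit instead of silent: `if not discovery.issuer then core.log.warn("discovery document has no issuer field") end`. Because this fallback turns the discovery endpoint into the trust anchor for issuer validation, it is also worth stating in the plugin documentation that `valid_issuers` should be configured explicitly when the discovery URL is not fully trusted. `introspect` starts and ends outside the hunk.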
@@ -322,3 +322,105 @@ true qr/token validate successfully by \w+/ --- grep_error_log_out token validate successfully by jwks + + + +=== TEST 7: Update plugin with ID provider jwks endpoint for token verification with valid issuer in discovery endpoint. +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "openid-connect": { + "client_id": "dummy", + "client_secret": "dummy", + "discovery": "http://127.0.0.1:8089/realms/University/.well-known/openid-configuration", + "redirect_uri": "http://localhost:3000", + "ssl_verify": false, + "timeout": 10, + "bearer_only": true, + "use_jwks": true, + "realm": "University" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 8: Obtain valid token and access route with it. Use valid_issuer from discovery endpoint. +--- http_config + server { + listen 8089; + + location /realms/University/.well-known/openid-configuration { + content_by_lua_block { + ngx.say([[ +{ + "issuer": "http://127.0.0.1:8089/realms/University", + "jwks_uri": "http://127.0.0.1:8089/realms/University/protocol/openid-connect/certs", + "response_types_supported": ["id_token"], + "subject_types_supported": ["public"], + "id_token_signing_alg_values_supported": ["RS256"] +}]]) + } + } + } +--- config + location /t { + content_by_lua_block { + -- Obtain valid access token from Keycloak using known username and password. 
+ local json_decode = require("toolkit.json").decode + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:8080/realms/University/protocol/openid-connect/token" + local res, err = httpc:request_uri(uri, { + method = "POST", + body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456", + headers = { + ["Content-Type"] = "application/x-www-form-urlencoded" + } + }) + + -- Check response from keycloak and fail quickly if there's no response. + if not res then + ngx.say(err) + return + end + + + -- Get access token from JSON response body. + local body = json_decode(res.body) + local accessToken = body["access_token"] + + -- Access route using access token. Should work. + uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello" + local res, err = httpc:request_uri(uri, { + method = "GET", + headers = { + ["Authorization"] = "Bearer " .. body["access_token"] + } + }) + } + } +--- error_log +valid_issuers not provided, using issuer from discovery doc: http://127.0.0.1:8089/realms/University
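Review bot: The final GET to `/hello` in TEST 8 discards its result, so the block passes as long as the info line appears in the error log, regardless of whether the bearer token was actually accepted; nothing in the test pins the response status. That matters here because the mock server on 8089 serves only the discovery document and not the `jwks_uri` it advertises, and its issuer (port 8089) presumably differs from the `iss` of a token minted by the Keycloak on 8080, so the verification step most likely fails behind this check. Surface the outcome with `ngx.say(res.status)` after the second `request_uri` call and a matching `--- response_body` expectation, or, if the intent is only to cover the fallback log path, name the test accordingly. The `accessToken` local is assigned and never used; either pass it in the Authorization header or drop it.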