OIDC Relying Party flow setup issues

[plamenlakov]

Hello,

I've successfully implemented the openid-connect plugin to protect my backend services via Keycloak an an OIDC identity provider. However this was done using the token introspection flow, meaning that the bearer token would be stored somewhere in the front-end. Obviously this is not ideal since it makes the token accessible client-side. I'd like to make use of the http-only session cookie same as how the Relying Party flow is being handled but I'm having a bit of trouble setting it up considering backend & frontend are two separate services.

My current APISIX configuration looks like this, but I find it hard on handling this flow on the front-end. How do I redirect to the OIDC provider login page without pointing to an existing RESTful API endpoint (my upstream) and then redirect back to my frontend application? Possibly also being able to specify the redirect uri after successful authentication dynamically, since I want to be flexible in terms of the amount of front-end applications that can communicate with the OIDC authenticated gateway.

My current APISIX config is like this:

upstreams:
  - name: backend-upstream
    id: 1
    type: roundrobin
    nodes:
      - host: 172.17.0.1
        port: 3000
        weight: 1

routes:
  - uri: /*
    name: backend-route
    upstream_id: 1
    plugins:
      openid-connect:
        client_id: apisix
        client_secret: 6dE1dzUQFX1r7wa1hgyYGknJjaNrhmi1
        discovery: https://172.17.0.1:8443/realms/users/.well-known/openid-configuration
        introspection_endpoint: https://172.17.0.1:8443/realms/users/protocol/openid-connect/token/introspect
        bearer_only: false
        realm: users
        scope: openid email profile
        session:
          secret: "MjMzZDFlYzAtN2Y3OC00M2MyLTg1OGYtZTk1NGVkZDEyZjZhCg=="
        use_jwks: true
      cors:
        allow_origins: "https://localhost:8000"
        allow_methods: "GET, POST, OPTIONS"
        allow_headers: "Authorization, Content-Type"
        expose_headers: "Content-Length, X-Access-Token"
        max_age: 3600
        allow_credential: true

#END

Also I'd appreciate your help @dosu ;)

[dosubot[bot]]

Hey @plamenlakov 👋, I'm here to help you with your OIDC Relying Party flow setup. Let's solve this together!

To set up the OIDC Relying Party flow using http-only session cookies in APISIX, you can follow these steps to ensure proper redirection to the OIDC provider login page and back to your frontend application, while allowing dynamic specification of the redirect URI for multiple frontend applications:

1. Session Configuration: Ensure that the session is configured with a secret for encrypting and HMAC calculation. This is necessary when bearer_only is set to false. The session.secret must be explicitly configured if you are using standalone mode.

2. Dynamic Redirect URI: The redirect_uri can be dynamically specified by appending .apisix/redirect to ngx.var.uri if not configured. This allows handling multiple frontend applications by dynamically setting the redirect URI based on the incoming request. Ensure that the redirect_uri matches the route where the plugin is configured, without being fully identical. For example, configure the uri of the route to /api/v1/* and the path portion of the redirect_uri to /api/v1/redirect.

3. Authentication Flow: Use the openidc.authenticate function to handle the authentication flow. It will redirect to the OIDC provider's authorization endpoint if no token can be extracted, and handle the redirection back to the configured redirect URI after successful authentication.

Here is a sample configuration snippet:

local conf = {
    client_id = "your_client_id",
    client_secret = "your_client_secret",
    discovery = "https://your-oidc-provider/.well-known/openid-configuration",
    scope = "openid",
    ssl_verify = false,
    session = {
        secret = "your_session_secret",
        cookie = {
            lifetime = 3600 -- Set cookie lifetime in seconds
        }
    },
    redirect_uri = nil, -- Allow dynamic redirect URI
    unauth_action = "auth", -- Redirect to OIDC provider if not authenticated
}

function _M.rewrite(plugin_conf, ctx)
    local conf = core.table.clone(plugin_conf)
    conf.timeout = conf.timeout * 1000

    local unauth_action = conf.unauth_action
    if unauth_action ~= "auth" then
        unauth_action = "deny"
    end

    response, err, _, session = openidc.authenticate(conf, nil, unauth_action, conf.session)

    if err then
        if session then
            session:close()
        end
        if err == "unauthorized request" then
            if conf.unauth_action == "pass" then
                return nil
            end
            return 401
        end
        core.log.error("OIDC authentication failed: ", err)
        return 500
    end

    if response then
        add_access_token_header(ctx, conf, response.access_token)
        if response.id_token and conf.set_id_token_header then
            local token = core.json.encode(response.id_token)
            core.request.set_header(ctx, "X-ID-Token", ngx.encode_base64(token))
        end
    end
end

This configuration ensures that the OIDC Relying Party flow is set up with http-only session cookies, proper redirection, and dynamic redirect URI handling. Additionally, ensure that the SameSite cookie attribute is properly set if your application needs to send the cookie across sites ^[1][2][3].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}