
feat(authz-keycloak): support token exchange

Open ohayak opened this issue 3 years ago • 4 comments

Description

Hello,

I'm working on a project using multiple Keycloak instances to manage users in different spaces. One master Keycloak is used as an Identity Provider (IDP) for all the others (identity brokers). In this scenario, we used the token exchange feature to limit handled tokens to one.

The token issued by the Identity Provider cannot be used to verify permissions on the brokers. Therefore, this token needs to be exchanged for a second token issued by the broker in order to be used by the authz-keycloak plugin to verify permissions.

The most elegant way to achieve our goal is to let the plugin handle the exchange. Unfortunately, the plugin didn't support this kind of request, so I tweaked the plugin to support this feature.

More details about token exchange are available here

I appreciate your efforts and the time to review my pull request.

Regards,

Checklist

  • [X] I have explained the need for this PR and the problem it solves
  • [X] I have explained the changes or the new features added to this PR
  • [ ] I have added tests corresponding to this change
  • [X] I have updated the documentation to reflect this change
  • [X] I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

ohayak avatar Jun 11 '22 22:06 ohayak

subject_issuer validation not working as expected

ohayak avatar Jun 11 '22 22:06 ohayak

Any chance to get this PR reviewed?

ohayak avatar Aug 22 '22 08:08 ohayak

Hi @ohayak, thanks for your contribution, please resolve the conflicting files first.

tzssangglass avatar Aug 22 '22 10:08 tzssangglass

Please make the CI pass, thanks!

spacewander avatar Aug 24 '22 06:08 spacewander

This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.

github-actions[bot] avatar Oct 23 '22 10:10 github-actions[bot]

This pull request/issue has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time.

github-actions[bot] avatar Nov 20 '22 10:11 github-actions[bot]