OAuth wasm go plugin #663
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| # 功能说明 | ||
| `OAuth2`插件实现了基于JWT(JSON Web Tokens)进行OAuth2 Access Token签发的能力, 遵循[RFC9068](https://datatracker.ietf.org/doc/html/rfc9068)规范 | ||
|
|
||
| # 插件配置说明 | ||
|
|
||
| ## 配置字段 | ||
|
|
||
| | 名称 | 数据类型 | 填写要求 | 默认值 | 描述 | | ||
| | ----------- | --------------- | ------------------------------------------- | ------ | ----------------------------------------------------------- | | ||
| | `consumers` | array of object | 必填 | - | 配置服务的调用者,用于对请求进行认证 | | ||
| | `_rules_` | array of object | 选填 | - | 配置特定路由或域名的访问权限列表,用于对请求进行鉴权 | | ||
| | `issuer` | string | 选填 | Higress-Gateway | 用于填充JWT中的issuer | | ||
| | `auth_path` | string | 选填 | /oauth2/token | 指定路径后缀用于签发Token,路由级配置时,要确保首先能匹配对应的路由 | | ||
| | `global_credentials` | bool | 选填 | ture | 是否开启全局凭证,即允许路由A下的auth_path签发的Token可以用于访问路由B | | ||
| | `auth_header_name` | string | 选填 | Authorization | 用于指定从哪个请求头获取JWT | | ||
| | `token_ttl` | number | 选填 | 7200 | token从签发后多久内有效,单位为秒 | | ||
| | `clock_skew_seconds` | number | 选填 | 60 | 校验JWT的exp和iat字段时允许的时钟偏移量,单位为秒 | | ||
| | `keep_token` | bool | 选填 | ture | 转发给后端时是否保留JWT | | ||
|
|
||
| `consumers`中每一项的配置字段说明如下: | ||
|
|
||
| | 名称 | 数据类型 | 填写要求 | 默认值 | 描述 | | ||
| | ----------------------- | ----------------- | -------- | ------------------------------------------------- | ------------------------ | | ||
| | `name` | string | 必填 | - | 配置该consumer的名称 | | ||
| | `client_id` | string | 必填 | - | OAuth2 client id | | ||
| | `client_secret` | string | 必填 | - | OAuth2 client secret | | ||
|
|
||
| `_rules_` 中每一项的配置字段说明如下: | ||
|
|
||
| | 名称 | 数据类型 | 填写要求 | 默认值 | 描述 | | ||
| | ---------------- | --------------- | ------------------------------------------------- | ------ | -------------------------------------------------- | | ||
| | `_match_route_` | array of string | 选填,`_match_route_`,`_match_domain_`中选填一项 | - | 配置要匹配的路由名称 | | ||
| | `_match_domain_` | array of string | 选填,`_match_route_`,`_match_domain_`中选填一项 | - | 配置要匹配的域名 | | ||
| | `allow` | array of string | 必填 | - | 对于符合匹配条件的请求,配置允许访问的consumer名称 | | ||
|
|
||
| **注意:** | ||
| - 对于开启该配置的路由,如果路径后缀和`auth_path`匹配,则该路由到原目标服务,而是用于生成Token | ||
| - 如果关闭`global_credentials`,请确保启用此插件的路由不是精确匹配路由,此时若存在另一条前缀匹配路由,则可能导致预期外行为 | ||
| - 若不配置`_rules_`字段,则默认对当前网关实例的所有路由开启认证; | ||
| - 对于通过认证鉴权的请求,请求的header会被添加一个`X-Mse-Consumer`字段,用以标识调用者的名称。 | ||
|
|
||
| ## 配置示例 | ||
|
|
||
| ### 对特定路由或域名开启 | ||
|
|
||
| 以下配置将对网关特定路由或域名开启 Jwt Auth 认证和鉴权,注意如果一个JWT能匹配多个`jwks`,则按照配置顺序命中第一个匹配的`consumer` | ||
|
|
||
| ```yaml | ||
| consumers: | ||
| - name: consumer1 | ||
| client_id: 12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx | ||
| client_secret: abcdefgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx | ||
| - name: consumer2 | ||
| client_id: 87654321-xxxx-xxxx-xxxx-xxxxxxxxxxxx | ||
| client_secret: hgfedcba-xxxx-xxxx-xxxx-xxxxxxxxxxxx | ||
| # 使用 _rules_ 字段进行细粒度规则配置 | ||
| _rules_: | ||
| # 规则一:按路由名称匹配生效 | ||
| - _match_route_: | ||
| - default/foo | ||
| - route-b | ||
| allow: | ||
| - consumer1 | ||
| # 规则二:按域名匹配生效 | ||
| - _match_domain_: | ||
| - "*.example.com" | ||
| - foo.bar.com | ||
| allow: | ||
| - consumer2 | ||
| ``` | ||
|
|
||
| 此例 `_match_route_` 中指定的 `route-a` 和 `route-b` 即在创建网关路由时填写的路由名称,当匹配到这两个路由时,将允许`name`为`consumer1`的调用者访问,其他调用者不允许访问; | ||
|
|
||
| 此例 `_match_domain_` 中指定的 `*.example.com` 和 `test.com` 用于匹配请求的域名,当发现域名匹配时,将允许`name`为`consumer2`的调用者访问,其他调用者不允许访问。 | ||
|
|
||
| #### 使用 Client Credential 授权模式 | ||
|
|
||
| **获取 AccessToken** | ||
|
|
||
| ```bash | ||
|
|
||
| # 通过 GET 方法获取 | ||
|
|
||
| curl 'http://test.com/oauth2/token?grant_type=client_credentials&client_id=12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=abcdefgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx' | ||
|
|
||
| # 通过 POST 方法获取 (需要先匹配到有真实目标服务的路由) | ||
|
|
||
| curl 'http://test.com/oauth2/token' -H 'content-type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&client_id=12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=abcdefgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx' | ||
|
|
||
| # 获取响应中的 access_token 字段即可: | ||
| { | ||
| "token_type": "bearer", | ||
| "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uXC9hdCtqd3QifQ.eyJhdWQiOiJkZWZhdWx0IiwiY2xpZW50X2lkIjoiMTIzNDU2NzgteHh4eC14eHh4LXh4eHgteHh4eHh4eHh4eHh4IiwiZXhwIjoxNjg3OTUxNDYzLCJpYXQiOjE2ODc5NDQyNjMsImlzcyI6IkhpZ3Jlc3MtR2F0ZXdheSIsImp0aSI6IjEwOTU5ZDFiLThkNjEtNGRlYy1iZWE3LTk0ODEwMzc1YjYzYyIsInN1YiI6ImNvbnN1bWVyMSJ9.NkT_rG3DcV9543vBQgneVqoGfIhVeOuUBwLJJ4Wycb0", | ||
| "expires_in": 7200 | ||
| } | ||
|
|
||
| ``` | ||
|
|
||
| **使用 AccessToken 请求** | ||
|
|
||
| ```bash | ||
|
|
||
| curl 'http://test.com' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uXC9hdCtqd3QifQ.eyJhdWQiOiJkZWZhdWx0IiwiY2xpZW50X2lkIjoiMTIzNDU2NzgteHh4eC14eHh4LXh4eHgteHh4eHh4eHh4eHh4IiwiZXhwIjoxNjg3OTUxNDYzLCJpYXQiOjE2ODc5NDQyNjMsImlzcyI6IkhpZ3Jlc3MtR2F0ZXdheSIsImp0aSI6IjEwOTU5ZDFiLThkNjEtNGRlYy1iZWE3LTk0ODEwMzc1YjYzYyIsInN1YiI6ImNvbnN1bWVyMSJ9.NkT_rG3DcV9543vBQgneVqoGfIhVeOuUBwLJJ4Wycb0' | ||
|
|
||
| ``` | ||
| 因为 test.com 仅授权了 consumer2,但这个 Access Token 是基于 consumer1 的 `client_id`,`client_secret` 获取的,因此将返回 `403 Access Denied` | ||
|
|
||
|
|
||
| ### 网关实例级别开启 | ||
|
|
||
|
|
||
| 以下配置未指定`_rules_`字段,因此将对网关实例级别开启 OAuth2 认证 | ||
|
|
||
| ```yaml | ||
| consumers: | ||
| - name: consumer1 | ||
| client_id: 12345678-xxxx-xxxx-xxxx-xxxxxxxxxxxx | ||
| client_secret: abcdefgh-xxxx-xxxx-xxxx-xxxxxxxxxxxx | ||
| - name: consumer2 | ||
| client_id: 87654321-xxxx-xxxx-xxxx-xxxxxxxxxxxx | ||
| client_secret: hgfedcba-xxxx-xxxx-xxxx-xxxxxxxxxxxx | ||
| ``` | ||
|
|
||
| # 常见错误码说明 | ||
|
|
||
| | HTTP 状态码 | 出错信息 | 原因说明 | | ||
| | ----------- | ---------------------- | -------------------------------------------------------------------------------- | | ||
| | 401 | Invalid Jwt token | 请求头未提供JWT, 或者JWT格式错误,或过期等原因 | | ||
| | 403 | Access Denied | 无权限访问当前路由 | | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| 1.0.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| module github.com/alibaba/higress/plugins/wasm-go/extensions/oauth | ||
|
|
||
| go 1.19 | ||
|
|
||
| replace github.com/alibaba/higress/plugins/wasm-go => ../.. | ||
|
|
||
| require ( | ||
| github.com/alibaba/higress/plugins/wasm-go v1.3.1 | ||
| github.com/golang-jwt/jwt/v5 v5.1.0 | ||
| github.com/google/uuid v1.4.0 | ||
| github.com/pkg/errors v0.9.1 | ||
| github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 | ||
| github.com/tidwall/gjson v1.17.0 | ||
| ) | ||
|
|
||
| require ( | ||
| github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect | ||
| github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520 // indirect | ||
| github.com/magefile/mage v1.14.0 // indirect | ||
| github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect | ||
| github.com/stretchr/testify v1.8.3 // indirect | ||
| github.com/tidwall/match v1.1.1 // indirect | ||
| github.com/tidwall/pretty v1.2.0 // indirect | ||
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= | ||
| github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||
| github.com/golang-jwt/jwt/v5 v5.1.0 h1:UGKbA/IPjtS6zLcdB7i5TyACMgSbOTiR8qzXgw8HWQU= | ||
| github.com/golang-jwt/jwt/v5 v5.1.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= | ||
| github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= | ||
| github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||
| github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520 h1:IHDghbGQ2DTIXHBHxWfqCYQW1fKjyJ/I7W1pMyUDeEA= | ||
| github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520/go.mod h1:Nz8ORLaFiLWotg6GeKlJMhv8cci8mM43uEnLA5t8iew= | ||
| github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= | ||
| github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= | ||
| github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= | ||
| github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | ||
| github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= | ||
| github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||
| github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY= | ||
| github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= | ||
| github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 h1:kS7BvMKN+FiptV4pfwiNX8e3q14evxAWkhYbxt8EI1M= | ||
| github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0/go.mod h1:qkW5MBz2jch2u8bS59wws65WC+Gtx3x0aPUX5JL7CXI= | ||
| github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM= | ||
| github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= | ||
| github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= | ||
| github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= | ||
| github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= | ||
| github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= | ||
| gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
这块说明可以去掉,之前写cpp版本文档的时候,还没有现在的wasmplugin crd,所以要用户手动配置这些规则,现在已经在crd里定义对应字段了,插件文档里可以不用写了
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@johnlanni 是指
rules_这个配置在插件yaml中不用写了吗?如果在插件的yaml中定义了_rules_,那此时实际的规则是以crd为准还是这里的yaml为准?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
crd里已经封装掉对
_rules_字段的处理,用户再写上这个配置,是不会有作用的There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
可以看下这篇文档:https://higress.io/zh-cn/docs/plugins/intro
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@johnlanni 明白,即匹配域名或路由生效的配置
matchRules是所有wasm plugin都具备的特性,因此直接在wasm plugin crd层面做了定义,特定插件的文档主要关注自身特有的配置字段的说明。已删除oauth插件文档中有关
rules字段的说明