1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).

### Fixed
- Correct FAPI header to `x-fapi-interaction-id` [PR #1557](https://github.com/3scale/APIcast/pull/1557) [THREESCALE-11957](https://issues.redhat.com/browse/THREESCALE-11957)
- Only validate oidc setting if authentication method is set to oidc [PR #1568](https://github.com/3scale/APIcast/pull/1568) [THREESCALE-11441](https://issues.redhat.com/browse/THREESCALE-11441)

### Added
- Update APIcast schema manifest [PR #1550](https://github.com/3scale/APIcast/pull/1550)
17 changes: 13 additions & 4 deletions gateway/src/apicast/configuration_loader/oidc.lua
Expand Up @@ -21,13 +21,22 @@ _M.discovery = require('resty.oidc.discovery').new()

local function load_service(service)
if not service or not service.proxy then return nil end
local result = _M.discovery:call(service.proxy.oidc_issuer_endpoint)
local proxy = service.proxy

if result and service.id then
result.service_id = service.id
-- Only fetch OIDC configuration if authentication method is set to 'oidc'
local authentication = proxy.authentication_method or service.backend_version

I think this comment could go away by simply extracting a guard from the code below:

Suggested change
-- Only fetch OIDC configuration if authentication method is set to 'oidc'
local authentication = proxy.authentication_method or service.backend_version
local authentication = proxy.authentication_method or service.backend_version
if authentication ~= 'oidc' then
return nil
end

The if authentication part seems redundant anyway (nil is already unequal to 'oidc').


@tkan145 tkan145 Feb 3, 2026


The authentication can take the following values:

  • 1 : user_key
  • 2: app_id/app_key
  • oidc: OIDC
  • nil: even if the oidc_issuer_endpoint is provided, in this case we don't want to query the OIDC endpoint.
    Therefore, an if statement is needed.


if authentication and authentication == 'oidc' then
local result = _M.discovery:call(service.proxy.oidc_issuer_endpoint)


`proxy` is already declared at the top

Suggested change
local result = _M.discovery:call(service.proxy.oidc_issuer_endpoint)
local result = _M.discovery:call(proxy.oidc_issuer_endpoint)


if result and service.id then
result.service_id = service.id
end

return result
end

return result
return nil
end

function _M.call(...)
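Review bot: The gate on `local authentication = proxy.authentication_method or service.backend_version` falls back to `backend_version`, but the gate added in the same PR to `get_oidc_issuer_endpoint` in gateway/src/apicast/configuration_loader/remote_v2.lua checks only `proxy.authentication_method == "oidc"`, so a service whose mode is carried only in `backend_version` is treated as OIDC by this loader and skipped by the remote index. The author's reply on this hunk lists `oidc` among the combined values, so the two loaders should agree: either drop the fallback here or add it there. Whichever is chosen, the fallback line deserves a why-comment rather than the current what-comment, e.g. `-- authentication_method takes precedence; backend_version is consulted because some configs carry the mode only there (confirm)`. load_service is complete within the hunk; `_M.call` at the bottom continues outside it.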
2 changes: 1 addition & 1 deletion gateway/src/apicast/configuration_loader/remote_v2.lua
Expand Up @@ -103,7 +103,7 @@ local function service_config_endpoint(portal_endpoint, service_id, env, version
end

local function get_oidc_issuer_endpoint(proxy_content)
return proxy_content.proxy and proxy_content.proxy.oidc_issuer_endpoint
return proxy_content.proxy and (proxy_content.proxy.authentication_method == "oidc") and proxy_content.proxy.oidc_issuer_endpoint
end

local function parse_proxy_configs(self, proxy_configs)
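Review bot: The rewritten `return proxy_content.proxy and (proxy_content.proxy.authentication_method == "oidc") and proxy_content.proxy.oidc_issuer_endpoint` can now yield `false` (the failing operand of the `and` chain) for a service with an issuer endpoint but another authentication mode, whereas the old expression only ever produced `nil` or the endpoint string; any caller that tests `== nil` would treat `false` as a value — hedged, since the callers are outside this hunk. Normalizing with `or nil` at the end, or an explicit `if ... then return proxy.oidc_issuer_endpoint end`, avoids the new falsy case. The function name no longer describes the behavior, so a short comment above it would help, e.g. `-- Issuer endpoint of an OIDC-authenticated service, nil for any other authentication mode.`, and splitting the condition across two lines keeps it under the file's line width.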
61 changes: 59 additions & 2 deletions spec/configuration_loader/oidc_spec.lua
Expand Up @@ -24,14 +24,25 @@ describe('OIDC Configuration loader', function()
assert(loader.call(config))
end)

it('ignores config with oidc_issuer_endpoint but not oidc authentication mode', function()
local config = cjson.encode{
services = {
{ id = 21, proxy = { oidc_issuer_endpoint = 'https://user:[email protected]' } },
{ id = 42 },
}
}

assert(loader.call(config))
end)

it('forwards all parameters', function()
assert.same({'{"oidc":[]}', 'one', 'two'}, { loader.call('{}', 'one', 'two')})
end)

it('gets openid configuration', function()
local config = {
services = {
{ id = 21, proxy = { oidc_issuer_endpoint = 'https://user:[email protected]' } },
{ id = 21, proxy = { oidc_issuer_endpoint = 'https://user:[email protected]', authentication_method = 'oidc' }},
}
}

Expand All @@ -58,7 +69,8 @@ describe('OIDC Configuration loader', function()
{
"id": 21,
"proxy": {
"oidc_issuer_endpoint": "https://user:[email protected]"
"oidc_issuer_endpoint": "https://user:[email protected]",
"authentication_method": "oidc"
}
}
],
Expand Down Expand Up @@ -97,5 +109,50 @@ describe('OIDC Configuration loader', function()

loader.call(cjson.encode(config))
end)

it('ignore openid configuration if authentication_method is not oidc', function()
local config = {
services = {
{ id = 21, proxy = { oidc_issuer_endpoint = 'https://user:[email protected]', authentication_method = '1' }},
}
}

test_backend
.expect{ url = "https://example.com/.well-known/openid-configuration" }
.respond_with{
status = 200,
headers = { content_type = 'application/json' },
body = [[{"jwks_uri":"http://example.com/jwks","issuer":"https://example.com"}]],
}

test_backend
.expect{ url = "http://example.com/jwks" }
.respond_with{
status = 200,
headers = { content_type = 'application/json' },
body = [[{"keys":[]}]],
}

local oidc = loader.call(cjson.encode(config))
local expected_oidc = cjson.decode([[
{
"services": [
{
"id": 21,
"proxy": {
"oidc_issuer_endpoint": "https://user:[email protected]",
"authentication_method": "1"
}
}
],
"oidc": [
{
"service_id": 21
}
]
}
]])
assert.same(expected_oidc, cjson.decode(oidc))
end)
end)
end)
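Review bot: None of the new cases exercises the `backend_version` fallback that the loader change introduces: `it('ignores config with oidc_issuer_endpoint but not oidc authentication mode', ...)` sets neither field, and `it('ignore openid configuration if authentication_method is not oidc', ...)` sets `authentication_method = '1'`, so a service with `authentication_method` absent and `backend_version = 'oidc'` is untested in either direction. Adding one `it(...)` with `{ id = 21, backend_version = 'oidc', proxy = { oidc_issuer_endpoint = '...' } }` would pin whichever behavior is intended. In the non-oidc case the two `test_backend.expect{...}` stubs for the well-known and jwks URLs should never be reached once the guard works; a comment saying they exist only to make an unexpected call visible (or dropping them) would make the intent clear. The expected `"oidc": [{"service_id": 21}]` for a skipped service also deserves a one-line comment, since `load_service` itself returns nil and the entry is presumably produced by `_M.call`, which is outside the hunk.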
42 changes: 38 additions & 4 deletions spec/configuration_loader/remote_v2_spec.lua
Expand Up @@ -251,7 +251,10 @@ describe('Configuration Remote Loader V2', function()
environment = 'sandbox',
content = {
id = 42, backend_version = 1,
proxy = { oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/' }
proxy = {
authentication_method= 'oidc',
oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/'
}
}
}
}
Expand Down Expand Up @@ -311,6 +314,28 @@ UwIDAQAB
} },
}, config.oidc)
end)

it('ingore OIDC configuration when authentication_method is not oidc', function()


Suggested change
it('ingore OIDC configuration when authentication_method is not oidc', function()
it('ignore OIDC configuration when authentication_method is not oidc', function()

test_backend.expect{ url = 'http://example.com/admin/api/services/42/proxy/configs/staging/latest.json' }.
respond_with{ status = 200, body = cjson.encode(
{
proxy_config = {
version = 2,
environment = 'sandbox',
content = {
id = 42, backend_version = 1,
proxy = {
authentication_method= '1',
oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/'
}
}
}
}
) }

local config = assert(loader:config({ id = 42 }, 'staging', 'latest'))
assert.is_nil(config.oidc)
end)
end)

describe(':index_per_service', function()
Expand Down Expand Up @@ -580,7 +605,10 @@ UwIDAQAB
{
proxy_config = {
content = {
proxy = { oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/' }
proxy = {
authentication_method= 'oidc',
oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/'
}
}
}
}
Expand Down Expand Up @@ -730,7 +758,10 @@ UwIDAQAB
content = {
id = 2,
backend_version = 1,
proxy = { oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/' }
proxy = {
authentication_method= 'oidc',
oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/'
}
}
}
}
Expand Down Expand Up @@ -920,7 +951,10 @@ UwIDAQAB
content = {
id = 2,
backend_version = 1,
proxy = { oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/' }
proxy = {
authentication_method= 'oidc',
oidc_issuer_endpoint = 'http://user:[email protected]/auth/realms/foo/'
}
}
}
}
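Review bot: Every new table constructor in this file writes `authentication_method= 'oidc'` (and `authentication_method= '1'`) with no space before `=`, while the `oidc_issuer_endpoint = ...` line directly below it is spaced normally; the inconsistency appears in all five hunks of this section. `authentication_method = 'oidc'` matches the surrounding style and what StyLua would emit. The new non-oidc test also pairs `backend_version = 1` with `authentication_method = '1'`, so it cannot tell whether the remote loader honors or ignores `backend_version` on its own; a case with only `backend_version` set would close that gap if the two loaders are meant to agree.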