feat(openid-connect): Add `symmetric_key` option to support verifying tokens with symmetric algorithms #7691
base: master
The underlying `lua-resty-openidc` module already supports the `symmetric_key` option to specify the HMAC key for verifying HS??? tokens. However, note that `lua-resty-openidc` just passes the `symmetric_key` value as-is to HMAC. So we choose to accept a base64url-encoded secret, which is easier to obtain from OP and configure, and then decode it before passing it to `lua-resty-openidc`.
NOTE: the |
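The effect of the decoding step described above, as an added example that is not code from this PR, APISIX or `lua-resty-openidc`: an HS256 token verifies only when the base64url-encoded configuration value is decoded before it is used as the HMAC key. It assumes the OP signs with the raw secret bytes; the key, claims, issuer URL and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs omit."""
    padded = text + "=" * (-len(text) % 4)
    # binascii.Error raised on bad input is a ValueError subclass.
    return base64.b64decode(padded, altchars=b"-_", validate=True)

def sign_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for the OP: issue an HS256 token with the given key bytes."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_hs256(token: str, key: bytes) -> bool:
    """Check the HS256 signature only (no exp/iss/aud validation here)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False
    # Pin the algorithm instead of trusting whatever the header asks for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

# Constructed sample data: a 256-bit secret as the OP holds it, the
# base64url form an operator would configure, and a token from the OP.
RAW_KEY = bytes(range(32))
CONFIGURED_KEY = b64url_encode(RAW_KEY)
TOKEN = sign_hs256({"iss": "https://op.example", "sub": "alice"}, RAW_KEY)

def compare_key_handling() -> tuple:
    # Encoded string fed to HMAC unchanged, versus decoded to raw bytes first.
    as_is = verify_hs256(TOKEN, CONFIGURED_KEY.encode())
    decoded = verify_hs256(TOKEN, b64url_decode(CONFIGURED_KEY))
    return as_is, decoded
```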
Could you add some tests for this feature? How can we test it?
Hmm, I'll have to first check out the existing tests (e.g., for RS256) and figure out one for the HS256/HS512 tokens.
Well. By the way, I'll have to consider how to best pass the |
Is there any link for this issue in Keycloak? Would you explain it in depth?
Solved it: keycloak/keycloak#13823.
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.
This pull request/issue has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time.
Re-opened as this is a meaningful contribution. Helped resolve conflicts and update the explanation for the |
@shreemaan-abhishek please help to finish this PR
@liweitianux Can you no longer work on this PR?
@liweitianux Looks like you're busy. We will assign this issue to someone else.
Hi @Revolyssup, sorry that I haven't been using APISIX for some time, and I currently don't have the time for this PR. Please help reassign it. Thanks.