-- -- Licensed to the Apache Software Foundation (ASF) under one or more -- contributor license agreements. See the NOTICE file distributed with -- this work for additional information regarding copyright ownership. -- The ASF licenses this file to You under the Apache License, Version 2.0 -- (the "License"); you may not use this file except in compliance with -- the License. You may obtain a copy of the License at -- -- http://www.apache.org/licenses/LICENSE-2.0 -- -- Unless required by applicable law or agreed to in writing, software -- distributed under the License is distributed on an "AS IS" BASIS, -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- See the License for the specific language governing permissions and -- limitations under the License. -- local http = require "resty.http" local _M = {} -- Request APISIX and redirect to keycloak, -- Login keycloak and return the res of APISIX function _M.login_keycloak(uri, username, password) local httpc = http.new() local res, err = httpc:request_uri(uri, {method = "GET"}) if not res then return nil, err elseif res.status ~= 302 then -- Not a redirect which we expect. -- Use 500 to indicate error. return nil, "Initial request was not redirected to ID provider authorization endpoint." else -- Extract cookies. Important since OIDC module tracks state with a session cookie. local cookies = res.headers['Set-Cookie'] -- Concatenate cookies into one string as expected when sent in request header. local cookie_str = _M.concatenate_cookies(cookies) -- Call authorization endpoint we were redirected to. -- Note: This typically returns a login form which is the case here for Keycloak as well. -- However, how we process the form to perform the login is specific to Keycloak and -- possibly even the version used. res, err = httpc:request_uri(res.headers['Location'], {method = "GET"}) if not res then -- No response, must be an error. return nil, err elseif res.status ~= 200 then -- Unexpected response. return nil, res.body end -- Check if response code was ok. if res.status ~= 200 then return nil, "unexpected status " .. res.status end -- From the returned form, extract the submit URI and parameters. local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">') -- Substitute escaped ampersand in parameters. params = params:gsub("&", "&") -- Get all cookies returned. Probably not so important since not part of OIDC specification. local auth_cookies = res.headers['Set-Cookie'] -- Concatenate cookies into one string as expected when sent in request header. local auth_cookie_str = _M.concatenate_cookies(auth_cookies) -- Invoke the submit URI with parameters and cookies, adding username -- and password in the body. -- Note: Username and password are specific to the Keycloak Docker image used. res, err = httpc:request_uri(uri .. "?" .. params, { method = "POST", body = "username=" .. username .. "&password=" .. password, headers = { ["Content-Type"] = "application/x-www-form-urlencoded", ["Cookie"] = auth_cookie_str } }) if not res then -- No response, must be an error. return nil, err elseif res.status ~= 302 then -- Not a redirect which we expect. return nil, "Login form submission did not return redirect to redirect URI." end -- Extract the redirect URI from the response header. -- TODO: Consider validating this against the plugin configuration. local redirect_uri = res.headers['Location'] -- Invoke the redirect URI (which contains the authorization code as an URL parameter). res, err = httpc:request_uri(redirect_uri, { method = "GET", headers = { ["Cookie"] = cookie_str } }) if not res then -- No response, must be an error. return nil, err elseif res.status ~= 302 then -- Not a redirect which we expect. return nil, "Invoking redirect URI with authorization code" .. "did not return redirect to original URI." end return res, nil end end -- Concatenate cookies into one string as expected when sent in request header. function _M.concatenate_cookies(cookies) local cookie_str = "" if type(cookies) == 'string' then cookie_str = cookies:match('([^;]*); .*') else -- Must be a table. local len = #cookies if len > 0 then cookie_str = cookies[1]:match('([^;]*); .*') for i = 2, len do cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*') end end end return cookie_str, nil end return _M