Bearer only client (#27)

Add support for bearer_only clients

Author: lodrantl

README.md

@@ -76,6 +76,10 @@ You also need to set the `KONG_CUSTOM_PLUGINS` environment variable
 | `config.scope` | oidc | false| OAuth2 Token scope. To use OIDC it has to contains the `oidc` scope |
 | `config.ssl_verify` | false | false | Enable SSL verification to OIDC Provider |
 | `config.session_secret` | | false | Additional parameter, which is used to encrypt the session cookie. Needs to be random |
+| `config.introspection_endpoint` | | false | Token introspection endpoint |
+| `config.bearer_only` | no | false | Only introspect tokens without redirecting |
+| `config.realm` | kong | false | Realm used in WWW-Authenticate response header |
+
 
 ### Enabling
 

kong/plugins/oidc/handler.lua

@@ -59,9 +59,13 @@ function make_oidc(oidcConfig)
 end
 
 function introspect(oidcConfig)
-  if utils.has_bearer_access_token() then
+  if utils.has_bearer_access_token() or oidcConfig.bearer_only == "yes" then
     local res, err = require("resty.openidc").introspect(oidcConfig)
     if err then
+      if oidcConfig.bearer_only == "yes" then
+        ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. oidcConfig.realm .. '",error="' .. err .. '"'
+        utils.exit(ngx.HTTP_UNAUTHORIZED, err, ngx.HTTP_UNAUTHORIZED)
+      end
       return nil
     end
     ngx.log(ngx.DEBUG, "OidcHandler introspect succeeded, requested path: " .. ngx.var.request_uri)

kong/plugins/oidc/schema.lua

@@ -5,6 +5,8 @@ return {
     client_secret = { type = "string", required = true },
     discovery = { type = "string", required = true, default = "https://.well-known/openid-configuration" },
     introspection_endpoint = { type = "string", required = false },
+    bearer_only = { type = "string", required = true, default = "no" },
+    realm = { type = "string", required = true, default = "kong" },
     redirect_uri_path = { type = "string" },
     scope = { type = "string", required = true, default = "openid" },
     response_type = { type = "string", required = true, default = "code" },

kong/plugins/oidc/utils.lua

@@ -43,6 +43,8 @@ function M.get_options(config, ngx)
     client_secret = config.client_secret,
     discovery = config.discovery,
     introspection_endpoint = config.introspection_endpoint,
+    bearer_only = config.bearer_only,
+    realm = config.realm,
     redirect_uri_path = config.redirect_uri_path or M.get_redirect_uri_path(ngx),
     scope = config.scope,
     response_type = config.response_type,

test/unit/mockable_case.lua

@@ -8,6 +8,7 @@ function MockableCase:setUp()
   self.mocked_ngx = {
     DEBUG = "debug",
     ERR = "error",
+    HTTP_UNAUTHORIZED = 401,
     ctx = {},
     header = {},
     var = {request_uri = "/"},

test/unit/test_handler_mocking_openidc.lua

@@ -80,6 +80,28 @@ function TestHandler:test_introspect_ok_with_userinfo()
   lu.assertTrue(self:log_contains("introspect succeeded"))
 end
 
+function TestHandler:test_bearer_only_with_good_token()
+  self.module_resty.openidc.introspect = function(opts)
+    return {}, false
+  end
+  ngx.req.get_headers = function() return {Authorization = "Bearer xxx"} end
+
+  self.handler:access({introspection_endpoint = "x", bearer_only = "yes", realm = "kong"})
+  lu.assertTrue(self:log_contains("introspect succeeded"))
+end
+
+function TestHandler:test_bearer_only_with_bad_token()
+  self.module_resty.openidc.introspect = function(opts)
+    return {}, "validation failed"
+  end
+  ngx.req.get_headers = function() return {Authorization = "Bearer xxx"} end
+
+  self.handler:access({introspection_endpoint = "x", bearer_only = "yes", realm = "kong"})
+
+  lu.assertEquals(ngx.header["WWW-Authenticate"], 'Bearer realm="kong",error="validation failed"')
+  lu.assertEquals(ngx.status, ngx.HTTP_UNAUTHORIZED)
+  lu.assertFalse(self:log_contains("introspect succeeded"))
+end
 
 lu.run()