oidc-connect plugin, and restricting access to endpoints using scope

[csotiriou]

Description

Hello, I am using the Ingress Controller and I am trying to support the following scenario using OIDC

• ClientID A should have access to Endpoints A,B
• ClientID B should have access to Endpoints B,C

All of them should be of type "client_credentials"

And on top of a test route, I have the following definition:

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: echoserver-multiple-apisix
  namespace: ${kubernetes_namespace_v1.echonamespace2.metadata.0.name}
spec:
  http:
  - name: echohttp
    match:
      hosts:
      - echo.k8s.orb.local
      paths:
      - "/echo*"
    backends:
    - serviceName: echoserver2-service
      servicePort: 80
    plugins:

      - name: "openid-connect"
        enable: true
        config:
          client_id: "apisix2"
          client_secret: "..."
          discovery: "http://keycloak-proxy.keycloak.svc.cluster.local/realms/apisixrealm/.well-known/openid-configuration"
          introspection_endpoint: "http://keycloak-proxy.keycloak.svc.cluster.local/realms/apisixrealm/protocol/openid-connect/token/introspect"
          realm: "apisixrealm"
          scope: "route1scope"

I am using the OIDC plugin and Keycloak as my authentication provider. Although APISIX can provide access to the endpoints, with tokens accessed it fails to deny access to clients that don't have the required scope. No matter what scope I put in the scope parameter, it always allows anyone with a valid token (but without a scope) to access the route. Perhaps this is a relevant issue: #1272

Therefore, I have two questions:

• For the scenario originally described, can I have multiple OIDC plugins with different client IDs and secrets on top of a route to achieve what I want? (since multiple clients must be able to access the same route)
• For the issue where the scopes are not taken into account, is there something I am missing or can do differently?
  • How can I restrict an API to specific scopes with the openid-connect plugin?

[kayx23]

Consolidating #10454 (comment) into this thread. OP mentioned they have customized the openid-connect plugin to suit their need for scope-based authorization.

@csotiriou I was wondering if you have explored authz-keycloak plugin and tried setting the permissions attribute to achieve scope-based authorization?

[csotiriou]

Hello,

I have considered it yes - however, for standardization's sake, we want to use the openid-connect (plus I stumbled across other issues as well that I may mention in another thread when I make sure that I have the correct configuration).

I believe that the scope-based approach is more generic than having to resort to putting the permissions attribute in the token.

[csotiriou]

I took the liberty of making a PR out of this, here: #10493.

I hope you find this useful.