Skip to content

Commit e5982ad

Browse files
shawnhankimshawnhankim
committed
fix: remove intercept error from access token feature and update CRD
1 parent a9ac466 commit e5982ad

File tree

10 files changed

+215
-254
lines changed

10 files changed

+215
-254
lines changed

deployments/common/crds/k8s.nginx.org_policies.yaml

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -114,6 +114,8 @@ spec:
114114
description: OIDC defines an Open ID Connect policy.
115115
type: object
116116
properties:
117+
accessTokenEnable:
118+
type: boolean
117119
authEndpoint:
118120
type: string
119121
authExtraArgs:
@@ -134,10 +136,6 @@ spec:
134136
type: string
135137
zoneSyncLeeway:
136138
type: integer
137-
accessTokenEnable:
138-
type: boolean
139-
interceptErrorEnable:
140-
type: boolean
141139
rateLimit:
142140
description: RateLimit defines a rate limit policy.
143141
type: object

deployments/helm-chart/crds/k8s.nginx.org_policies.yaml

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -114,6 +114,8 @@ spec:
114114
description: OIDC defines an Open ID Connect policy.
115115
type: object
116116
properties:
117+
accessTokenEnable:
118+
type: boolean
117119
authEndpoint:
118120
type: string
119121
authExtraArgs:
@@ -134,10 +136,6 @@ spec:
134136
type: string
135137
zoneSyncLeeway:
136138
type: integer
137-
accessTokenEnable:
138-
type: boolean
139-
interceptErrorEnable:
140-
type: boolean
141139
rateLimit:
142140
description: RateLimit defines a rate limit policy.
143141
type: object

docs/content/configuration/policy-resource.md

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -357,7 +357,6 @@ spec:
357357
tokenEndpoint: https://idp.example.com/openid-connect/token
358358
jwksURI: https://idp.example.com/openid-connect/certs
359359
accessTokenEnable: true
360-
interceptErrorEnable: false
361360
```
362361

363362
NGINX Plus will pass the ID of an authenticated user to the backend in the HTTP header `username`.
@@ -389,8 +388,6 @@ The OIDC policy defines a few internal locations that can't be customized: `/_jw
389388
|``zoneSyncLeeway`` | Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is ``200``. | ``int`` | No |
390389
|``accessTokenEnable`` | Option of whether Bearer token is used to authorize NGINX to access protected backend. | ``boolean`` | No |
391390
{{% /table %}}
392-
|``interceptErrorEnable`` | Option to intercept and redirect "401 Unauthorized" proxied responses to nginx for processing with the `error_page` directive to restart `@do_oidc_flow` if an access token can expire before ID token. | ``boolean`` | No |
393-
{{% /table %}}
394391

395392
> **Note**: Only one OIDC policy can be referenced in a VirtualServer and its VirtualServerRoutes. However, the same policy can still be applied to different routes in the VirtualServer and VirtualServerRoutes.
396393

examples/custom-resources/oidc/oidc.yaml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,4 +11,3 @@ spec:
1111
jwksURI: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/protocol/openid-connect/certs
1212
scope: openid+profile+email
1313
accessTokenEnable: true
14-
interceptErrorEnable: false

internal/configs/version2/http.go

Lines changed: 10 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -111,17 +111,16 @@ type EgressMTLS struct {
111111

112112
// OIDC holds OIDC configuration data.
113113
type OIDC struct {
114-
AuthEndpoint string
115-
ClientID string
116-
ClientSecret string
117-
JwksURI string
118-
Scope string
119-
TokenEndpoint string
120-
RedirectURI string
121-
ZoneSyncLeeway int
122-
AuthExtraArgs string
123-
AccessTokenEnable bool
124-
InterceptErrorEnable bool
114+
AuthEndpoint string
115+
ClientID string
116+
ClientSecret string
117+
JwksURI string
118+
Scope string
119+
TokenEndpoint string
120+
RedirectURI string
121+
ZoneSyncLeeway int
122+
AuthExtraArgs string
123+
AccessTokenEnable bool
125124
}
126125

127126
// WAF defines WAF configuration.

internal/configs/version2/nginx-plus.virtualserver.tmpl

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -433,9 +433,6 @@ server {
433433
{{ if $oidc.AccessTokenEnable }}
434434
{{ $proxyOrGRPC }}_set_header Authorization "Bearer $access_token";
435435
{{ end }}
436-
{{ if $oidc.InterceptErrorEnable }}
437-
{{ $proxyOrGRPC }}_intercept_errors on;
438-
{{ end }}
439436
{{ end }}
440437

441438
{{ with $l.WAF }}

internal/configs/virtualserver.go

Lines changed: 10 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1052,17 +1052,16 @@ func (p *policiesCfg) addOIDCConfig(
10521052
}
10531053

10541054
oidcPolCfg.oidc = &version2.OIDC{
1055-
AuthEndpoint: oidc.AuthEndpoint,
1056-
AuthExtraArgs: authExtraArgs,
1057-
TokenEndpoint: oidc.TokenEndpoint,
1058-
JwksURI: oidc.JWKSURI,
1059-
ClientID: oidc.ClientID,
1060-
ClientSecret: string(clientSecret),
1061-
Scope: scope,
1062-
RedirectURI: redirectURI,
1063-
ZoneSyncLeeway: generateIntFromPointer(oidc.ZoneSyncLeeway, 200),
1064-
AccessTokenEnable: oidc.AccessTokenEnable,
1065-
InterceptErrorEnable: oidc.InterceptErrorEnable,
1055+
AuthEndpoint: oidc.AuthEndpoint,
1056+
AuthExtraArgs: authExtraArgs,
1057+
TokenEndpoint: oidc.TokenEndpoint,
1058+
JwksURI: oidc.JWKSURI,
1059+
ClientID: oidc.ClientID,
1060+
ClientSecret: string(clientSecret),
1061+
Scope: scope,
1062+
RedirectURI: redirectURI,
1063+
ZoneSyncLeeway: generateIntFromPointer(oidc.ZoneSyncLeeway, 200),
1064+
AccessTokenEnable: oidc.AccessTokenEnable,
10661065
}
10671066
oidcPolCfg.key = polKey
10681067
}

internal/configs/virtualserver_test.go

Lines changed: 64 additions & 73 deletions
Original file line numberDiff line numberDiff line change
@@ -3136,16 +3136,15 @@ func TestGeneratePolicies(t *testing.T) {
31363136
},
31373137
Spec: conf_v1.PolicySpec{
31383138
OIDC: &conf_v1.OIDC{
3139-
AuthEndpoint: "http://example.com/auth",
3140-
TokenEndpoint: "http://example.com/token",
3141-
JWKSURI: "http://example.com/jwks",
3142-
ClientID: "client-id",
3143-
ClientSecret: "oidc-secret",
3144-
Scope: "scope",
3145-
RedirectURI: "/redirect",
3146-
ZoneSyncLeeway: createPointerFromInt(20),
3147-
AccessTokenEnable: true,
3148-
InterceptErrorEnable: false,
3139+
AuthEndpoint: "http://example.com/auth",
3140+
TokenEndpoint: "http://example.com/token",
3141+
JWKSURI: "http://example.com/jwks",
3142+
ClientID: "client-id",
3143+
ClientSecret: "oidc-secret",
3144+
Scope: "scope",
3145+
RedirectURI: "/redirect",
3146+
ZoneSyncLeeway: createPointerFromInt(20),
3147+
AccessTokenEnable: true,
31493148
},
31503149
},
31513150
},
@@ -4254,12 +4253,11 @@ func TestGeneratePoliciesFails(t *testing.T) {
42544253
},
42554254
Spec: conf_v1.PolicySpec{
42564255
OIDC: &conf_v1.OIDC{
4257-
ClientSecret: "oidc-secret",
4258-
AuthEndpoint: "http://foo.com/bar",
4259-
TokenEndpoint: "http://foo.com/bar",
4260-
JWKSURI: "http://foo.com/bar",
4261-
AccessTokenEnable: true,
4262-
InterceptErrorEnable: false,
4256+
ClientSecret: "oidc-secret",
4257+
AuthEndpoint: "http://foo.com/bar",
4258+
TokenEndpoint: "http://foo.com/bar",
4259+
JWKSURI: "http://foo.com/bar",
4260+
AccessTokenEnable: true,
42634261
},
42644262
},
42654263
},
@@ -4302,13 +4300,12 @@ func TestGeneratePoliciesFails(t *testing.T) {
43024300
},
43034301
Spec: conf_v1.PolicySpec{
43044302
OIDC: &conf_v1.OIDC{
4305-
ClientID: "foo",
4306-
ClientSecret: "oidc-secret",
4307-
AuthEndpoint: "https://foo.com/auth",
4308-
TokenEndpoint: "https://foo.com/token",
4309-
JWKSURI: "https://foo.com/certs",
4310-
AccessTokenEnable: true,
4311-
InterceptErrorEnable: false,
4303+
ClientID: "foo",
4304+
ClientSecret: "oidc-secret",
4305+
AuthEndpoint: "https://foo.com/auth",
4306+
TokenEndpoint: "https://foo.com/token",
4307+
JWKSURI: "https://foo.com/certs",
4308+
AccessTokenEnable: true,
43124309
},
43134310
},
43144311
},
@@ -4319,13 +4316,12 @@ func TestGeneratePoliciesFails(t *testing.T) {
43194316
},
43204317
Spec: conf_v1.PolicySpec{
43214318
OIDC: &conf_v1.OIDC{
4322-
ClientID: "foo",
4323-
ClientSecret: "oidc-secret",
4324-
AuthEndpoint: "https://bar.com/auth",
4325-
TokenEndpoint: "https://bar.com/token",
4326-
JWKSURI: "https://bar.com/certs",
4327-
AccessTokenEnable: true,
4328-
InterceptErrorEnable: false,
4319+
ClientID: "foo",
4320+
ClientSecret: "oidc-secret",
4321+
AuthEndpoint: "https://bar.com/auth",
4322+
TokenEndpoint: "https://bar.com/token",
4323+
JWKSURI: "https://bar.com/certs",
4324+
AccessTokenEnable: true,
43294325
},
43304326
},
43314327
},
@@ -4345,16 +4341,15 @@ func TestGeneratePoliciesFails(t *testing.T) {
43454341
context: "route",
43464342
oidcPolCfg: &oidcPolicyCfg{
43474343
oidc: &version2.OIDC{
4348-
AuthEndpoint: "https://foo.com/auth",
4349-
TokenEndpoint: "https://foo.com/token",
4350-
JwksURI: "https://foo.com/certs",
4351-
ClientID: "foo",
4352-
ClientSecret: "super_secret_123",
4353-
RedirectURI: "/_codexch",
4354-
Scope: "openid",
4355-
ZoneSyncLeeway: 0,
4356-
AccessTokenEnable: true,
4357-
InterceptErrorEnable: false,
4344+
AuthEndpoint: "https://foo.com/auth",
4345+
TokenEndpoint: "https://foo.com/token",
4346+
JwksURI: "https://foo.com/certs",
4347+
ClientID: "foo",
4348+
ClientSecret: "super_secret_123",
4349+
RedirectURI: "/_codexch",
4350+
Scope: "openid",
4351+
ZoneSyncLeeway: 0,
4352+
AccessTokenEnable: true,
43584353
},
43594354
key: "default/oidc-policy-1",
43604355
},
@@ -4370,15 +4365,14 @@ func TestGeneratePoliciesFails(t *testing.T) {
43704365
},
43714366
expectedOidc: &oidcPolicyCfg{
43724367
oidc: &version2.OIDC{
4373-
AuthEndpoint: "https://foo.com/auth",
4374-
TokenEndpoint: "https://foo.com/token",
4375-
JwksURI: "https://foo.com/certs",
4376-
ClientID: "foo",
4377-
ClientSecret: "super_secret_123",
4378-
RedirectURI: "/_codexch",
4379-
Scope: "openid",
4380-
AccessTokenEnable: true,
4381-
InterceptErrorEnable: false,
4368+
AuthEndpoint: "https://foo.com/auth",
4369+
TokenEndpoint: "https://foo.com/token",
4370+
JwksURI: "https://foo.com/certs",
4371+
ClientID: "foo",
4372+
ClientSecret: "super_secret_123",
4373+
RedirectURI: "/_codexch",
4374+
Scope: "openid",
4375+
AccessTokenEnable: true,
43824376
},
43834377
key: "default/oidc-policy-1",
43844378
},
@@ -4403,13 +4397,12 @@ func TestGeneratePoliciesFails(t *testing.T) {
44034397
},
44044398
Spec: conf_v1.PolicySpec{
44054399
OIDC: &conf_v1.OIDC{
4406-
ClientSecret: "oidc-secret",
4407-
AuthEndpoint: "https://foo.com/auth",
4408-
TokenEndpoint: "https://foo.com/token",
4409-
JWKSURI: "https://foo.com/certs",
4410-
ClientID: "foo",
4411-
AccessTokenEnable: true,
4412-
InterceptErrorEnable: false,
4400+
ClientSecret: "oidc-secret",
4401+
AuthEndpoint: "https://foo.com/auth",
4402+
TokenEndpoint: "https://foo.com/token",
4403+
JWKSURI: "https://foo.com/certs",
4404+
ClientID: "foo",
4405+
AccessTokenEnable: true,
44134406
},
44144407
},
44154408
},
@@ -4420,13 +4413,12 @@ func TestGeneratePoliciesFails(t *testing.T) {
44204413
},
44214414
Spec: conf_v1.PolicySpec{
44224415
OIDC: &conf_v1.OIDC{
4423-
ClientSecret: "oidc-secret",
4424-
AuthEndpoint: "https://bar.com/auth",
4425-
TokenEndpoint: "https://bar.com/token",
4426-
JWKSURI: "https://bar.com/certs",
4427-
ClientID: "bar",
4428-
AccessTokenEnable: true,
4429-
InterceptErrorEnable: false,
4416+
ClientSecret: "oidc-secret",
4417+
AuthEndpoint: "https://bar.com/auth",
4418+
TokenEndpoint: "https://bar.com/token",
4419+
JWKSURI: "https://bar.com/certs",
4420+
ClientID: "bar",
4421+
AccessTokenEnable: true,
44304422
},
44314423
},
44324424
},
@@ -4454,16 +4446,15 @@ func TestGeneratePoliciesFails(t *testing.T) {
44544446
},
44554447
expectedOidc: &oidcPolicyCfg{
44564448
&version2.OIDC{
4457-
AuthEndpoint: "https://foo.com/auth",
4458-
TokenEndpoint: "https://foo.com/token",
4459-
JwksURI: "https://foo.com/certs",
4460-
ClientID: "foo",
4461-
ClientSecret: "super_secret_123",
4462-
RedirectURI: "/_codexch",
4463-
Scope: "openid",
4464-
ZoneSyncLeeway: 200,
4465-
AccessTokenEnable: true,
4466-
InterceptErrorEnable: false,
4449+
AuthEndpoint: "https://foo.com/auth",
4450+
TokenEndpoint: "https://foo.com/token",
4451+
JwksURI: "https://foo.com/certs",
4452+
ClientID: "foo",
4453+
ClientSecret: "super_secret_123",
4454+
RedirectURI: "/_codexch",
4455+
Scope: "openid",
4456+
ZoneSyncLeeway: 200,
4457+
AccessTokenEnable: true,
44674458
},
44684459
"default/oidc-policy",
44694460
},

pkg/apis/configuration/v1/types.go

Lines changed: 10 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -475,17 +475,16 @@ type EgressMTLS struct {
475475

476476
// OIDC defines an Open ID Connect policy.
477477
type OIDC struct {
478-
AuthEndpoint string `json:"authEndpoint"`
479-
TokenEndpoint string `json:"tokenEndpoint"`
480-
JWKSURI string `json:"jwksURI"`
481-
ClientID string `json:"clientID"`
482-
ClientSecret string `json:"clientSecret"`
483-
Scope string `json:"scope"`
484-
RedirectURI string `json:"redirectURI"`
485-
ZoneSyncLeeway *int `json:"zoneSyncLeeway"`
486-
AuthExtraArgs []string `json:"authExtraArgs"`
487-
AccessTokenEnable bool `json:"accessTokenEnable"`
488-
InterceptErrorEnable bool `json:"interceptErrorEnable"`
478+
AuthEndpoint string `json:"authEndpoint"`
479+
TokenEndpoint string `json:"tokenEndpoint"`
480+
JWKSURI string `json:"jwksURI"`
481+
ClientID string `json:"clientID"`
482+
ClientSecret string `json:"clientSecret"`
483+
Scope string `json:"scope"`
484+
RedirectURI string `json:"redirectURI"`
485+
ZoneSyncLeeway *int `json:"zoneSyncLeeway"`
486+
AuthExtraArgs []string `json:"authExtraArgs"`
487+
AccessTokenEnable bool `json:"accessTokenEnable"`
489488
}
490489

491490
// WAF defines an WAF policy.

0 commit comments

Comments
 (0)