Pass Access and ID tokens to an upstream resource (nokia#75)

* Pass Access and ID tokens to upstream resource as headers "X-Access-Token" and "X-ID-Token" respectively
upowl · Dec 14, 2018 · 4df820b · 4df820b
1 parent de67ea0
commit 4df820b
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 2 deletions.
diff --git a/kong/plugins/oidc/handler.lua b/kong/plugins/oidc/handler.lua
@@ -36,8 +36,16 @@ function handle(oidcConfig)
 
   if response == nil then
     response = make_oidc(oidcConfig)
-    if response and response.user then
-      utils.injectUser(response.user)
+    if response then
+      if (response.user) then
+        utils.injectUser(response.user)
+      end
+      if (response.access_token) then
+        utils.injectAccessToken(response.access_token)
+      end
+      if (response.id_token) then
+        utils.injectIDToken(response.id_token)
+      end
     end
   end
 end

diff --git a/kong/plugins/oidc/utils.lua b/kong/plugins/oidc/utils.lua
@@ -67,6 +67,15 @@ function M.exit(httpStatusCode, message, ngxCode)
   ngx.exit(ngxCode)
 end
 
+function M.injectAccessToken(accessToken)
+  ngx.req.set_header("X-Access-Token", accessToken)
+end
+
+function M.injectIDToken(idToken)
+  local tokenStr = cjson.encode(idToken)
+  ngx.req.set_header("X-ID-Token", ngx.encode_base64(tokenStr))
+end
+
 function M.injectUser(user)
   local tmp_user = user
   tmp_user.id = user.sub

diff --git a/test/unit/test_handler_mocking_openidc.lua b/test/unit/test_handler_mocking_openidc.lua
@@ -48,6 +48,70 @@ function TestHandler:test_authenticate_ok_with_userinfo()
   lu.assertEquals(headers['X-Userinfo'], "eyJzdWIiOiJzdWIifQ==")
 end
 
+function TestHandler:test_authenticate_ok_with_no_accesstoken()
+  self.module_resty.openidc.authenticate = function(opts)
+    return {}, true
+  end
+
+  local headers = {}
+  ngx.req.set_header = function(h, v)
+    headers[h] = v
+  end
+
+  self.handler:access({})
+  lu.assertTrue(self:log_contains("calling authenticate"))
+  lu.assertNil(headers['X-Access-Token'])
+end
+
+function TestHandler:test_authenticate_ok_with_accesstoken()
+  self.module_resty.openidc.authenticate = function(opts)
+    return {access_token = "ACCESS_TOKEN"}, true
+  end
+
+  local headers = {}
+  ngx.req.set_header = function(h, v)
+    headers[h] = v
+  end
+
+  self.handler:access({})
+  lu.assertTrue(self:log_contains("calling authenticate"))
+  lu.assertEquals(headers['X-Access-Token'], "ACCESS_TOKEN")
+end
+
+function TestHandler:test_authenticate_ok_with_no_idtoken()
+  self.module_resty.openidc.authenticate = function(opts)
+    return {}, true
+  end
+
+  local headers = {}
+  ngx.req.set_header = function(h, v)
+    headers[h] = v
+  end
+
+  self.handler:access({})
+  lu.assertTrue(self:log_contains("calling authenticate"))
+  lu.assertNil(headers['X-ID-Token'])
+end
+
+function TestHandler:test_authenticate_ok_with_idtoken()
+  self.module_resty.openidc.authenticate = function(opts)
+    return {id_token = {sub = "sub"}}, true
+  end
+
+  ngx.encode_base64 = function(x)
+    return "eyJzdWIiOiJzdWIifQ=="
+  end
+
+  local headers = {}
+  ngx.req.set_header = function(h, v)
+    headers[h] = v
+  end
+
+  self.handler:access({})
+  lu.assertTrue(self:log_contains("calling authenticate"))
+  lu.assertEquals(headers['X-ID-Token'], "eyJzdWIiOiJzdWIifQ==")
+end
+
 function TestHandler:test_authenticate_nok_no_recovery()
   self.module_resty.openidc.authenticate = function(opts)
     return {}, true