Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(jwt) add jwt token to ngx.ctx #2988

Closed
wants to merge 4 commits into from

Conversation

albertored
Copy link
Contributor

Summary

In this way subsequent plugins can do things with the token
(specific payload validation, check for revocation, etc..) without
having to obtain it from the request.

@kikito
Copy link
Member

kikito commented Oct 26, 2017

Thanks for sending this PR. Could you add some specs to test that the code works as intended?

@kikito kikito added pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. and removed pr/status/please review labels Oct 26, 2017
@albertored
Copy link
Contributor Author

albertored commented Oct 26, 2017 via email

@albertored
Copy link
Contributor Author

albertored commented Oct 27, 2017

I just took a look to existing tests of jwt plugin but there is no test for variables added to ngx.ctx.

The only way I can think for test this situation is to add a fake plugin that reads values from ngx.ctx and returns them in a place (body or header of the response) where the tests can check them.

Anyway I think this is more a test for the lua-nginx-module than for kong itself so maybe there is no need of adding such tests here.

What do you think?

@Tieske
Copy link
Member

Tieske commented Oct 29, 2017

I don't think we should be merging this. I get the idea, but this is not the right moment. The planned plugin api should take all this "runloop" logic out of the plugins, as the plugins sole responsibility is authenticating. Updating the request itself is a Kong-core responsibility.

Besides that we will probably provide another mechanism for some inter-plugin comms, so introducing this now, and building dependencies on top of it would only lead to breaking them later.

@thibaultcha thoughts?

@albertored
Copy link
Contributor Author

Yes, if there is a bigger plan for a better inter-plugin communication I agree that populating directly the context is not a good thing. Also, since it is a very small change, I can live a personal fork of kong with this modification applied until the plugin api will allow it in a different way.

My only last suggestion is the following. Maybe you can merge this but writing somewhere (directly on the code or in the documentation) a warning about using it. Something like Use it at your own risk, it will be changed soon. This warning should be added also to existing plugin interactions like setting the consumer in ngx.ctx.authenticated_consumer.

@thibaultcha thibaultcha added pr/status/do not merge (to discuss) and removed pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. labels Nov 1, 2017
@thibaultcha
Copy link
Member

I think it would be ok to accept this (minor change), especially considering it is synchronized with #2810 thanks to @albertored 's efforts on communicating with @ikogan. Plugins already store other kind of values in ngx.ctx today, although they should not... Until we break free of this paradigm and provide a complete solution with our Lua Plugins API, I'd say this is a minor change to support... I can understand the value in other plugins accessing the OAuth2/JWT tokens... Even when we switch to a Lua Plugins API, some plugins (including those two) will need to make some type of information available to other plugins for further usage. Those plugins do a bit more than just authentication, they also expose how the user was authenticated, something that, say, key-auth might not have to do.

I'd be in favor of merging this, and, as always, all of our current API around plugins development (especially ngx.ctx values) should be considered experimental, so this doesn't derive too much from our current promise.

@albertored
Copy link
Contributor Author

Hi, any news on this?

rhabbachi pushed a commit to OpenDataStack/kong-plugin-jwt that referenced this pull request Dec 8, 2017
feat(jwt) add jwt token to ngx.ctx #2988
@thibaultcha
Copy link
Member

@albertored @ikogan I still am in favor of merging this PR and #2818, granted that they follow the same approach and eventually provide tests for this feature. (Updating one of the plugins under spec/fixtures/custom_plugins (or creating a new one) to consume this value and assert that it is being set would be ideal... We should also rebase both of these PRs.

In this way subsequent plugins can do things with the token
(specific payload validation, check for revocation, etc..) without
having to obtain it from the request.
@albertored albertored force-pushed the feat/jwt-token-in-ngx-ctx branch from 9308915 to f456cc9 Compare January 21, 2018 17:26
@albertored
Copy link
Contributor Author

@thibaultcha @ikogan PR rebased and tests added

I have added a custom plugin for checking values in ngx.ctx, let me know if this is ok

@albertored albertored force-pushed the feat/jwt-token-in-ngx-ctx branch from ae5509c to 56df78c Compare January 22, 2018 11:02
@ikogan
Copy link
Contributor

ikogan commented Jan 25, 2018

Sorry about how long it's taken me to respond, I had to get my Kong development environment working again.

I'm a little confused by the addition of @albertored's custom plugin. Is the purpose to allow for a universal header to be set based on the presence of a field in the context? What if you want to set more than one header? Does it's usefulness extend beyond the unit tests?

Since I don't have this custom plugin, I'll have to rebase around your branch or implement my own logic in the tests. If we find that this additional plugin is useful, I'll go ahead and rebase.

@albertored
Copy link
Contributor Author

Yes, the idea is exactly that. If in future (or now) we think it can be useful to extend it to handle more than one context field we can do it.

For what regards your PR I think you should wait for this to be merged, rebase and use the same plugin for your tests. All this clearly apply only if no one has other suggestion to improve/change the way the feature is tested.

@ikogan
Copy link
Contributor

ikogan commented Jan 25, 2018

Sounds good to me, I'll wait for this to be merged.

thibaultcha pushed a commit that referenced this pull request Feb 15, 2018
This way subsequent plugins can do things with the token
(specific payload validation, check for revocation, etc..) without
having to obtain it from the request.

From #2988

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
@thibaultcha
Copy link
Member

Merged and pushed to next - thank you @albertored! I made a few modifications to the patch, especially to avoid spreading the test regarding the returned value from the ctx-checker plugin. Better make that a test of its own for the sake of atomicity.

@albertored albertored deleted the feat/jwt-token-in-ngx-ctx branch June 4, 2018 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants