Support JWT scopes to allow or reject requests in OAuth2 plugin

[sshniro]

Issue description

The JWT contains the scopes available for a user via the scope attribute. Scope represents the capabilities the token has such as read or delete. It would be good if we can define a required set of scopes and allow or reject the request based on the required scope.

[membphis]

can you provide an example?

[sshniro]

The following is the scenario I have in mind.

The getProducts endpoint should be accessible via a token which has the read scope.

curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "uri": "/getProducts",
  "plugins": {
    "proxy-rewrite": {
      "scheme": "https"
    },
    "openid-connect": {
      "client_id": "api_six_client_id",
      "client_secret": "client_secret_code",
      "discovery": "full_URL_of_the_discovery_endpoint",
      "required_scope": "read_scope",
}
  }
}'

And the deleteProducts endpoint should be accessible via the token with a deletescope.

curl http://127.0.0.1:9080/apisix/admin/routes/5 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "uri": "/deleteProducts",
  "plugins": {
    "proxy-rewrite": {
      "scheme": "https"
    },
    "openid-connect": {
      "client_id": "api_six_client_id",
      "client_secret": "client_secret_code",
      "discovery": "full_URL_of_the_discovery_endpoint",
      "required_scope": "delete_scope",
}
  }
}'

This is how the core OpenID Library is suggesting to handle this scenario.

https://github.com/zmartzone/lua-resty-openidc#sample-configuration-for-oauth-20-jwt-token-validation

[membphis]

@moonming you can take a look

[sshniro]

@moonming any thoughts on this enhancement?

[moonming]

required_scope should be scope?
others look good to me.

[spacewander]

Is it still in need?

[tamasorban]

@spacewander, I believe there's still a need for this ticket. The openid-connect plugin introduced a scope property for a different purpose. The scope property described in the ticket would allow us to accept/reject the request.

[csotiriou]

@spacewander, I believe there's still a need for this ticket. The openid-connect plugin introduced a scope property for a different purpose. The scope property described in the ticket would allow us to accept/reject the request.

I second that. I believe that this is indeed a very useful addition, and should definitely be reconsidered.

[csotiriou]

I believe that this need is partially or completely fulfilled by this fix: #10493

[kayx23]

I believe that this need is partially or completely fulfilled by this fix: #10493

cc: @monkeyDluffy6017

[monkeyDluffy6017]

considered resolved