Skip to content

THREESCALE-11441 only validate oidc setting if authentication method is set to oidc #1568

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tkan145 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

THREESCALE-11441 only validate oidc setting if authentication method is set to oidc #1568

tkan145 wants to merge 1 commit into from

Conversation

@tkan145
Copy link
Contributor

@tkan145 tkan145 commented Jan 30, 2026
edited
Loading

What

Fix https://issues.redhat.com/browse/THREESCALE-11441

Verification steps

  • Checkout this branch
  • Build APIcast image
make runtime-image IMAGE_NAME=apicast-test
  • Get into dev-environment
cd dev-environments/plain-http-upstream
  • Modify apicast-config.json as follow
diff --git a/dev-environments/plain-http-upstream/apicast-config.json b/dev-environments/plain-http-upstream/apicast-config.json
index ff944273..405498c6 100644                                                                                                 
--- a/dev-environments/plain-http-upstream/apicast-config.json                                                                  
+++ b/dev-environments/plain-http-upstream/apicast-config.json                                                                  
@@ -5,6 +5,7 @@                                                                                                                 
       "backend_version": "1",                                                                                                  
       "proxy": {                                                                                                               
         "hosts": ["get.example.com"],                                                                                          
+        "oidc_issuer_endpoint": "https://3scale-test:[email protected]/auth/realms/3scale", 
+        "authentication_method": "1", 
         "api_backend": "http://example.com/get",                                                                               
         "backend": {                                                                                                           
           "endpoint": "http://backend:80",

and docker-compose

diff --git a/dev-environments/plain-http-upstream/docker-compose.yml b/dev-environments/plain-http-upstream/docker-compose.yml
index ebf84ebc..0563effa 100644                                                                                               
--- a/dev-environments/plain-http-upstream/docker-compose.yml                                                                 
+++ b/dev-environments/plain-http-upstream/docker-compose.yml                                                                 
@@ -10,11 +10,11 @@ services:                                                                                                 
     - two.upstream                                                                                                           
     environment:                                                                                                             
       THREESCALE_CONFIG_FILE: /tmp/config.json                                                                               
-      THREESCALE_DEPLOYMENT_ENV: staging                                                                                     
-      APICAST_CONFIGURATION_LOADER: lazy                                                                                     
+      THREESCALE_DEPLOYMENT_ENV: production                                                                                  
+      APICAST_CONFIGURATION_LOADER: boot                                                                                     
       APICAST_WORKERS: 1                                                                                                     
       APICAST_LOG_LEVEL: debug                                                                                               
-      APICAST_CONFIGURATION_CACHE: "0"                                                                                       
+      APICAST_CONFIGURATION_CACHE: "300"                                                                                     
     expose:                                                                                                                  
       - "8080"                                                                                                               
       - "8090"
  • Start APIcast with latest image first,
make gateway IMAGE_NAME=quay.io/3scale/apicast:latest

the gateway should output the following

gateway-1  | 2026/01/30 00:13:53 [debug] 23#23: *2 [lua] http.lua:86: connect(): connected to  ip:172.19.0.2 host: keycloak port: 8080 ok: nil err: connection refused                                           
gateway-1  | 2026/01/30 00:13:53 [error] 23#23: *2 [lua] discovery.lua:113: openid_configuration(): failed to get OIDC Provider from http://oidc-issuer-for-3scale:oidc-issuer-for-3scale-secret@keycloak:8080/re
alms/basic/.well-known/openid-configuration status: 0 body: nil, context: ngx.timer                                                                                                                              
gateway-1  | 2026/01/30 00:13:53 [notice] 23#23: gracefully shutting down                                                                                                                                        
gateway-1  | 2026/01/30 00:13:53 [notice] 23#23: exiting
  • Stop the gateway
CTRL-C
  • Start the gateway again with new image
make  gateway IMAGE_NAME=apicast-test

Check the log again and you should not see the same error

@tkan145 tkan145 requested a review from a team as a code owner January 30, 2026 00:22
@tkan145 tkan145 changed the title fix: only validate oidc setting if authentication method is set to oidc THREESCALE-11441 only validate oidc setting if authentication method is set to oidc Jan 30, 2026
@tkan145 tkan145 force-pushed the THREESCALE-11441 branch 2 times, most recently from 842cd5f to 2bd8459 Compare February 2, 2026 08:27
josemigallas
josemigallas reviewed Feb 3, 2026
View reviewed changes
Copy link

@josemigallas josemigallas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with some minor suggestions

spec/configuration_loader/remote_v2_spec.lua
}, config.oidc)
end)

it('ingore OIDC configuration when authentication_method is not oidc', function()
Copy link

@josemigallas josemigallas Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
it('ingore OIDC configuration when authentication_method is not oidc', function()
it('ignore OIDC configuration when authentication_method is not oidc', function()

gateway/src/apicast/configuration_loader/oidc.lua
Comment on lines +26 to +27
-- Only fetch OIDC configuration if authentication method is set to 'oidc'
local authentication = proxy.authentication_method or service.backend_version
Copy link

@josemigallas josemigallas Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this comment could go away by simply extracting a guard from the code below:

Suggested change
-- Only fetch OIDC configuration if authentication method is set to 'oidc'
local authentication = proxy.authentication_method or service.backend_version
local authentication = proxy.authentication_method or service.backend_version
if authentication ~= 'oidc' then
return nil
end

The if authentication part seems redundant anyway (nil is already unequal to 'oidc').

Copy link
Contributor Author

@tkan145 tkan145 Feb 3, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The authentication can take the following values:

  • 1 : user_key
  • 2: app_id/app_key
  • oidc: OIDC
  • nil: But if the oidc_issuer_endpoint is provided, then in this case we don't want to query OIDC endpoint
    Therefore, an if statement is needed.

gateway/src/apicast/configuration_loader/oidc.lua
local authentication = proxy.authentication_method or service.backend_version

if authentication and authentication == 'oidc' then
local result = _M.discovery:call(service.proxy.oidc_issuer_endpoint)
Copy link

@josemigallas josemigallas Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

proxy already declared on the top

Suggested change
local result = _M.discovery:call(service.proxy.oidc_issuer_endpoint)
local result = _M.discovery:call(proxy.oidc_issuer_endpoint)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@josemigallas josemigallas josemigallas left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tkan145 @josemigallas