feat(openidc): support redis for session storage (#12986)

Author: shreemaan-abhishek

apisix/plugins/openid-connect.lua

@@ -84,9 +84,76 @@ local schema = {
                             description = "it holds the cookie lifetime in seconds in the future",
                         }
                     }
+                },
+                storage = {
+                    type = "string",
+                    enum = {"cookie", "redis"},
+                    default = "cookie",
+                },
+                redis = {
+                    type = "object",
+                    properties = {
+                        host = {
+                            type = "string", minLength = 2, default = "127.0.0.1"
+                        },
+                        port = {
+                            type = "integer", minimum = 1, default = 6379,
+                        },
+                        username = {
+                            type = "string", minLength = 1,
+                        },
+                        password = {
+                            type = "string", minLength = 0,
+                        },
+                        database = {
+                            type = "integer", minimum = 0, default = 0,
+                            description = "redis database index",
+                        },
+                        prefix = {
+                            type = "string",
+                            default = "sessions",
+                            description = "prefix for keys stored in redis"
+                        },
+                        ssl = {
+                            type = "boolean", default = false,
+                            description = "enable ssl",
+                        },
+                        ssl_verify = {
+                            type = "boolean", default = false,
+                            description = "verify ssl certificate",
+                        },
+                        server_name = {
+                            type = "string",
+                            description = "The server name for the new TLS SNI extension.",
+                        },
+                        connect_timeout = {
+                            type = "integer", minimum = 1, default = 1000,
+                            description = "connect timeout in milliseconds",
+                        },
+                        send_timeout = {
+                            type = "integer", minimum = 1, default = 1000,
+                            description = "send timeout in milliseconds",
+                        },
+                        read_timeout = {
+                            type = "integer", minimum = 1, default = 1000,
+                            description = "read timeout in milliseconds",
+                        },
+                        keepalive_timeout = {
+                            type = "integer", minimum = 1000, default = 10000,
+                            description = "keepalive timeout in milliseconds",
+                        },
+                    }
                 }
             },
             required = {"secret"},
+            ["if"] = {
+                properties = {
+                    storage = { enum = {"redis"} },
+                },
+            },
+            ["then"] = {
+                required = {"redis"},
+            },
             additionalProperties = false,
         },
         realm = {

docs/en/latest/plugins/openid-connect.md

@@ -67,6 +67,21 @@ The `openid-connect` Plugin supports the integration with [OpenID Connect (OIDC)
 | session.secret     | string   | True     |  | 16 or more characters | Key used for session encryption and HMAC operation when `bearer_only` is `false`.         |
 | session.cookie     | object   | False    |     |             |   Cookie configurations.    |
 | session.cookie.lifetime              | integer   | False    | 3600                  |             | Cookie lifetime in seconds. |
+| session.storage    | string   | False    | cookie | ["cookie", "redis"] | Session storage method. |
+| session.redis        | object   | False    |     |             |   Redis configuration when `storage` is `redis`.    |
+| session.redis.host   | string   | False    | 127.0.0.1 |             |   Redis host.    |
+| session.redis.port   | integer   | False    | 6379 |             |   Redis port.    |
+| session.redis.password | string   | False    |     |             |   Redis password.    |
+| session.redis.username | string   | False    |     |             |   Redis username.    |
+| session.redis.database | integer   | False    | 0 |             |   Redis database index.    |
+| session.redis.prefix | string   | False    | sessions |             |   Redis key prefix.    |
+| session.redis.ssl    | boolean   | False    | false |             |   Enable SSL for Redis connection.    |
+| session.redis.ssl_verify | boolean   | False    | false |             |   Verify SSL certificate.    |
+| session.redis.server_name | string   | False    |     |             |   Redis server name for SNI.    |
+| session.redis.connect_timeout | integer   | False    | 1000 |             |   Connect timeout in milliseconds.    |
+| session.redis.send_timeout   | integer   | False    | 1000 |             |   Send timeout in milliseconds.    |
+| session.redis.read_timeout   | integer   | False    | 1000 |             |   Read timeout in milliseconds.    |
+| session.redis.keepalive_timeout | integer   | False    | 10000 |             |   Keepalive timeout in milliseconds.    |
 | session_contents   | object   | False    |                   |             | Session content configurations. If unconfigured, all data will be stored in the session. |
 | session_contents.access_token   | boolean   | False    |          |             | If true, store the access token in the session.  |
 | session_contents.id_token   | boolean   | False    |          |             | If true, store the ID token in the session.  |

docs/zh/latest/plugins/openid-connect.md

@@ -67,6 +67,21 @@ description: openid-connect 插件支持与 OpenID Connect (OIDC) 身份提供
 | session.secret | string | 是 | | 16 个字符以上 | 当 `bearer_only` 为 `false` 时，用于 session 加密和 HMAC 运算的密钥。|
 | session.cookie | object | 否 | | | Cookie 配置。 |
 | session.cookie.lifetime | integer | 否 | 3600 | | Cookie 生存时间（秒）。|
+| session.storage | string | 否 | cookie | ["cookie", "redis"] | 会话存储方式。 |
+| session.redis | object | 否 | | | 当 `storage` 为 `redis` 时的 Redis 配置。 |
+| session.redis.host | string | 否 | 127.0.0.1 | | Redis 主机地址。 |
+| session.redis.port | integer | 否 | 6379 | | Redis 端口。 |
+| session.redis.password | string | 否 | | | Redis 密码。 |
+| session.redis.username | string | 否 | | | Redis 用户名。 |
+| session.redis.database | integer | 否 | 0 | | Redis 数据库索引。 |
+| session.redis.prefix | string | 否 | sessions | | Redis 键前缀。 |
+| session.redis.ssl    | boolean   | 否    | false |             |   启用 Redis SSL 连接。    |
+| session.redis.ssl_verify | boolean   | 否    | false |             |   验证 SSL 证书。    |
+| session.redis.server_name | string   | 否    |     |             |   Redis SNI 服务器名称。    |
+| session.redis.connect_timeout | integer   | 否    | 1000 |             |   连接超时时间（毫秒）。    |
+| session.redis.send_timeout   | integer   | 否    | 1000 |             |   发送超时时间（毫秒）。    |
+| session.redis.read_timeout   | integer   | 否    | 1000 |             |   读取超时时间（毫秒）。    |
+| session.redis.keepalive_timeout | integer   | 否    | 10000 |             |   Keepalive 超时时间（毫秒）。    |
 | unauth_action | string | 否 | auth | ["auth","deny","pass"] | 未经身份验证的请求的操作。设置为 `auth` 时，重定向到 OpenID 提供程序的身份验证端点。设置为 `pass` 时，允许请求而无需身份验证。设置为 `deny` 时，返回 401 未经身份验证的响应，而不是启动授权代码授予流程。|
 | session_contents   | object   | 否    |       |        | 会话内容配置。如果未配置，将把所有数据存储在会话中。 |
 | session_contents.access_token   | boolean   | 否    |          |        | 若为 true，则将访问令牌存储在会话中。 |