
Commit 5396af9

feat(openidc): support redis for session storage (#12986)
1 parent d6e288b commit 5396af9


5 files changed

+509
-1
lines changed


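--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -84,9 +84,76 @@ local schema = {
 description = "it holds the cookie lifetime in seconds in the future",
 }
 }
+},
+storage = {
+type = "string",
+enum = {"cookie", "redis"},
+default = "cookie",
+},
+redis = {
+type = "object",
+properties = {
+host = {
+type = "string", minLength = 2, default = "127.0.0.1"
+},
+port = {
+type = "integer", minimum = 1, default = 6379,
+},
+username = {
+type = "string", minLength = 1,
+},
+password = {
+type = "string", minLength = 0,
+},
+database = {
+type = "integer", minimum = 0, default = 0,
+description = "redis database index",
+},
+prefix = {
+type = "string",
+default = "sessions",
+description = "prefix for keys stored in redis"
+},
+ssl = {
+type = "boolean", default = false,
+description = "enable ssl",
+},
+ssl_verify = {
+type = "boolean", default = false,
+description = "verify ssl certificate",
+},
+server_name = {
+type = "string",
+description = "The server name for the new TLS SNI extension.",
+},
+connect_timeout = {
+type = "integer", minimum = 1, default = 1000,
+description = "connect timeout in milliseconds",
+},
+send_timeout = {
+type = "integer", minimum = 1, default = 1000,
+description = "send timeout in milliseconds",
+},
+read_timeout = {
+type = "integer", minimum = 1, default = 1000,
+description = "read timeout in milliseconds",
+},
+keepalive_timeout = {
+type = "integer", minimum = 1000, default = 10000,
+description = "keepalive timeout in milliseconds",
+},
+}
 }
 },
 required = {"secret"},
+["if"] = {
+properties = {
+storage = { enum = {"redis"} },
+},
+},
+["then"] = {
+required = {"redis"},
+},
 additionalProperties = false,
 },
 realm = {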
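Review bot: `ssl_verify` in the new `redis` object defaults to `false`, so a configuration that sets `ssl = true` gets an encrypted connection whose server certificate is never checked unless the operator also remembers to enable verification; consider `default = true`, or at least make the description say so, e.g. `description = "verify the redis server certificate; defaults to false, so a TLS connection is not authenticated unless enabled"`. `password` is a credential but is declared like any other string here; if the plugin declares `encrypt_fields` for its secrets (the `_M` table is not in this hunk), `session.redis.password` should be listed there so it is not persisted in plaintext. The `["if"]`/`["then"]` guard that requires `redis` when `storage` is `redis` is sound, though `port` could also carry `maximum = 65535` as the other bounds do. The enclosing `schema` table starts before and continues after this hunk.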

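--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
@@ -67,6 +67,21 @@ The `openid-connect` Plugin supports the integration with [OpenID Connect (OIDC)
 | session.secret | string | True | | 16 or more characters | Key used for session encryption and HMAC operation when `bearer_only` is `false`. |
 | session.cookie | object | False | | | Cookie configurations. |
 | session.cookie.lifetime | integer | False | 3600 | | Cookie lifetime in seconds. |
+| session.storage | string | False | cookie | ["cookie", "redis"] | Session storage method. |
+| session.redis | object | False | | | Redis configuration when `storage` is `redis`. |
+| session.redis.host | string | False | 127.0.0.1 | | Redis host. |
+| session.redis.port | integer | False | 6379 | | Redis port. |
+| session.redis.password | string | False | | | Redis password. |
+| session.redis.username | string | False | | | Redis username. |
+| session.redis.database | integer | False | 0 | | Redis database index. |
+| session.redis.prefix | string | False | sessions | | Redis key prefix. |
+| session.redis.ssl | boolean | False | false | | Enable SSL for Redis connection. |
+| session.redis.ssl_verify | boolean | False | false | | Verify SSL certificate. |
+| session.redis.server_name | string | False | | | Redis server name for SNI. |
+| session.redis.connect_timeout | integer | False | 1000 | | Connect timeout in milliseconds. |
+| session.redis.send_timeout | integer | False | 1000 | | Send timeout in milliseconds. |
+| session.redis.read_timeout | integer | False | 1000 | | Read timeout in milliseconds. |
+| session.redis.keepalive_timeout | integer | False | 10000 | | Keepalive timeout in milliseconds. |
 | session_contents | object | False | | | Session content configurations. If unconfigured, all data will be stored in the session. |
 | session_contents.access_token | boolean | False | | | If true, store the access token in the session. |
 | session_contents.id_token | boolean | False | | | If true, store the ID token in the session. |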

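--- a/docs/zh/latest/plugins/openid-connect.md
+++ b/docs/zh/latest/plugins/openid-connect.md
@@ -67,6 +67,21 @@ description: openid-connect 插件支持与 OpenID Connect (OIDC) 身份提供
 | session.secret | string || | 16 个字符以上 |`bearer_only``false` 时,用于 session 加密和 HMAC 运算的密钥。|
 | session.cookie | object || | | Cookie 配置。 |
 | session.cookie.lifetime | integer || 3600 | | Cookie 生存时间(秒)。|
+| session.storage | string || cookie | ["cookie", "redis"] | 会话存储方式。 |
+| session.redis | object || | |`storage``redis` 时的 Redis 配置。 |
+| session.redis.host | string || 127.0.0.1 | | Redis 主机地址。 |
+| session.redis.port | integer || 6379 | | Redis 端口。 |
+| session.redis.password | string || | | Redis 密码。 |
+| session.redis.username | string || | | Redis 用户名。 |
+| session.redis.database | integer || 0 | | Redis 数据库索引。 |
+| session.redis.prefix | string || sessions | | Redis 键前缀。 |
+| session.redis.ssl | boolean || false | | 启用 Redis SSL 连接。 |
+| session.redis.ssl_verify | boolean || false | | 验证 SSL 证书。 |
+| session.redis.server_name | string || | | Redis SNI 服务器名称。 |
+| session.redis.connect_timeout | integer || 1000 | | 连接超时时间(毫秒)。 |
+| session.redis.send_timeout | integer || 1000 | | 发送超时时间(毫秒)。 |
+| session.redis.read_timeout | integer || 1000 | | 读取超时时间(毫秒)。 |
+| session.redis.keepalive_timeout | integer || 10000 | | Keepalive 超时时间(毫秒)。 |
 | unauth_action | string || auth | ["auth","deny","pass"] | 未经身份验证的请求的操作。设置为 `auth` 时,重定向到 OpenID 提供程序的身份验证端点。设置为 `pass` 时,允许请求而无需身份验证。设置为 `deny` 时,返回 401 未经身份验证的响应,而不是启动授权代码授予流程。|
 | session_contents | object || | | 会话内容配置。如果未配置,将把所有数据存储在会话中。 |
 | session_contents.access_token | boolean || | | 若为 true,则将访问令牌存储在会话中。 |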
