Authentication with oauth2

Sharing my latest work.
I have a separate OAuth2 server that checks the identity of the customer.

The following Lua code runs in an EnvoyFilter on the Istio ingress gateway and authenticates access requests for the “/sapi/” path against the OAuth2 server:

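 --- Percent-encode every byte outside the RFC 3986 unreserved set.
 -- A token taken from a header or query string is placed into the query of
 -- the check_token request; without encoding, a token containing "&" or "#"
 -- could add or cut off parameters of that upstream request.
 -- @tparam string s raw token
 -- @treturn string encoded token
 local function percent_encode(s)
   return (string.gsub(s, "[^%w%-_%.~]", function(c)
     return string.format("%%%02X", string.byte(c))
   end))
 end

 --- Decode "%XX" escapes of a query-string value.
 -- A token read from the query string is already encoded; decoding it here
 -- keeps percent_encode from encoding it a second time when forwarding.
 -- @tparam string s query value
 -- @treturn string decoded value
 local function percent_decode(s)
   return (string.gsub(s, "%%(%x%x)", function(hex)
     return string.char(tonumber(hex, 16))
   end))
 end

 --- Locate the access token of a request, in the same order as before:
 -- "Authorization: Bearer ..." header, then an "access_token" header, then
 -- an "access_token" query parameter.
 -- @param request_handle Envoy Lua request handle
 -- @tparam string path the ":path" pseudo-header
 -- @treturn string|nil token, or nil when none is present
 local function extract_token(request_handle, path)
   local headers = request_handle:headers()
   local auth = headers:get("Authorization")
   if auth ~= nil then
     -- Only the Bearer scheme carries an OAuth2 access token. The old
     -- string.sub(token, 8) blindly dropped the first seven bytes, so a
     -- "Basic ..." header was forwarded as if it were a bearer token.
     return string.match(auth, "^[Bb][Ee][Aa][Rr][Ee][Rr]%s+(%S+)%s*$")
   end
   local header_token = headers:get("access_token")
   if header_token ~= nil then
     return header_token
   end
   -- The query value ends at the next "&" or "#"; the previous string.sub
   -- swallowed every following parameter into the token.
   local query_token = string.match(path, "[?&]access_token=([^&#]*)")
   if query_token ~= nil and query_token ~= "" then
     return percent_decode(query_token)
   end
   return nil
 end

 --- Send the standard Bearer rejection. The body is valid JSON and no
 -- longer echoes the presented token back to the client (a token in an
 -- error body ends up in client and proxy logs).
 -- @param request_handle Envoy Lua request handle
 local function reject(request_handle)
   request_handle:respond(
     {
       [":status"] = 401,
       ["WWW-Authenticate"] = 'Bearer error="invalid_token"',
       ["content-type"] = "application/json",
     },
     '{"error":"invalid_token","error_description":"Invalid access token"}')
 end

 --- Authenticate requests whose path contains "/sapi/" against the OAuth2
 -- server's check_token endpoint. Other paths are left untouched.
 -- Rejections are now 401 (client error) instead of 500.
 -- @param request_handle Envoy Lua request handle
 -- @tparam string cluster Envoy cluster name for request_handle:httpCall
 -- @tparam[opt] string authority ":authority" of the check_token request;
 --   defaults to the OAuth2 service name that used to be hard-coded
 -- @return nil; failures are answered via request_handle:respond
 function checkToken(request_handle, cluster, authority)
   authority = authority or "basesecurity.baoli-test.svc.cluster.local:8080"
   -- A request without :path cannot reach a /sapi/ route, so it is treated
   -- like any other non-sapi path instead of raising a script error.
   local path = request_handle:headers():get(":path") or ""
   -- Plain find, as before: the substring may appear anywhere in :path,
   -- query string included, which only ever adds requests to the checked
   -- set (fail-closed).
   if string.find(path, "/sapi/", 1, true) == nil then
     return nil
   end

   local token = extract_token(request_handle, path)
   if token == nil then
     reject(request_handle)
     return nil
   end

   local authentication_request = {
     [":method"] = "POST",
     [":path"] = "/oauth/check_token?token=" .. percent_encode(token),
     [":authority"] = authority,
   }
   local response_headers, response_body = request_handle:httpCall(
     cluster,
     authentication_request,
     "",
     2000
   )

   -- Fail closed. The previous check only searched the body for "error":
   -- an upstream 5xx or timeout with an empty body let the request through,
   -- and a nil body raised a script error. Now anything other than a 200
   -- with an error-free body is a rejection. (":status" is assumed to be a
   -- string here; tostring() covers a numeric value as well.)
   local status = response_headers and response_headers[":status"]
   local rejected = tostring(status) ~= "200"
     or response_body == nil
     or string.find(response_body, "error", 1, true) ~= nil
   if rejected then
     reject(request_handle)
   end
   return nil
 end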

  --- Envoy request hook: run the OAuth2 token check against the security
  -- service cluster. The setXCustomUserIP step remains disabled.
  -- @param request_handle Envoy Lua request handle
  function envoy_on_request(request_handle)
    local security_cluster = "outbound|8080||basesecurity.baoli-test.svc.cluster.local"
    checkToken(request_handle, security_cluster)
    -- setXCustomUserIP(request_handle)
  end