Baoyuantop commented on code in PR #13081:
URL: https://github.com/apache/apisix/pull/13081#discussion_r2929207629
##########
apisix/plugins/openid-connect.lua:
##########
@@ -622,6 +623,88 @@ local function validate_claims_in_oidcauth_response(resp,
conf)
return core.schema.check(conf.claim_schema, data)
end
+
+local function get_forwarded_param(ctx, param_name)
+ local forwarded = ctx.var.http_forwarded
+ if not forwarded then
+ return nil
+ end
+ -- take only the first proxy entry (before any comma)
+ local first = forwarded:match("^([^,]+)")
+ if not first then
+ return nil
+ end
+ for part in first:gmatch("[^;]+") do
+ local name, value = part:match("^%s*([^=]+)%s*=%s*(.-)%s*$")
+ if name and name:lower() == param_name then
+ -- strip surrounding quotes
+ if value:sub(1, 1) == '"' then
+ value = value:sub(2, -2)
+ end
+ return value
+ end
+ end
+ return nil
+end
+
+
+-- Build an absolute redirect_uri from the incoming request.
+local function build_redirect_uri(ctx)
+ local suffix = "/.apisix/redirect"
+ local uri = ctx.var.uri
+ local redirect_path
+ if core.string.has_suffix(uri, suffix) then
+ -- This is the redirection response from the OIDC provider.
+ redirect_path = uri
+ else
+ if string.sub(uri, -1, -1) == "/" then
+ redirect_path = string.sub(uri, 1, -2) .. suffix
+ else
+ redirect_path = uri .. suffix
+ end
+ end
+
+ local scheme
+ local host
+
+ if trusted_addr.is_trusted(ctx.var.realip_remote_addr) then
Review Comment:
Can we directly use ctx.var.http_x_forwarded_host,
ctx.var.http_x_forwarded_proto, and ctx.var.http_x_forwarded_port (which have
already been correctly handled in handle_x_forwarded_headers) without having to
repeatedly check the trusted/untrusted branch?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
