feat: add dingtalk-auth plugin#13381
Open
AlinsRan wants to merge 4 commits into
Open
Conversation
dosubot
Bot
added
size:XL
There was a problem hiding this comment.
Pull request overview
This PR introduces a new dingtalk-auth plugin that integrates DingTalk OAuth 2.0 authentication into APISIX routes. The plugin extracts an authorization code from query/header, exchanges it for an access token (with an LRU cache), retrieves user info from DingTalk, and persists the verified user in an encrypted lua-resty-session v4 cookie. It also optionally forwards user info to the upstream via an X-Userinfo header.
Changes:
- New plugin implementation
apisix/plugins/dingtalk-auth.luawith priority 2430 and encryptedapp_secret/secretfields. - New test suite
t/plugin/dingtalk-auth.t(13 cases) and registration int/admin/plugins.t,apisix/cli/config.lua, andconf/config.yaml.example. - New English documentation
docs/en/latest/plugins/dingtalk-auth.mdand sidebar entry indocs/en/latest/config.json.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| apisix/plugins/dingtalk-auth.lua | New plugin implementing DingTalk OAuth2 code-to-userinfo flow with session cookie. |
| apisix/cli/config.lua | Registers dingtalk-auth in the default plugin list at priority 2430. |
| conf/config.yaml.example | Adds dingtalk-auth to the example plugin list. |
| t/plugin/dingtalk-auth.t | New test suite mocking DingTalk endpoints and exercising schema, redirect, code, session, and custom code-source paths. |
| t/admin/plugins.t | Adds plugin to expected admin plugin list. |
| docs/en/latest/plugins/dingtalk-auth.md | New English plugin documentation. |
| docs/en/latest/config.json | Adds doc page to the English sidebar. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Add the dingtalk-auth plugin that integrates DingTalk OAuth 2.0 authentication into APISIX routes. The plugin: - Validates a DingTalk authorization code from a configurable query parameter (default: "code") or request header (default: "X-DingTalk-Code") - Exchanges the code for an access token via the DingTalk token API and caches it with a 7000-second TTL to avoid repeated token fetches - Retrieves DingTalk user information and stores it in an encrypted cookie session (lua-resty-session v4) - Forwards user information to upstream in the X-Userinfo header (Base64-encoded JSON) when set_userinfo_header is true - Supports secret_fallbacks for zero-downtime session key rotation Priority: 2430 (between key-auth 2500 and consumer-restriction 2400) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…nfo encoding error - Check return value of sess:save() and return 500 if it fails, rather than silently proceeding with an unsaved session - Handle encoding error for the X-Userinfo header gracefully instead of passing nil to base64_encode Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add dingtalk-auth to apisix/cli/config.lua so the plugin is loaded by the APISIX runtime and recognized by the Admin API. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
AlinsRan
force-pushed
the
feat/dingtalk-auth
branch
from
6d03b36 to
0adcd44
Compare
- Add minimum=1 to timeout and cookie_expires_in to reject non-positive values that would cause undefined behavior - Add minLength=1 to optional string fields (code_header, code_query, redirect_uri, userinfo_url, access_token_url) to reject empty strings - Use direct truthiness check for set_userinfo_header (schema always provides a boolean default) - Distinguish auth failures (errcode != 0 → 401) from transient upstream errors (network/decode/non-200 → 503) in fetch_userinfo - Improve access token failure message: 'Failed to obtain access token' instead of the misleading 'Invalid configuration' - Redirect to redirect_uri instead of returning 500 when session cookie contains corrupted JSON; this matches the no-session behavior - Remove ctx.external_user assignment (no standard consumer in OSS APISIX) - Add error message assertions to schema tests 2 and 3 - Add note in schema comment about secret_fallbacks encrypt_fields limitation (array traversal not supported) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
AlinsRan
force-pushed
the
feat/dingtalk-auth
branch
from
0adcd44 to
908641e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Add a new
dingtalk-authplugin that integrates DingTalk (钉钉) OAuth 2.0 authentication into APISIX routes. The plugin exchanges a DingTalk authorization code for a verified user identity and stores the result in an encrypted cookie session, so downstream requests only hit DingTalk APIs once per session.How it works
redirect_uri.codeor headerX-DingTalk-Code), it is exchanged for an access token via the DingTalk token API.lua-resty-sessionv4 cookie.set_userinfo_headeristrue(default), the upstream receives user information in theX-Userinfoheader as a Base64-encoded JSON object.Attributes
app_keyapp_secretsecretredirect_uricode_query"code"code_header"X-DingTalk-Code"access_token_urluserinfo_urltimeout6000ssl_verifytrueset_userinfo_headertrueX-Userinfoheadercookie_expires_in86400secret_fallbacksPlugin priority: 2430 (between
key-auth2500 andconsumer-restriction2400).Usage
1. Enable the plugin in config.yaml
2. Create a route
3. Authentication flow
When a user visits your protected API without a session, they are redirected to DingTalk's login page. After authorizing, DingTalk calls back with a
codequery parameter. APISIX exchanges the code for user info, stores it in a session cookie, and forwards the request to upstream with theX-Userinfoheader set:Decoded:
{"userId": "123456", "name": "John Doe"}4. Key rotation (zero downtime)
To rotate the session encryption secret without invalidating existing sessions:
{ "secret": "new-secret-value", "secret_fallbacks": ["old-secret-value"] }Existing sessions encrypted with
old-secret-valuecontinue to work until they expire.Changes
apisix/plugins/dingtalk-auth.luat/plugin/dingtalk-auth.tdocs/en/latest/plugins/dingtalk-auth.mdconf/config.yaml.example,docs/en/latest/config.json,t/admin/plugins.t,apisix/cli/config.lua