serverless pre function not working / need to extract groups from payload data generated from jwt token

[arjunradiant]

This is my yaml for the serverless pre function

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: feeservice-route-test
namespace: feeservice-test
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
http:

• name: feeservice
  match:
  hosts:

  • services-test.airportauthority.net
    paths:

  • /feeservice/*
    backends:

  • serviceName: feeservice-test
    servicePort: 8080
    plugins:

  • name: proxy-rewrite
    enable: true
    config:
    regex_uri:

    • ^/feeservice/(.*)
    • "/$1"

  • name: cors
    enable: true
    config:
    allow_origins: ""
    allow_methods: "GET, POST, PUT, DELETE, PATCH, OPTIONS, MKCOL, COPY, MOVE, PROPFIND, LOCK, UNLOCK, PATCH, TRACE"
    allow_headers: ""
    expose_headers: "*, groups" # Expose 'groups' header

  • name: openid-connect
    enable: true
    config:
    bearer_only: true
    client_id: apisix
    client_secret: 5w0ne2td7AOf49FMT7pZr9BgQhverkPY
    discovery: https://keycloak.airportauthority.net/realms/Airport-Authority/.well-known/openid-configuration

  • name: serverless-pre-function
    enable: true
    config:
    functions:
    - |
    return function(conf, ctx)
    local core = require("apisix.core")
    local jwt = require("resty.jwt")

        local jwt_token = core.request.header(ctx, "Authorization")
        if jwt_token then
            core.log.info("Authorization header found: ", jwt_token)
    
            local _, _, jwt_token_only = string.find(jwt_token, "Bearer%s+(.+)")
            if jwt_token_only then
                core.log.info("Extracted JWT token: ", jwt_token_only)
    
                local jwt_obj = jwt:load_jwt(jwt_token_only)
                if jwt_obj and jwt_obj.valid then
                    core.log.info("JWT token is valid")
    
                    -- Set 'user' header from preferred_username (or another claim)
                    if jwt_obj.payload.preferred_username then
                        core.log.info("Preferred username found: ", jwt_obj.payload.preferred_username)
                        core.request.set_header(ctx, "user", jwt_obj.payload.preferred_username)
                    else
                        core.log.warn("No 'preferred_username' claim in JWT payload")
                    end
    
                    -- Set 'groups' header if it exists and use the same format
                    if jwt_obj.payload.groups then
                        local groups_claim_value = table.concat(jwt_obj.payload.groups, ",")
                        core.log.info("Groups claim value: ", groups_claim_value)
    
                        core.request.set_header(ctx, "groups", groups_claim_value)
                        core.log.info("Set 'groups' header with value: ", groups_claim_value)
                    else
                        core.log.warn("No 'groups' claim in JWT payload")
                    end
                else
                    core.log.warn("Invalid JWT token")
                end
            else
                core.log.warn("JWT token extraction failed")
            end
        else
            core.log.warn("Authorization header not found")
        end
      end
    

• name: swagger-ui
  match:
  hosts:

  • services-test.airportauthority.net
    paths:
  • /feeservice/swagger-ui/*
    backends:
  • serviceName: feeservice-test
    servicePort: 8080
    plugins:
  • name: proxy-rewrite
    enable: true
    config:
    regex_uri:
    • ^/swagger-ui/(.*)
    • "/$1"
  • name: cors
    enable: true
    config:
    allow_origins: ""
    allow_methods: "GET, POST, PUT, DELETE, PATCH, OPTIONS, MKCOL, COPY, MOVE, PROPFIND, LOCK, UNLOCK, PATCH, TRACE"
    allow_headers: ""
    expose_headers: "*, groups" # Expose 'groups' header

• name: swagger-config
  match:
  hosts:

  • services-test.airportauthority.net
    paths:
  • /feeservice/v3/*
    backends:
  • serviceName: feeservice-test
    servicePort: 8080
    plugins:
  • name: proxy-rewrite
    enable: true
    config:
    regex_uri:
    • ^(feeservice/v3/.*)
    • "/$1"
  • name: cors
    enable: true
    config:
    allow_origins: ""
    allow_methods: "GET, POST, PUT, DELETE, PATCH, OPTIONS, MKCOL, COPY, MOVE, PROPFIND, LOCK, UNLOCK, PATCH, TRACE"
    allow_headers: ""
    expose_headers: "*, groups" # Expose 'groups' header

• name: feeservice-wildcard
  match:
  hosts:

  • services-test.airportauthority.net
    paths:

  • "/-fee/"
    backends:

  • serviceName: feeservice-test
    servicePort: 8080
    plugins:

  • name: proxy-rewrite
    enable: true
    config:
    regex_uri:

    • ^/(.*)
    • "/$1"

  • name: cors
    enable: true
    config:
    allow_origins: ""
    allow_methods: "GET, POST, PUT, DELETE, PATCH, OPTIONS, MKCOL, COPY, MOVE, PROPFIND, LOCK, UNLOCK, PATCH, TRACE"
    allow_headers: ""
    expose_headers: "*, groups" # Expose 'groups' header

  • name: openid-connect
    enable: true
    config:
    bearer_only: true
    client_id: apisix
    client_secret: 5w0ne2td7AOf49FMT7pZr9BgQhverkPY
    discovery: https://keycloak.airportauthority.net/realms/Airport-Authority/.well-known/openid-configuration

  • name: serverless-pre-function
    enable: true
    config:
    functions:
    - |
    return function(conf, ctx)
    local core = require("apisix.core")
    local jwt = require("resty.jwt")

        local jwt_token = core.request.header(ctx, "Authorization")
        if jwt_token then
            core.log.info("Authorization header found: ", jwt_token)
    
            local _, _, jwt_token_only = string.find(jwt_token, "Bearer%s+(.+)")
            if jwt_token_only then
                core.log.info("Extracted JWT token: ", jwt_token_only)
    
                local jwt_obj = jwt:load_jwt(jwt_token_only)
                if jwt_obj and jwt_obj.valid then
                    core.log.info("JWT token is valid")
    
                    -- Set 'user' header from preferred_username (or another claim)
                    if jwt_obj.payload.preferred_username then
                        core.log.info("Preferred username found: ", jwt_obj.payload.preferred_username)
                        core.request.set_header(ctx, "user", jwt_obj.payload.preferred_username)
                    else
                        core.log.warn("No 'preferred_username' claim in JWT payload")
                    end
    
                    -- Set 'groups' header if it exists and use the same format
                    if jwt_obj.payload.groups then
                        local groups_claim_value = table.concat(jwt_obj.payload.groups, ",")
                        core.log.info("Groups claim value: ", groups_claim_value)
    
                        core.request.set_header(ctx, "groups", groups_claim_value)
                        core.log.info("Set 'groups' header with value: ", groups_claim_value)
                    else
                        core.log.warn("No 'groups' claim in JWT payload")
                    end
                else
                    core.log.warn("Invalid JWT token")
                end
            else
                core.log.warn("JWT token extraction failed")
            end
        else
            core.log.warn("Authorization header not found")
        end
      end
    

  but when I use curl the serverless pre function doesnt seem to work , I get responce till the cors plugin only.

[dosubot[bot]]

I found a similar open issue regarding the serverless-pre-function plugin not working correctly for setting the Authorization request header. You can check the details in this GitHub issue, which is still open and was last updated on January 09, 2024 ^[1].

To troubleshoot your issue, ensure the following:

1. Function Validity: Verify that the Lua function in your serverless-pre-function is correctly defined and that the resty.jwt library is properly loaded and used.

2. Plugin Execution Order: The serverless-pre-function plugin should have a high priority to ensure it executes before other plugins. By default, it has a priority of 10000. Ensure no other plugins with higher priority are interfering.

3. Logs and Debugging: Check the APISIX logs for any warnings or errors related to the JWT token extraction or validation. This can provide insights into why the function might not be executing as expected.

4. Configuration Verification: Use the curl command to verify the route configuration and ensure the serverless-pre-function is correctly set up in the APISIX configuration. You can also test the route and check the error.log for expected log messages to confirm the function is being executed ^[2][3].

If these steps do not resolve the issue, consider reviewing the open issue for any updates or additional troubleshooting steps.

To continue talking to Dosu, mention @dosu.

[arjunradiant]

@indrekj @huacnlee @markokocic @jaysonsantos please can you help me with the above