Apache APISIX is a modern, high-performance, cloud-native API gateway for managing and securing API traffic. It sits between clients and backend services and provides load balancing, authentication, rate limiting, traffic control and more.
Make sure you have already enabled OpenID Connect on your LemonLDAP::NG server.
APISIX acts as an OpenID Connect Resource Server: it only validates the access_token it is given and never performs the login itself. The LemonLDAP::NG configuration below therefore describes the real Relying Party (the client that obtains the token).
Then, add a Relying Party with the following configuration:
Client ID: choose a client ID, such as james_client_id
Client Secret: choose a client secret, such as james_client_secret
Logout URL: endpoint of the APISIX revoked-token plugin, such as http://apisix.example.com:8081/add-revoked-token
Login redirect URI: such as http://apisix.example.com:8081/login-callback.html
Define exported attributes:
The APISIX route configuration for OIDC, based on the openid-connect plugin, is as follows:

    services:
      -
        id: jmap_service_oidc
        upstream_id: jmap_upstream
        plugins:
          openid-connect:
            _meta:
              filter:
                - - request_method
                  - "~="
                  - OPTIONS
            client_id: "james_client_id"
            client_secret: "james_client_secret"
            discovery: "http://lemonldap.domain/auth/realms/oidc/.well-known/openid-configuration"
            scope: "openid profile email"
            bearer_only: true
            use_jwks: true
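What `bearer_only: true` together with `use_jwks: true` commits the gateway to is local validation: the token must carry a valid signature from a key published in the provider's JWKS, and the issuer, audience and expiry claims must match, with no call back to LemonLDAP::NG per request. The revoked-token endpoint named in the Logout URL above is what lets the gateway also refuse tokens whose session was ended early. The following is an added, self-contained illustration of that check and is not code from LemonLDAP::NG, APISIX or the James example. It uses only the Python standard library, generates a demo-sized 512-bit RSA key at import time (far too small for real use), and constructs the issuer URL (derived from the discovery URL above), the key id, the claims and the revoked set purely for illustration.

```python
"""Added example (not LemonLDAP::NG or APISIX code): what a bearer-only OIDC resource
server does with an access_token when use_jwks is on. Pure stdlib; the RSA key is
demo-sized (512 bits). Issuer, kid, claims and the revoked set are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2), needed for RS256
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test with small-prime trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_key(bits=512):
    """Demo-sized RSA key as a dict of integers n, e, d (never this small in production)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) to k bytes, as RS256 requires."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def jwks_for(key, kid):
    """The JWKS document the OpenID Provider publishes at its jwks_uri."""
    k = (key["n"].bit_length() + 7) // 8
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64u(key["n"].to_bytes(k, "big")),
                      "e": b64u(key["e"].to_bytes(3, "big"))}]}


def issue_token(key, kid, claims):
    """Provider side (demo only): mint an RS256-signed JWT access token."""
    compact = lambda obj: b64u(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + compact(claims)
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64u(pow(em, key["d"], key["n"]).to_bytes(k, "big"))


def validate_bearer(token, jwks, issuer, client_id, revoked, now=None):
    """Resource-server side, i.e. what bearer_only + use_jwks means for the gateway.
    Returns (claims, "ok") or (None, reason) without contacting the provider."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, sig = json.loads(b64u_decode(h_b64)), json.loads(b64u_decode(p_b64)), b64u_decode(s_b64)
    except ValueError:
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        return None, "unsupported alg"
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None:
        return None, "unknown kid"
    n = int.from_bytes(b64u_decode(jwk["n"]), "big")
    e = int.from_bytes(b64u_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return None, "bad signature"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, _emsa_pkcs1_v15((h_b64 + "." + p_b64).encode(), k)):
        return None, "bad signature"
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("jti") in revoked:  # the set the add-revoked-token endpoint would maintain
        return None, "revoked"
    return claims, "ok"


if __name__ == "__main__":
    issuer = "http://lemonldap.domain/auth/realms/oidc"  # constructed from the discovery URL
    key, kid, now = generate_rsa_key(), "llng-sig-1", int(time.time())
    jwks = jwks_for(key, kid)
    tok = issue_token(key, kid, {"iss": issuer, "aud": "james_client_id", "sub": "alice",
                                 "jti": "tok-0001", "exp": now + 300})
    for label, rev, at in (("fresh", set(), now), ("revoked", {"tok-0001"}, now), ("expired", set(), now + 600)):
        print(label, "->", validate_bearer(tok, jwks, issuer, "james_client_id", rev, at)[1])
```

The order of checks mirrors what matters for a gateway: signature and key id before any claim, so an unsigned or foreign-key token costs nothing beyond one modular exponentiation; audience pinned to the client_id of the Relying Party so a token minted for another client cannot be replayed against JMAP; and the revocation lookup last, since it is the only step that depends on state the Logout URL has to push to the gateway.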
Note: the complete example with APISIX and Apache James can be found at https://github.com/apache/james-project/blob/master/examples/oidc/README.md