feat: Add forward-auth plugin exception configuration status_on_error (#10898)
diff --git a/apisix/plugins/forward-auth.lua b/apisix/plugins/forward-auth.lua
index 6d4454a..69dc48d 100644
--- a/apisix/plugins/forward-auth.lua
+++ b/apisix/plugins/forward-auth.lua
@@ -24,6 +24,7 @@
properties = {
uri = {type = "string"},
allow_degradation = {type = "boolean", default = false},
+ status_on_error = {type = "integer", minimum = 200, maximum = 599, default = 403},
ssl_verify = {
type = "boolean",
default = true,
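Review bot: `minimum = 200` on `status_on_error` lets a route be configured so that a failed call to the authorization service is answered with a 2xx or 3xx code, which clients and monitoring will read as success even though the auth check never completed. The value is only used on the `not res` error path, so a tighter bound keeps the failure visible: `status_on_error = {type = "integer", minimum = 400, maximum = 599, default = 403},`. If 2xx/3xx is intended, the schema line should carry a comment saying why. Separately, the zh documentation row added in this commit gives the type as `boolean`, while the schema here declares `integer`. The `properties` table continues outside the hunk.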
@@ -131,8 +132,8 @@
if not res and conf.allow_degradation then
return
elseif not res then
- core.log.error("failed to process forward auth, err: ", err)
- return 403
+ core.log.warn("failed to process forward auth, err: ", err)
+ return conf.status_on_error
end
if res.status >= 300 then
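Review bot: The `not res` branch now logs at `warn` instead of `error`, so an authorization-service outage can fall below error-level log alerting while every request on the route is being rejected with `conf.status_on_error`. Keeping `core.log.error("failed to process forward auth, err: ", err)` would preserve that signal. As far as this hunk shows, the `allow_degradation` branch above returns without logging at all, so a line such as `core.log.warn("forward auth unavailable, request allowed by allow_degradation, err: ", err)` there would make unauthenticated pass-through visible too. The enclosing function starts and ends outside the hunk.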
diff --git a/docs/en/latest/plugins/forward-auth.md b/docs/en/latest/plugins/forward-auth.md
index 2fe89d3..4b8d138 100644
--- a/docs/en/latest/plugins/forward-auth.md
+++ b/docs/en/latest/plugins/forward-auth.md
@@ -49,6 +49,7 @@
| keepalive_timeout | integer | False | 60000ms | [1000, ...]ms | Idle time after which the connection is closed. |
| keepalive_pool | integer | False | 5 | [1, ...]ms | Connection pool limit. |
| allow_degradation | boolean | False | false | | When set to `true`, allows authentication to be skipped when authentication server is unavailable. |
+| status_on_error | integer | False | 403 | [200,...,599] | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is “403” (HTTP Forbidden). |
## Data definition
diff --git a/docs/zh/latest/plugins/forward-auth.md b/docs/zh/latest/plugins/forward-auth.md
index a7babfe..82aa5f4 100644
--- a/docs/zh/latest/plugins/forward-auth.md
+++ b/docs/zh/latest/plugins/forward-auth.md
@@ -48,6 +48,7 @@
| keepalive_timeout | integer | 否 | 60000ms | [1000, ...]ms | 长连接超时时间。 |
| keepalive_pool | integer | 否 | 5 | [1, ...]ms | 长连接池大小。 |
| allow_degradation | boolean | 否 | false | | 当设置为 `true` 时,允许在身份验证服务器不可用时跳过身份验证。 |
+| status_on_error | boolean | 否 | 403 | [200,...,599] | 设置授权服务出现网络错误时返回给客户端的 HTTP 状态。默认状态为“403”。 |
## 数据定义
diff --git a/t/plugin/forward-auth.t b/t/plugin/forward-auth.t
index 25e4fe6..b22260c 100644
--- a/t/plugin/forward-auth.t
+++ b/t/plugin/forward-auth.t
@@ -285,6 +285,26 @@
"upstream_id": "u1",
"uri": "/large-body"
}]],
+ },
+ {
+ url = "/apisix/admin/routes/8",
+ data = [[{
+ "plugins": {
+ "forward-auth": {
+ "uri": "http://127.39.40.1:9999/auth",
+ "request_headers": ["Authorization"],
+ "upstream_headers": ["X-User-ID"],
+ "client_headers": ["Location"],
+ "status_on_error": 503,
+ "allow_degradation": false
+ },
+ "proxy-rewrite": {
+ "uri": "/echo"
+ }
+ },
+ "upstream_id": "u1",
+ "uri": "/onerror"
+ }]],
}
}
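Review bot: The new route `/apisix/admin/routes/8` exercises only the configured value 503 against an address that is presumably unreachable. Nothing in this file's hunks checks that the schema rejects an out-of-range `status_on_error` (for example 600), or that a route without the field still answers 403 on an auth-service error. A schema-rejection case and a default-value case would pin both the bounds and the backward-compatible default of the new option. The surrounding route list starts outside the hunk.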
@@ -297,7 +317,7 @@
}
}
--- response_body eval
-"passed\n" x 10
+"passed\n" x 11
@@ -408,7 +428,16 @@
-=== TEST 13: test large body
+=== TEST 13: Verify status_on_error
+--- request
+GET /onerror
+--- more_headers
+Authorization: 333
+--- error_code: 503
+
+
+
+=== TEST 14: test large body
--- config
location /t {
content_by_lua_block {