csotiriou commented on issue #10454: URL: https://github.com/apache/apisix/issues/10454#issuecomment-1803327689
Hello again. Found the solution, leaving a note here.

I opened the source code of the OpenID plugin, and I saw that basically the client_id and client_secret are NOT supposed to represent the client that will have access to the endpoint. **They are the credentials that APISIX will use to communicate with the introspection endpoint of the authorization server**. Meaning that my use case must be served by other means, like scope-based authorization, which I mentioned in #10352.

For now, I have copied and customized the default openid-connect plugin of APISIX, I have added the new openid custom plugin using the guide here (https://apisix.apache.org/docs/ingress-controller/tutorials/using-custom-plugins/), I have added scope-based authentication for the cases where an introspection endpoint is used to verify the token, and I have my use case ready.

I will try and make a PR in case someone else finds this interesting. For now, I believe that this issue can be closed.
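An added example, not part of the original comment and not APISIX's Lua plugin code: a Python sketch of the RFC 7662 exchange the comment describes, where the gateway's own client_id/client_secret authenticate the introspection call and the caller is authorized from the response. The function names, the endpoint URL, the `allowed_clients` parameter and all sample values are assumptions constructed for illustration.

```python
import base64
from urllib.parse import quote_plus, urlencode


def build_introspection_request(endpoint, client_id, client_secret, token):
    """Describe the RFC 7662 request a gateway would send.

    client_id/client_secret identify the gateway itself to the authorization
    server. They say nothing about which client presented the token.
    """
    # RFC 6749 section 2.3.1: form-encode both parts before Basic encoding.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode()).decode()
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        # The caller's bearer token travels in the body, not in the credentials.
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }


def authorize(introspection, required_scopes, allowed_clients=None):
    """Decide access from a parsed introspection response: (status, reason)."""
    # Anything other than a literal true for "active" is a rejected token.
    if introspection.get("active") is not True:
        return 401, "token inactive"
    # "scope" is a space-delimited string in the introspection response.
    granted = set(str(introspection.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        return 403, "missing scope: " + " ".join(sorted(missing))
    # Optional (hypothetical) allow-list on the client the token was issued to,
    # taken from the response's own "client_id" field.
    if allowed_clients is not None and introspection.get("client_id") not in allowed_clients:
        return 403, "client not allowed"
    return 200, "ok"


# Constructed sample introspection response (not from a real server).
SAMPLE_ACTIVE = {"active": True, "scope": "orders:read profile", "client_id": "mobile-app"}
```
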
