This is an automated email from the ASF dual-hosted git repository.
monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 8412e3f3f fix: update OIDC plugin attribute description and schema
(#10502)
8412e3f3f is described below
commit 8412e3f3f3326308bec6cdf724deeafc2ade74df
Author: Traky Deng <[email protected]>
AuthorDate: Fri Nov 17 01:00:11 2023 -0800
fix: update OIDC plugin attribute description and schema (#10502)
---
apisix/plugins/openid-connect.lua | 4 ++++
docs/en/latest/plugins/openid-connect.md | 6 +++---
docs/zh/latest/plugins/openid-connect.md | 6 +++---
t/plugin/openid-connect.t | 2 +-
4 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/apisix/plugins/openid-connect.lua
b/apisix/plugins/openid-connect.lua
index 0bd39f20d..5c9fffc89 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -54,6 +54,10 @@ local schema = {
type = "string",
default = "client_secret_basic"
},
+ token_endpoint_auth_method = {
+ type = "string",
+ default = "client_secret_basic"
+ },
bearer_only = {
type = "boolean",
default = false,
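Review bot: The new `token_endpoint_auth_method` entry accepts any string, so a misspelled method passes schema validation. According to the Chinese documentation row updated in this same commit, an unsupported value falls back to the first method the provider advertises, so the client would authenticate to the token endpoint with a method the operator did not choose. Consider constraining the field with `enum = {"client_secret_basic", "client_secret_post", "private_key_jwt", "client_secret_jwt"},`, provided those four are the only values the underlying library handles (to be confirmed). The added `default = "client_secret_basic"` is also not reflected in the docs tables, where the Default column of the `token_endpoint_auth_method` rows is left blank in both languages. The enclosing `schema` table starts and ends outside this hunk.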
diff --git a/docs/en/latest/plugins/openid-connect.md
b/docs/en/latest/plugins/openid-connect.md
index 486001a93..1121250a7 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
@@ -46,9 +46,9 @@ description: OpenID Connect allows the client to obtain user
information from th
| redirect_uri | string | False |
"ngx.var.request_uri" | | URI to which the identity provider
redirects back to.
|
| timeout | integer | False | 3
| [1,...] | Request timeout time in seconds.
|
| ssl_verify | boolean | False | false
| | When set to true, verifies the identity provider's SSL
certificates. |
-| introspection_endpoint | string | False |
| | URL of the token verification endpoint of the identity
server. |
-| introspection_endpoint_auth_method | string | False |
"client_secret_basic" | | Authentication method name for token
introspection.
|
-| token_endpoint_auth_method | string | False |
| | Authentication method name for token endpoint. The
default will get the first supported method specified by the OP. |
+| introspection_endpoint | string | False |
| | URL of the token introspection endpoint for the identity
provider used to introspect access tokens. If this is unset, the introspection
endpoint presented in the well-known discovery document is used [as a
fallback](https://github.com/zmartzone/lua-resty-openidc/commit/cdaf824996d2b499de4c72852c91733872137c9c).
|
+| introspection_endpoint_auth_method | string | False |
"client_secret_basic" | | Authentication method for the token
introspection endpoint. The value should be one of the authentication methods
specified in the `introspection_endpoint_auth_methods_supported` [authorization
server metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the
well-known discovery document, such as `client_secret_basic`,
`client_secret_post`, `private_key_jwt`, or `client_secret [...]
+| token_endpoint_auth_method | string | False |
| | Authentication method for the token endpoint. The value
should be one of the authentication methods specified in the
`token_endpoint_auth_methods_supported` [authorization server
metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the
well-known discovery document, such as `client_secret_basic`,
`client_secret_post`, `private_key_jwt`, or `client_secret_jwt`. If the
configur [...]
| public_key | string | False |
| | Public key to verify the token.
|
| use_jwks | boolean | False | false
| | When set to `true`, uses the JWKS endpoint of the
identity server to verify the token. |
| use_pkce | boolean | False | false
| | when set to `true`, the "Proof Key for Code Exchange" as
defined in RFC 7636 will be used. |
diff --git a/docs/zh/latest/plugins/openid-connect.md
b/docs/zh/latest/plugins/openid-connect.md
index 3fbe9fc0d..2dae43d7d 100644
--- a/docs/zh/latest/plugins/openid-connect.md
+++ b/docs/zh/latest/plugins/openid-connect.md
@@ -46,9 +46,9 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议
| redirect_uri | string | 否 |
"ngx.var.request_uri" | | 身份提供者重定向返回的 URI。
|
| timeout | integer | 否 | 3
| [1,...] | 请求超时时间,单位为秒
|
| ssl_verify | boolean | 否 | false
| [true, false] | 当设置为 `true` 时,验证身份提供者的 SSL 证书。
|
-| introspection_endpoint | string | 否 |
| | 身份服务器的令牌认证端点。
|
-| introspection_endpoint_auth_method | string | 否 |
"client_secret_basic" | | 令牌内省的认证方法名称。
|
-| token_endpoint_auth_method | string | 否 |
| | 令牌端点的身份验证方法名称。默认情况将获取 OP 指定的第一个支持的方法。
|
+| introspection_endpoint | string | 否 |
| | 用于内省访问令牌的身份提供者的令牌内省端点的
URL。如果未设置,则使用发现文档中提供的内省端点[作为后备](https://github.com/zmartzone/lua-resty-openidc/commit/cdaf824996d2b499de4c72852c91733872137c9c)。
|
+| introspection_endpoint_auth_method | string | 否 |
"client_secret_basic" | |
令牌内省端点的身份验证方法。该值应是“introspection_endpoint_auth_methods_supported”[授权服务器元数据](https://www.rfc-editor.org/rfc/rfc8414.html)中指定的身份验证方法之一,如发现文档中所示,例如
`client_secret_basic`, `client_secret_post`, `private_key_jwt`,或
`client_secret_jwt`。
|
+| token_endpoint_auth_method | string | 否 |
| |
令牌端点的身份验证方法。该值应是“token_endpoint_auth_methods_supported”[授权服务器元数据](https://www.rfc-editor.org/rfc/rfc8414.html)中指定的身份验证方法之一,如发现文档中所示,例如
`client_secret_basic`, `client_secret_post`, `private_key_jwt`,或
`client_secret_jwt`。如果不支持配置的方法,则回退到`token_endpoint_auth_methods_supported`
数组中的第一个方法。 |
| public_key | string | 否 |
| | 验证令牌的公钥。
|
| use_jwks | boolean | 否 | false
| | 当设置为 `true` 时,则会使用身份认证服务器的 JWKS 端点来验证令牌。
|
| use_pkce | boolean | 否 | false
| [true, false] | 当设置为 `true` 时,则使用 PKEC(Proof Key for Code Exchange)。
|
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index 515319248..d78d38067 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -876,7 +876,7 @@ OIDC introspection failed: invalid token
}
}
--- response_body
-{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_heade
[...]
+{"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","introspection_endpoint_auth_method":"client_secret_basic","logout_path":"/logout","realm":"apisix","scope":"openid","set_access_token_header":true,"set_id_token_header":true,"set_refresh_token_header":false,"set_userinfo_heade
[...]