markusmueller commented on PR #11059: URL: https://github.com/apache/apisix/pull/11059#issuecomment-2028423173
I came across this PR while working on another issue in the openid plugin. While I understand the need for an audience check in the use case mentioned, I have concerns about the solution proposed with this change. As far as I know neither openid nor oauth2 specify a format, existence or content of an audience claim (e.g. https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3: `The interpretation of audience values is generally application specific.`). Some IDPs use JWTs using the client_id as value of the aud claim, but that's not a requirement and not the case for every IDP. Hard-coding the check to the client_id configured in the plugin would break the plugin for some IDPs which are not using the client_id in an audience claim but are still conforming to the spec.

The apisix openid plugin is using lua-resty-openidc to verify access tokens; the method `jwt_verify` is accepting jwt-validators which can be dynamic. It might be a better way to add a configurable audience/general claim validation to solve this problem?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
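The difference between the two approaches discussed in the comment, as an added example that is not part of the PR, APISIX or lua-resty-openidc: a hard-coded "aud must equal the plugin's client_id" check beside a configurable audience check that follows RFC 7519 section 4.1.3 (aud is optional and may be a single string or an array of strings). The tokens, the client_id `apisix-client`, the audience `https://api.example.test` and the function names are all constructed for the demonstration; signature verification is deliberately out of scope here, since in the plugin that is done by `jwt_verify` before any claim validator runs.

```python
"""Configurable JWT audience check vs. a hard-coded client_id check (added example)."""
import base64
import json
from typing import Iterable, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.
    The signature is NOT checked here (assumption: it was already verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audience_values(claims: dict) -> set:
    """RFC 7519 4.1.3: 'aud' is optional and is either one string or an array."""
    aud = claims.get("aud")
    if aud is None:
        return set()
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return set(aud)
    raise ValueError("malformed aud claim")


def validate_audience(claims: dict, allowed: Iterable[str]) -> Tuple[bool, str]:
    """Configurable check: accept when any aud value is in the configured set.
    An empty configured set disables the check, for IdPs that issue no aud."""
    allowed = set(allowed)
    if not allowed:
        return True, "audience check disabled by configuration"
    present = audience_values(claims)
    if not present:
        return False, "token has no aud claim but one is required"
    if present & allowed:
        return True, "aud matches a configured audience"
    return False, f"aud {sorted(present)} not in configured {sorted(allowed)}"


def validate_audience_is_client_id(claims: dict, client_id: str) -> Tuple[bool, str]:
    """The hard-coded variant: aud must contain the plugin's own client_id."""
    return validate_audience(claims, {client_id})


def make_token(claims: dict) -> str:
    """Build a constructed sample token; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed configuration and tokens from three hypothetical IdPs.
CLIENT_ID = "apisix-client"
ALLOWED_AUDIENCES = {CLIENT_ID, "https://api.example.test"}
TOKEN_A = make_token({"sub": "alice", "aud": CLIENT_ID})            # client_id as aud
TOKEN_B = make_token({"sub": "bob", "aud": ["https://api.example.test", "billing"]})
TOKEN_C = make_token({"sub": "carol"})                               # no aud at all


def demo() -> dict:
    """Run both checks over the constructed tokens and report accept/reject."""
    cases = {
        "idp_client_id_as_aud": TOKEN_A,
        "idp_api_identifier_as_aud": TOKEN_B,
        "idp_without_aud": TOKEN_C,
    }
    results = {}
    for name, token in cases.items():
        claims = decode_claims(token)
        results[name] = {
            "hardcoded": validate_audience_is_client_id(claims, CLIENT_ID)[0],
            "configured": validate_audience(claims, ALLOWED_AUDIENCES)[0],
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The second token is the case the comment is about: an IdP that names the API rather than the client in `aud` is spec-conforming, yet the hard-coded check rejects it while the configured set accepts it. The third token shows the remaining policy choice an operator has to make explicitly: with a non-empty configured set a missing `aud` is rejected, and only an empty set turns the check off.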