bzp2010 commented on issue #12438: URL: https://github.com/apache/apisix/issues/12438#issuecomment-3134684961
I do not understand the reasonableness of this requirement.

If you use `bearer_only = true`, that means that anything related to token generation is handled outside the gateway, whether it's token generation or token rotation, and the gateway will always just validate it and decide if the traffic should go through or not.

If you use `bearer_only = false`, that means APISIX will use sessions to store authentication information and pass through the access_token/id_token to the backend. If the information in those sessions is outdated, it first tries to refresh the cached access_tokens using the refresh_token, and if it succeeds, the user does not feel the interruption; if the refresh fails, it jumps to the IDP and asks the user to re-authenticate.

This is the intended design, and in this model it seems that the user shouldn't and doesn't need to get the original value of the token whenever it is available (and passing it upstream seems to lack justification), and the token expiration date will be maintained by the gateway and transparent to the downstream.

You'll need to do more to justify it broadly; the "my organization needs it" rationale doesn't seem to be general enough to justify such a security-related change.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
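The two modes the comment contrasts can be modelled as a small decision function. The following is an added illustration, not APISIX code and not part of the thread: a toy gateway that, with `bearer_only` set, only validates a presented bearer token and rejects everything else, and that, without it, keeps a server-side session, transparently refreshes an expired access token with the stored refresh token, and sends the user back to the IdP only when that refresh fails. The `FakeIdP` class, the `X-Access-Token` upstream header name, the session store and all token values are constructed for the example.

```python
"""Model of APISIX openid-connect 'bearer_only' behaviour (constructed example, not APISIX code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute time in seconds


@dataclass
class Decision:
    status: int                  # 200 = pass upstream, 401 = reject, 302 = redirect to IdP
    upstream_headers: Dict[str, str]


class FakeIdP:
    """Hypothetical identity provider: knows which access tokens are live and which refresh tokens still work."""

    def __init__(self) -> None:
        self.valid_access = {"at-live"}
        # refresh token -> the renewed token set it yields (single use, like a rotated refresh token)
        self.valid_refresh: Dict[str, TokenSet] = {
            "rt-good": TokenSet("at-renewed", "rt-next", expires_at=2000.0),
        }

    def validate(self, access_token: str) -> bool:
        return access_token in self.valid_access

    def refresh(self, refresh_token: str) -> Optional[TokenSet]:
        return self.valid_refresh.pop(refresh_token, None)


class Gateway:
    def __init__(self, idp: FakeIdP, bearer_only: bool, clock: Callable[[], float]) -> None:
        self.idp = idp
        self.bearer_only = bearer_only
        self.clock = clock
        self.sessions: Dict[str, TokenSet] = {}  # session cookie -> tokens held by the gateway

    def handle(self, headers: Dict[str, str], session_cookie: Optional[str] = None) -> Decision:
        if self.bearer_only:
            # Token lifecycle lives entirely outside the gateway: validate what is presented, nothing more.
            auth = headers.get("Authorization", "")
            if not auth.startswith("Bearer "):
                return Decision(401, {})
            if not self.idp.validate(auth[len("Bearer "):]):
                return Decision(401, {})
            return Decision(200, {"Authorization": auth})

        # Session mode: the gateway owns the tokens and the client only holds a session cookie.
        tokens = self.sessions.get(session_cookie or "")
        if tokens is None:
            return Decision(302, {})  # no session yet: send the user to the IdP to authenticate
        if tokens.expires_at <= self.clock():
            renewed = self.idp.refresh(tokens.refresh_token) if tokens.refresh_token else None
            if renewed is None:
                self.sessions.pop(session_cookie, None)  # refresh failed: drop session, re-authenticate
                return Decision(302, {})
            self.sessions[session_cookie] = renewed  # silent renewal, invisible to the user
            tokens = renewed
        return Decision(200, {"X-Access-Token": tokens.access_token})


def run_scenarios() -> Dict[str, Decision]:
    """Exercise both modes against constructed requests and return the outcomes."""
    now = 1000.0
    clock = lambda: now
    strict = Gateway(FakeIdP(), bearer_only=True, clock=clock)
    session_gw = Gateway(FakeIdP(), bearer_only=False, clock=clock)
    session_gw.sessions["sid-fresh"] = TokenSet("at-fresh", "rt-unused", expires_at=5000.0)
    session_gw.sessions["sid-expired-ok"] = TokenSet("at-old", "rt-good", expires_at=500.0)
    session_gw.sessions["sid-expired-bad"] = TokenSet("at-old", "rt-revoked", expires_at=500.0)
    return {
        "bearer_valid": strict.handle({"Authorization": "Bearer at-live"}),
        "bearer_unknown": strict.handle({"Authorization": "Bearer at-forged"}),
        "bearer_missing": strict.handle({}),
        "session_none": session_gw.handle({}, None),
        "session_fresh": session_gw.handle({}, "sid-fresh"),
        "session_refreshed": session_gw.handle({}, "sid-expired-ok"),
        "session_refresh_failed": session_gw.handle({}, "sid-expired-bad"),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:24} -> {d.status} {d.upstream_headers}")
```

The point the model makes concrete is the one in the comment: in session mode the upstream only ever sees the token the gateway currently holds, and expiry is handled by the refresh branch before the request is forwarded, so the client never needs the raw token or its expiry to stay logged in.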