kayx23 commented on code in PR #12964: URL: https://github.com/apache/apisix/pull/12964#discussion_r2758015162
########## docs/en/latest/plugins/openid-connect.md: ########## 
@@ -55,7 +55,7 @@ The `openid-connect` Plugin supports the integration with [OpenID Connect (OIDC) | introspection_endpoint_auth_method | string | False | client_secret_basic | | Authentication method for the token introspection endpoint. The value should be one of the authentication methods specified in the `introspection_endpoint_auth_methods_supported` [authorization server metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the well-known discovery document, such as `client_secret_basic`, `client_secret_post`, `private_key_jwt`, and `client_secret_jwt`. | | token_endpoint_auth_method | string | False | client_secret_basic | | Authentication method for the token endpoint. The value should be one of the authentication methods specified in the `token_endpoint_auth_methods_supported` [authorization server metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the well-known discovery document, such as `client_secret_basic`, `client_secret_post`, `private_key_jwt`, and `client_secret_jwt`. If the configured method is not supported, fall back to the first method in the `token_endpoint_auth_methods_supported` array. | | public_key | string | False | | | Public key used to verify JWT signature id asymmetric algorithm is used. Providing this value to perform token verification will skip token introspection in client credentials flow. You can pass the public key in `-----BEGIN PUBLIC KEY-----\\n……\\n-----END PUBLIC KEY-----` format. | -| use_jwks | boolean | False | false | | If true and if `public_key` is not set, use the JWKS to verify JWT signature and skip token introspection in client credentials flow. The JWKS endpoint is parsed from the discovery document. | +| use_jwks | boolean | False | false | | Whether to use the JWKS(JSON Web Key Set) endpoint to validate the token signature. 
|

Review Comment:
The modified description contains less information than before (though the desc before sounds slightly off on the public key front).

From the code it looks like the logic is:

> If either `public_key` or `use_jwks` is set, the plugin will verify JWT signature (using the specified public key or JWKS) and skip token introspection. When using JWKS, the endpoint is parsed from the discovery document.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
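
Review bot: Missing documentation in the `+` row for `use_jwks`: it no longer says that the option applies when `public_key` is not set, that verifying the signature skips token introspection in the client credentials flow, or that the JWKS endpoint is parsed from the discovery document, all of which the removed row stated. Skipping introspection changes how a token is validated, so an operator enabling this option needs to see it in the attribute table; suggest keeping those three points and only correcting the wording around `public_key`. Style: add a space in `JWKS(JSON Web Key Set)`. The unchanged `public_key` row just above reads "id asymmetric algorithm", which looks like a typo for "if" and could be fixed in the same change.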
