This is an automated email from the ASF dual-hosted git repository.

shreemaanabhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new dd42b19fe chore: set default value of ssl_verify to true (#13010)
dd42b19fe is described below

commit dd42b19feb15d12b0f6dbfbfdae6f4f2207d0f2c
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Fri Feb 27 12:10:50 2026 +0545

    chore: set default value of ssl_verify to true (#13010)
---
 apisix/plugins/openid-connect.lua        | 4 ++--
 docs/en/latest/plugins/openid-connect.md | 4 ++--
 docs/zh/latest/plugins/openid-connect.md | 4 ++--
 t/plugin/openid-connect.t                | 4 +++-
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/apisix/plugins/openid-connect.lua 
b/apisix/plugins/openid-connect.lua
index 1f84476d1..9c461671c 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -45,7 +45,7 @@ local schema = {
         },
         ssl_verify = {
             type = "boolean",
-            default = false,
+            default = true,
         },
         timeout = {
             type = "integer",
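Review bot: Flipping `ssl_verify` to `default = true` here, and for `session.redis.ssl_verify` in the second hunk, changes behaviour for every existing route that omits the field. Connections to an OpenID provider or Redis whose certificate does not chain to the configured trust store will now fail, where before the certificate was not checked at all. That is the right secure default, but it deserves an upgrade note rather than a `chore:` label, plus a schema comment such as `-- verified by default; requires a trusted CA bundle that covers the provider's certificate chain`. The English docs table in this same commit appears to put `True` in the Required column and leave Default at `false` for both rows, which disagrees with the schema; the Chinese table shows `否 | true`. The schema table starts and ends outside both hunks.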
@@ -119,7 +119,7 @@ local schema = {
                             description = "enable ssl",
                         },
                         ssl_verify = {
-                            type = "boolean", default = false,
+                            type = "boolean", default = true,
                             description = "verify ssl certificate",
                         },
                         server_name = {
diff --git a/docs/en/latest/plugins/openid-connect.md 
b/docs/en/latest/plugins/openid-connect.md
index cdee06366..38eb83603 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
@@ -50,7 +50,7 @@ The `openid-connect` Plugin supports the integration with 
[OpenID Connect (OIDC)
 | post_logout_redirect_uri             | string   | False    |     |           
   | URL to redirect users to after the `logout_path` receive a request to log 
out. |
 | redirect_uri       | string  | False    |     |              | URI to 
redirect to after authentication with the OpenID provider. Note that the 
redirect URI should not be the same as the request URI, but a sub-path of the 
request URI. For example, if the `uri` of the Route is `/api/v1/*`, 
`redirect_uri` can be configured as `/api/v1/redirect`. If `redirect_uri` is 
not configured, APISIX will append `/.apisix/redirect` to the request URI to 
determine the value for `redirect_uri`. |
 | timeout            | integer  | False    | 3   | [1,...]      | Request 
timeout time in seconds.   |
-| ssl_verify         | boolean  | False    | false                 |           
   | If true, verify the OpenID provider 's SSL certificates.                 |
+| ssl_verify         | boolean  | True    | false                 |            
  | If true, verify the OpenID provider 's SSL certificates.                 |
 | introspection_endpoint               | string   | False    |     |           
   | URL of the [token 
introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint for the 
OpenID provider used to introspect access tokens. If this is unset, the 
introspection endpoint presented in the well-known discovery document is used 
[as a 
fallback](https://github.com/zmartzone/lua-resty-openidc/commit/cdaf824996d2b499de4c72852c91733872137c9c).
                      |
 | introspection_endpoint_auth_method   | string   | False    | 
client_secret_basic |              | Authentication method for the token 
introspection endpoint. The value should be one of the authentication methods 
specified in the `introspection_endpoint_auth_methods_supported` [authorization 
server metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the 
well-known discovery document, such as `client_secret_basic`, 
`client_secret_post`, `private_key_jwt`, and `client_secret [...]
 | token_endpoint_auth_method           | string   | False    |   
client_secret_basic      |              | Authentication method for the token 
endpoint. The value should be one of the authentication methods specified in 
the `token_endpoint_auth_methods_supported` [authorization server 
metadata](https://www.rfc-editor.org/rfc/rfc8414.html) as seen in the 
well-known discovery document, such as `client_secret_basic`, 
`client_secret_post`, `private_key_jwt`, and `client_secret_jwt`. If the c [...]
@@ -76,7 +76,7 @@ The `openid-connect` Plugin supports the integration with 
[OpenID Connect (OIDC)
 | session.redis.database | integer   | False    | 0 |             |   Redis 
database index.    |
 | session.redis.prefix | string   | False    | sessions |             |   
Redis key prefix.    |
 | session.redis.ssl    | boolean   | False    | false |             |   Enable 
SSL for Redis connection.    |
-| session.redis.ssl_verify | boolean   | False    | false |             |   
Verify SSL certificate.    |
+| session.redis.ssl_verify | boolean   | True    | false |             |   
Verify SSL certificate.    |
 | session.redis.server_name | string   | False    |     |             |   
Redis server name for SNI.    |
 | session.redis.connect_timeout | integer   | False    | 1000 |             |  
 Connect timeout in milliseconds.    |
 | session.redis.send_timeout   | integer   | False    | 1000 |             |   
Send timeout in milliseconds.    |
diff --git a/docs/zh/latest/plugins/openid-connect.md 
b/docs/zh/latest/plugins/openid-connect.md
index 33f6499a6..8fff537fc 100644
--- a/docs/zh/latest/plugins/openid-connect.md
+++ b/docs/zh/latest/plugins/openid-connect.md
@@ -50,7 +50,7 @@ description: openid-connect 插件支持与 OpenID Connect (OIDC) 身份提供
 | post_logout_redirect_uri | string | 否 | | | `logout_path` 收到注销请求后将用户重定向到的 
URL。|
 | redirect_uri | string | 否 | | | 通过 OpenID 提供商进行身份验证后重定向到的 URI。请注意,重定向 URI 
不应与请求 URI 相同,而应为请求 URI 的子路径。例如,如果路由的 `uri` 是 `/api/v1/*`,则 `redirect_uri` 可以配置为 
`/api/v1/redirect`。如果未配置 `redirect_uri`,APISIX 将在请求 URI 后附加 `/.apisix/redirect` 
以确定 `redirect_uri` 的值。|
 | timeout | integer | 否 | 3 | [1,...] | 请求超时时间(秒)。|
-| ssl_verify | boolean | 否 | false | | 如果为 true,则验证 OpenID 提供商的 SSL 证书。|
+| ssl_verify | boolean | 否 | true | | 如果为 true,则验证 OpenID 提供商的 SSL 证书。|
 | introspection_endpoint | string | 否 | | |用于自检访问令牌的 OpenID 提供程序的 
[令牌自检](https://datatracker.ietf.org/doc/html/rfc7662) 端点的 
URL。如果未设置,则将使用众所周知的发现文档中提供的自检端点[作为后备](https://github.com/zmartzone/lua-resty-openidc/commit/cdaf824996d2b499de4c72852c91733872137c9c)。|
 | introspection_endpoint_auth_method | string | 否 | client_secret_basic | | 
令牌自检端点的身份验证方法。该值应为 `introspection_endpoint_auth_methods_supported` 
[授权服务器元数据](https://www.rfc-editor.org/rfc/rfc8414.html) 
中指定的身份验证方法之一,如众所周知的发现文档中所示,例如 
`client_secret_basic`、`client_secret_post`、`private_key_jwt` 和 
`client_secret_jwt`。|
 | token_endpoint_auth_method | string | 否 | client_secret_basic | | 
令牌端点的身份验证方法。该值应为 `token_endpoint_auth_methods_supported` 
[授权服务器元数据](https://www.rfc-editor.org/rfc/rfc8414.html) 
中指定的身份验证方法之一,如众所周知的发现文档中所示,例如 
`client_secret_basic`、`client_secret_post`、`private_key_jwt` 和 
`client_secret_jwt`。如果配置的方法不受支持,则回退到 `token_endpoint_auth_methods_supported` 
数组中的第一个方法。|
@@ -76,7 +76,7 @@ description: openid-connect 插件支持与 OpenID Connect (OIDC) 身份提供
 | session.redis.database | integer | 否 | 0 | | Redis 数据库索引。 |
 | session.redis.prefix | string | 否 | sessions | | Redis 键前缀。 |
 | session.redis.ssl    | boolean   | 否    | false |             |   启用 Redis 
SSL 连接。    |
-| session.redis.ssl_verify | boolean   | 否    | false |             |   验证 SSL 
证书。    |
+| session.redis.ssl_verify | boolean   | 否    | true |             |   验证 SSL 
证书。    |
 | session.redis.server_name | string   | 否    |     |             |   Redis 
SNI 服务器名称。    |
 | session.redis.connect_timeout | integer   | 否    | 1000 |             |   
连接超时时间(毫秒)。    |
 | session.redis.send_timeout   | integer   | 否    | 1000 |             |   
发送超时时间(毫秒)。    |
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index 3f3a98387..c018dc977 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -937,7 +937,7 @@ OIDC introspection failed: invalid token
         }
     }
 --- response_body
-{"accept_none_alg":false,"accept_unsupported_alg":true,"access_token_expires_leeway":0,"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_jwt_assertion_expires_in":60,"client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","force_reauthorize":false,"iat_slack":120,"introspection_endpoint_auth_method":"client_secret_basic","in
 [...]
+{"accept_none_alg":false,"accept_unsupported_alg":true,"access_token_expires_leeway":0,"access_token_in_authorization_header":false,"bearer_only":false,"client_id":"kbyuFDidLLm280LIwVFiazOqjO3ty8KH","client_jwt_assertion_expires_in":60,"client_secret":"60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa","discovery":"http://127.0.0.1:1980/.well-known/openid-configuration","force_reauthorize":false,"iat_slack":120,"introspection_endpoint_auth_method":"client_secret_basic","in
 [...]
 
 
 
@@ -1415,6 +1415,7 @@ passed
 
 
 === TEST 36: Check whether auth0 can redirect normally using 
post_logout_redirect_uri configuration
+--- custom_trusted_cert: /etc/ssl/certs/ca-certificates.crt
 --- config
     location /t {
         content_by_lua_block {
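Review bot: The added `--- custom_trusted_cert: /etc/ssl/certs/ca-certificates.crt` in TEST 36, and again in TEST 38 in the next hunk, hard-codes the Debian/Ubuntu bundle location, so these tests will presumably fail on hosts that keep the system CA bundle elsewhere. Consider taking the path from the test harness or an environment variable instead of a literal. None of the visible test changes asserts the new default itself, i.e. that a provider presenting an untrusted certificate is rejected when `ssl_verify` is omitted; a negative case like that would keep the default from silently regressing. Both test blocks continue outside their hunks.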
@@ -1479,6 +1480,7 @@ passed
 
 
 === TEST 38: Check whether google can redirect normally using 
post_logout_redirect_uri configuration
+--- custom_trusted_cert: /etc/ssl/certs/ca-certificates.crt
 --- config
     location /t {
         content_by_lua_block {
