mikyll opened a new issue, #13279: URL: https://github.com/apache/apisix/issues/13279
### Description

### TL;DR

Introduce a `hide_credentials` attribute to `openid-connect`.

### Problem

The `openid-connect` plugin currently forwards the incoming `Authorization` / `X-Access-Token` header to the upstream unchanged, after validating the bearer token. This often unnecessarily exposes the access token to backend services, both violating the principle of least privilege and widening the blast radius of a compromised upstream 👀

### Feature Request

Add a `hide_credentials` attribute (set to `false` by default) to the `openid-connect` plugin, mirroring the behaviour already supported by other `*-auth` plugins. When `hide_credentials = true`, after the token is extracted and validated, the plugin would clear the **source** header before the request is proxied upstream.

### Notes/Considerations

- How would this integrate with `set_access_token_header` (set to `true` by default)? In my opinion, they should be independent: `hide_credentials` hides the original header, `set_access_token_header` adds "back" the token to the `X-Access-Token` header (or `Authorization` if `access_token_in_authorization_header = true`), if `set_access_token_header = true`.
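The header handling proposed in this issue, as an added model written for this page (not APISIX plugin code): the token is taken from `Authorization: Bearer ...` or `X-Access-Token`, the source header is dropped when `hide_credentials` is on, and `set_access_token_header` / `access_token_in_authorization_header` independently decide whether and where the token is re-added for the upstream. Header names are assumed to be already canonicalised and token validation is assumed to have succeeded before this step.

```python
from typing import Dict, Optional, Tuple

# Constructed request headers used by the sample run below.
SAMPLE_HEADERS = {"Host": "api.example.test", "Authorization": "Bearer tok-123"}


def extract_token(headers: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, source_header_name); (None, None) if no token is present."""
    auth = headers.get("Authorization")
    if auth and auth.lower().startswith("bearer "):
        return auth[len("bearer "):].strip(), "Authorization"
    xat = headers.get("X-Access-Token")
    if xat:
        return xat, "X-Access-Token"
    return None, None


def upstream_headers(
    headers: Dict[str, str],
    hide_credentials: bool = False,           # proposed option, default false
    set_access_token_header: bool = True,     # existing option, default true
    access_token_in_authorization_header: bool = False,
) -> Dict[str, str]:
    """Model of the proposed semantics: hide first, then re-add independently."""
    out = dict(headers)
    token, source = extract_token(headers)
    if token is None:
        return out  # no bearer token; the real plugin rejects or redirects here

    # Step 1 (hide_credentials): clear the header the token came from.
    if hide_credentials:
        del out[source]

    # Step 2 (set_access_token_header): add the validated token back for the upstream.
    if set_access_token_header:
        if access_token_in_authorization_header:
            out["Authorization"] = "Bearer " + token
        else:
            out["X-Access-Token"] = token
    return out


if __name__ == "__main__":
    # Least-privilege configuration: upstream never sees the client's credential.
    print(upstream_headers(SAMPLE_HEADERS, hide_credentials=True, set_access_token_header=False))
```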
