shreemaan-abhishek opened a new pull request, #13330: URL: https://github.com/apache/apisix/pull/13330
### Description

The `openid-connect` plugin only set the `X-Access-Token`, `X-Userinfo`, `X-ID-Token`, and `X-Refresh-Token` headers when they were not already present in the incoming request, and it never cleared client-supplied values for these reserved header names at the start of the request. As a result, the headers the upstream received depended on what the client sent rather than purely on what the plugin validated.

This PR makes the behavior consistent:

- At the start of `_M.rewrite`, snapshot the incoming `X-Access-Token` value (it doubles as a bearer-token input via `get_bearer_access_token`) and clear all four reserved headers from the upstream-bound request.
- Update `get_bearer_access_token` to read the snapshot from `ctx` instead of the now-cleared header.
- Simplify `add_access_token_header` to always overwrite when `set_access_token_header` is true, so the upstream consistently sees plugin-controlled values.

A new regression test `t/plugin/openid-connect-identity-headers.t` covers two scenarios:

1. `unauth_action = "pass"` route: client-supplied identity headers do not bleed through to the upstream when the plugin lets the request pass without authentication.
2. `bearer_only = true` route with an embedded RS256 public key: the upstream receives the validated token in `X-Access-Token`, not whatever the client sent.

#### Which issue(s) this PR fixes:

Fixes #

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
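The following pure-Lua sketch is an added example for this page, not the `openid-connect` plugin's own source. It runs the old "fill in only when absent" logic and the new "snapshot, clear, overwrite" logic described above over a constructed request-header table that stands in for `ngx.req.get_headers()`/`ngx.req.set_header()`, and it covers both test scenarios: a request with no bearer token that is allowed through (`unauth_action = "pass"`) and a request whose `Authorization` bearer token differs from a client-supplied `X-Access-Token`. The names `snapshot_and_clear_identity_headers`, `set_identity_headers`, `rewrite_before`, `rewrite_after`, the `ctx.incoming_access_token` field, the `validated` record and `fake_validate` are assumptions made for the illustration; only `get_bearer_access_token` (here simplified to token extraction) and the header names come from the PR text.

```lua
-- Added example, not the plugin's source. A plain table stands in for the
-- ngx.req header API; helper names other than get_bearer_access_token and
-- the ctx field incoming_access_token are assumed for illustration.

local RESERVED_HEADERS = {
    "X-Access-Token", "X-Userinfo", "X-ID-Token", "X-Refresh-Token",
}

-- Before the change: a header is only filled in when the client did not send
-- one, so client-supplied values survive to the upstream.
local function add_header_if_absent(headers, name, value)
    if headers[name] == nil then
        headers[name] = value
    end
end

-- After, step 1: remember the incoming X-Access-Token in ctx (it may carry the
-- bearer token), then strip all four reserved headers before anything else.
local function snapshot_and_clear_identity_headers(headers, ctx)
    ctx.incoming_access_token = headers["X-Access-Token"]
    for _, name in ipairs(RESERVED_HEADERS) do
        headers[name] = nil
    end
end

-- After, step 2: the bearer lookup falls back to the snapshot, never to the
-- header, which has already been cleared. Simplified to extraction only.
local function get_bearer_access_token(headers, ctx)
    local auth = headers["Authorization"]
    if auth then
        local token = auth:match("^[Bb]earer%s+(%S+)$")
        if token then
            return token
        end
    end
    return ctx.incoming_access_token
end

-- After, step 3: always overwrite when set_access_token_header is on, so the
-- upstream only sees the value the plugin validated.
local function set_identity_headers(headers, conf, validated)
    if conf.set_access_token_header then
        headers["X-Access-Token"] = validated.access_token
    end
    if conf.set_userinfo_header and validated.userinfo then
        headers["X-Userinfo"] = validated.userinfo
    end
end

-- Old rewrite path: no clearing, fill-if-absent.
local function rewrite_before(headers, conf, validated)
    if validated then
        if conf.set_access_token_header then
            add_header_if_absent(headers, "X-Access-Token", validated.access_token)
        end
        if conf.set_userinfo_header and validated.userinfo then
            add_header_if_absent(headers, "X-Userinfo", validated.userinfo)
        end
    end
    return headers
end

-- New rewrite path: clear first; with no token the request passes on
-- (unauth_action = "pass") but the reserved headers are already gone.
local function rewrite_after(headers, conf, validate)
    local ctx = {}
    snapshot_and_clear_identity_headers(headers, ctx)
    local token = get_bearer_access_token(headers, ctx)
    if not token then
        return headers
    end
    local validated = validate(token)   -- stands in for JWT/introspection
    if validated then
        set_identity_headers(headers, conf, validated)
    end
    return headers
end

-- Constructed inputs. fake_validate accepts only "valid-token"; the spoofed
-- X-Userinfo is base64 of {"sub":"admin"}, a forged value for the demo.
local conf = { set_access_token_header = true, set_userinfo_header = false }
local function fake_validate(token)
    if token == "valid-token" then
        return { access_token = token, userinfo = nil }
    end
    return nil
end
local function pass_request()          -- scenario 1: no token, forged headers
    return { ["X-Userinfo"] = "eyJzdWIiOiJhZG1pbiJ9", ["X-ID-Token"] = "forged" }
end
local function bearer_request()        -- scenario 2: bearer vs spoofed header
    return { ["Authorization"] = "Bearer valid-token",
             ["X-Access-Token"] = "spoofed-token", ["X-Userinfo"] = "forged" }
end

for label, mk in pairs({ pass = pass_request, bearer = bearer_request }) do
    local before = rewrite_before(mk(), conf, fake_validate(get_bearer_access_token(mk(), {})))
    local after = rewrite_after(mk(), conf, fake_validate)
    for _, name in ipairs(RESERVED_HEADERS) do
        print(string.format("%-7s %-16s before=%-22s after=%s",
            label, name, tostring(before[name]), tostring(after[name])))
    end
end
```

Run with any Lua 5.x interpreter. In the `pass` case the old path forwards the forged `X-Userinfo` and `X-ID-Token` unchanged while the new path forwards none of the four headers; in the `bearer` case the old path keeps the client's `spoofed-token` in `X-Access-Token` because the header was already present, while the new path replaces it with `valid-token`, the value that came through the bearer lookup and validation.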
