shreemaan-abhishek opened a new issue, #13397:
URL: https://github.com/apache/apisix/issues/13397
### Description
The `openid-connect` plugin enforces the `claim_schema` option only in the
session/callback authentication path, not in the bearer-token path.
`claim_schema` is validated by `validate_claims_in_oidcauth_response()` in
`apisix/plugins/openid-connect.lua`, and that function has a single call site,
inside the `openidc.authenticate()` branch (session/browser flow). The bearer
branch that handles `bearer_only` / `introspection_endpoint` / `public_key` /
`use_jwks` never calls it.
As a result, when a route accepts both authentication modes and a
`claim_schema` is configured:
- requests authenticated via the session/callback flow are checked against
`claim_schema`
- requests authenticated via a bearer token are not checked against
`claim_schema`
### Why it happens
`claim_schema` was added together with the OIDC claim validator (#11824) and
was wired into the session-flow response, which is the structured object `{
user, access_token, id_token }` returned by `openidc.authenticate()`. The
bearer/introspection/JWKS path returns a flat introspection or JWT payload with
a different shape (no `id_token`, no `user` wrapper), so it was never routed
through the same validation function.
### Expected behavior
The behavior of `claim_schema` across the two authentication paths should be
consistent and clearly documented. Either:
1. apply an equivalent claim validation step to the
bearer/introspection/JWKS path, or
2. document explicitly that `claim_schema` applies only to the
session/callback flow.
If option 1 is chosen, note that the bearer-path response has a different
structure than the session-flow response, so the validation object for bearer
mode would need to be built accordingly (and the per-flow key differences
documented).
### Steps to reproduce
1. Configure a route with the `openid-connect` plugin, `bearer_only: false`,
an `introspection_endpoint`, and a `claim_schema`.
2. Access the route without credentials and complete the browser login flow:
the response is checked against `claim_schema`.
3. Access the same route with an `Authorization: Bearer <token>` header: the
response is not checked against `claim_schema`.
### Environment
- APISIX version: present since 3.14.0 (the release that first carried
#11824); reproducible on current master.
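Added illustration of option 1 from the issue (not APISIX code, and not the `openid-connect.lua` plugin's own validator): normalise both response shapes described above into one flat claims object and run the same `claim_schema` check on each path. It assumes the session flow's claims live in the `user` and `id_token` objects and the bearer path yields a flat payload; the schema subset it checks (`required`, `properties.type`, `properties.enum`) is a stand-in for the plugin's JSON-schema validator.

```python
# Added example, not from apisix. Assumption: session-flow claims come from
# `user` + `id_token`; bearer-flow claims are the flat introspection/JWT payload.

# Minimal subset of JSON-schema keywords (the real plugin uses a full validator).
_TYPES = {"string": str, "integer": int, "boolean": bool,
          "array": list, "object": dict}

def check_claims(claims, claim_schema):
    """Return (ok, reason) for a flat claims dict checked against claim_schema."""
    for key in claim_schema.get("required", []):
        if key not in claims:
            return False, f"missing required claim '{key}'"
    for key, rule in claim_schema.get("properties", {}).items():
        if key not in claims:
            continue
        want = _TYPES.get(rule.get("type"))
        if want is not None and not isinstance(claims[key], want):
            return False, f"claim '{key}' is not of type {rule['type']}"
        if "enum" in rule and claims[key] not in rule["enum"]:
            return False, f"claim '{key}' not in allowed values"
    return True, "ok"

def claims_from_response(flow, response):
    """Build one flat claims dict from either flow's response.
    'session': {user, access_token, id_token} as returned by openidc.authenticate()
    'bearer':  flat introspection or JWT payload (assumed shape)"""
    if flow == "session":
        claims = dict(response.get("id_token") or {})
        claims.update(response.get("user") or {})   # userinfo claims win on conflict
        return claims
    if flow == "bearer":
        return dict(response)
    raise ValueError(f"unknown flow {flow!r}")

def authorize(flow, response, claim_schema):
    """Same schema check for both paths; this is the step the bearer branch lacks."""
    return check_claims(claims_from_response(flow, response), claim_schema)

# Constructed sample data (not real tokens).
CLAIM_SCHEMA = {"required": ["sub", "roles"],
                "properties": {"roles": {"type": "array"}, "aud": {"type": "string"}}}
SESSION_RESP = {"user": {"sub": "u1", "roles": ["admin"]}, "access_token": "at",
                "id_token": {"sub": "u1", "aud": "apisix"}}
BEARER_RESP = {"active": True, "sub": "u1", "aud": "apisix"}   # no `roles` claim

if __name__ == "__main__":
    print("session:", authorize("session", SESSION_RESP, CLAIM_SCHEMA))
    print("bearer: ", authorize("bearer", BEARER_RESP, CLAIM_SCHEMA))
```

With the check applied on both paths, the constructed bearer payload is rejected for the missing `roles` claim, where the current plugin would let it through.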