PiyushMishra318 commented on PR #13038:
URL: https://github.com/apache/apisix/pull/13038#issuecomment-4552438712
Hi @Baoyuantop
### Proposed approach for multi-issuer OIDC routing
Based on your feedback, I've moved all logic out of core/ctx.lua and into
the openid-connect plugin itself. No changes to the core routing layer.
### What it does
Adds an optional realms array to the plugin config. Each entry maps an OIDC
issuer to its own discovery, client_id, and client_secret. On each request, the
plugin does a lightweight unsigned base64 decode of the bearer token payload to
extract the iss claim, finds the matching realm, and proceeds with standard
OIDC validation using that realm's credentials. Unrecognized issuers return a
plain 401.
Single-issuer configs are completely unchanged — realms is opt-in.
### Example config
```yaml
plugins:
  openid-connect:
    bearer_only: true
    realms:
      - issuer: "https://idp.example.com/realms/tenantA"
        discovery: "https://idp.example.com/realms/tenantA/.well-known/openid-configuration"
        client_id: "client-a"
        client_secret: "secret-a"
      - issuer: "https://idp.example.com/realms/tenantB"
        discovery: "https://idp.example.com/realms/tenantB/.well-known/openid-configuration"
        client_id: "client-b"
        client_secret: "secret-b"
```
### What changes
1. apisix/plugins/openid-connect.lua only — schema + logic
2. Issuer matching is exact string only (no wildcards/regex)
3. Per-realm config is minimal (discovery, client_id, client_secret) —
top-level flags like use_jwks, bearer_only, public_key apply globally. This
scope can be expanded in a follow-up if needed.
4. lua-resty-openidc has no built-in multi-issuer support, so the realm
selection happens before the library is called.
Does this approach align with what you had in mind? Happy to adjust before
pushing the full implementation.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
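As an added illustration of the realm-selection flow described in the comment above (this is example code, not code from the PR, from APISIX or from lua-resty-openidc): peek at the unverified token payload for `iss`, pick a realm by exact string match, and only then validate the token with that realm's credentials. The HS256 HMAC check, the `mint_token` helper, the `REALMS` table and its keys are all constructed stand-ins for the real discovery/JWKS validation the plugin would delegate to the library.

```python
import base64
import hashlib
import hmac
import json

ISS_A = "https://idp.example.com/realms/tenantA"
ISS_B = "https://idp.example.com/realms/tenantB"

# Constructed realm table mirroring the YAML shape in the comment.
# "secret" is a per-realm HMAC key used only by this example's HS256
# stand-in check; the real plugin validates against each realm's
# discovery document / JWKS via lua-resty-openidc (assumption).
REALMS = {
    ISS_A: {"client_id": "client-a", "secret": b"hmac-key-a"},
    ISS_B: {"client_id": "client-b", "secret": b"hmac-key-b"},
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode((s + "=" * (-len(s) % 4)).encode("ascii"))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def peek_issuer(token: str):
    """Return the *unverified* `iss` claim, or None if the token is malformed.

    This is a routing hint only. Nothing read here is trusted until the
    signature has been checked with the credentials of the selected realm.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad JSON
        return None
    iss = payload.get("iss") if isinstance(payload, dict) else None
    return iss if isinstance(iss, str) else None


def select_realm(realms, iss):
    """Exact string match only, as proposed: no prefix, wildcard or regex."""
    return realms.get(iss) if iss is not None else None


def verify_hs256(token: str, key: bytes):
    """Example stand-in for the realm-scoped validation step (HS256).

    Returns the verified claims, or None when the signature does not match
    the key of the realm that was selected from the peeked issuer.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def authenticate(token: str, realms=REALMS):
    """Return (status, claims): 200 on success, 401 otherwise.

    401 covers a malformed token, an issuer with no configured realm,
    a signature that fails under the selected realm's key, and a verified
    issuer that differs from the one used to pick the realm.
    """
    iss = peek_issuer(token)
    realm = select_realm(realms, iss)
    if realm is None:
        return 401, None
    claims = verify_hs256(token, realm["secret"])
    # Belt and braces: the issuer in the verified claims must be the realm
    # whose credentials were used. Trivially true here, but worth asserting
    # when a library returns its own decoded claims.
    if claims is None or claims.get("iss") != iss:
        return 401, None
    return 200, claims


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Construct a test token for the example (not how a real IdP signs)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    good = mint_token({"iss": ISS_A, "sub": "alice"}, b"hmac-key-a")
    print(authenticate(good))
    # Token claims tenantA but was signed with tenantB's key: only tenantA's
    # credentials are tried, so it is rejected rather than falling through.
    print(authenticate(mint_token({"iss": ISS_A, "sub": "mallory"}, b"hmac-key-b")))
    # Trailing slash is a different string under exact matching.
    print(authenticate(mint_token({"iss": ISS_A + "/", "sub": "bob"}, b"hmac-key-a")))
```

The point worth keeping in mind when reviewing the real implementation is the same one this sketch makes: the unsigned peek decides only which realm's credentials are tried, so a token that names tenantA but carries tenantB's signature fails under tenantA's key, and an issuer string that does not match any realm exactly gets a 401 instead of a fallback to some default realm.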