ronnybremer commented on issue #13440:
URL: https://github.com/apache/apisix/issues/13440#issuecomment-4555219169

   Done that, here seems to be the reply received from the user_info endpoint:
   ```
   2026/05/27 13:49:44 [debug] 57#57: *27775 [lua] openidc.lua:636: call_userinfo_endpoint(): userinfo response: {"sub":"df538330-2b18-4d70-b5c2-c38bdb6e330c","memberGUID":"df538330-2b18-4d70-b5c2-c38bdb6e330c","name":"Testuser One","role":"DefaultUser","roles":[]}
   ```
   
   So `roles` is still an array at that point. However, it arrives at the web browser as:
   ```
   {"sub":"df538330-2b18-4d70-b5c2-c38bdb6e330c","memberGUID":"df538330-2b18-4d70-b5c2-c38bdb6e330c","name":"Testuser One","roles":{},"role":"DefaultUser"}
   ```
   
   My environment:
   Running APISIX as an ingress controller in a Kubernetes cluster.
   
   OpenID Connect plugin config:
   ```yaml
     plugins:
     - name: openid-connect
       enable: true
       config:
         client_id: *redacted*
         client_secret: *redacted*
         scope: "openid offline_access"
         use_nonce: true
         use_pkce: true
         use_jwks: true
         timeout: 10
         discovery: https://idp/.well-known/openid-configuration
         token_endpoint_auth_method: client_secret_post
         redirect_uri: https://portal/.apisix/redirect
         logout_path: /.apisix/logout
         post_logout_redirect_uri: https://idp/logout
         introspection_endpoint: https://idp/token_info
         bearer_only: false
         session.cookie.lifetime: 600
         set_access_token_header: true
         access_token_in_authorization_header: true
         realm: SAD-S
         session:
           secret: *redacted*
         unauth_action: auth
     - name: response-rewrite
       enable: true
       config:
         headers:
           X-Userinfo: $http_x_userinfo
   ```
   
   The route is in front of the portal web server, the IDP is configured for authorization code workflow. Token will be stored in the session cookie (I know it makes the cookie large, so I might change that to Redis in the future).
   
   Thank you for your help!
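
A service that makes authorization decisions on `roles` can catch this kind of change by comparing JSON types claim by claim between what the IdP returned and what was forwarded. The Python check below is an added example, not part of the original comment or of APISIX; it runs on the two payloads quoted in the comment, and the function names `json_type`, `type_drift` and `compare` are hypothetical.

```python
import json

# The two payloads quoted in the comment above.
UPSTREAM = ('{"sub":"df538330-2b18-4d70-b5c2-c38bdb6e330c",'
            '"memberGUID":"df538330-2b18-4d70-b5c2-c38bdb6e330c",'
            '"name":"Testuser One","role":"DefaultUser","roles":[]}')
FORWARDED = ('{"sub":"df538330-2b18-4d70-b5c2-c38bdb6e330c",'
             '"memberGUID":"df538330-2b18-4d70-b5c2-c38bdb6e330c",'
             '"name":"Testuser One","roles":{},"role":"DefaultUser"}')


def json_type(value):
    """Return the JSON type name of a decoded value."""
    if isinstance(value, bool):  # bool first: it is a subclass of int
        return "boolean"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    return "array" if isinstance(value, list) else "object"


def type_drift(upstream, forwarded, path=""):
    """Yield (path, upstream_type, forwarded_type) where the types disagree."""
    up_t, fw_t = json_type(upstream), json_type(forwarded)
    if up_t != fw_t:
        yield (path or "$", up_t, fw_t)
    elif up_t == "object":
        for key in sorted(set(upstream) | set(forwarded)):
            child = f"{path}.{key}" if path else key
            if key not in upstream:
                yield (child, "missing", json_type(forwarded[key]))
            elif key not in forwarded:
                yield (child, json_type(upstream[key]), "missing")
            else:
                yield from type_drift(upstream[key], forwarded[key], child)
    elif up_t == "array":
        for i, (u, f) in enumerate(zip(upstream, forwarded)):
            yield from type_drift(u, f, f"{path}[{i}]")


def compare(upstream_json, forwarded_json):
    """Decode both documents and list every claim whose JSON type changed."""
    return list(type_drift(json.loads(upstream_json), json.loads(forwarded_json)))


if __name__ == "__main__":
    for path, before, after in compare(UPSTREAM, FORWARDED):
        print(f"{path}: {before} -> {after}")
```

Key order is ignored, so the only difference reported for these payloads is the `roles` claim changing from an array to an object.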

