AlinsRan opened a new pull request, #13472:
URL: https://github.com/apache/apisix/pull/13472

   ## Background
   
   Closes #10563
   Closes #13397
   
   In service-to-service scenarios where the gateway only validates an incoming 
Bearer token locally (via a configured public key or JWKS endpoint), 
`client_secret` plays no role — no call is made to the IdP's token or 
introspection endpoint. However, the plugin currently requires `client_secret` 
unconditionally, forcing users to supply a dummy value as a workaround.
   
   ## Changes
   
   ### `apisix/plugins/openid-connect.lua`
   
   - Remove `client_secret` from the schema's `required` array.
   - Add conditional enforcement in `check_schema`: `client_secret` is still 
required for all flows that need it (session/callback flow, introspection), but 
is now optional when:
     - `bearer_only=true` + `public_key`: local JWT verification with a 
configured public key
     - `bearer_only=true` + `use_jwks=true`: local JWT verification via JWKS 
endpoint
     - `token_endpoint_auth_method=private_key_jwt`: RSA private key replaces 
`client_secret`
     - `use_pkce=true` (non-bearer): public-client PKCE flow
   
   - Fix `claim_schema` not being enforced in the bearer-token path (#13397): 
the schema is now applied directly to the flat JWT payload / introspection 
response in the bearer branch.
   
   ### `t/plugin/openid-connect.t`
   
   Add TEST 42–47 covering:
   - `bearer_only=true` + `public_key` → no `client_secret` required
   - `bearer_only=true` + `use_jwks=true` → no `client_secret` required
   - `bearer_only=true` + introspection endpoint (no local key) → 
`client_secret` still required
   - `token_endpoint_auth_method=private_key_jwt` → no `client_secret` required
   - `use_pkce=true` → no `client_secret` required
   - Session flow without special auth method → `client_secret` still required
   
   ## Backward Compatibility
   
   All existing configurations remain valid. The change only relaxes the 
requirement for specific scenarios; any config that previously worked continues 
to work unchanged.
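The conditional `client_secret` rule described above, written out as a small stand-alone Lua check (an added example, not the PR's code and not APISIX's `check_schema`; the function names and the sample configurations are constructed for illustration). It walks the same six cases the new tests cover and confirms that only the two flows that still need a client credential reject a missing secret:

```lua
-- Added example: when is client_secret optional in the openid-connect plugin?
-- Mirrors the four relaxations listed in the PR description; not the plugin's code.

local function client_secret_optional(conf)
    -- bearer_only + local key material: the token is verified locally and the
    -- IdP's token/introspection endpoint is never called, so no secret is needed
    if conf.bearer_only and (conf.public_key or conf.use_jwks) then
        return true
    end
    -- private_key_jwt authenticates to the token endpoint with an RSA-signed JWT
    if conf.token_endpoint_auth_method == "private_key_jwt" then
        return true
    end
    -- PKCE public-client flow (non-bearer): no client credential exists at all
    if conf.use_pkce and not conf.bearer_only then
        return true
    end
    return false
end

-- Hypothetical equivalent of the conditional enforcement added to check_schema
local function check_client_secret(conf)
    if conf.client_secret or client_secret_optional(conf) then
        return true
    end
    return false, "client_secret is required for this configuration"
end

-- Constructed sample configurations, one per case in the PR's TEST 42-47 list
local cases = {
    {name = "bearer_only + public_key",
     conf = {bearer_only = true, public_key = "<constructed PEM placeholder>"}, ok = true},
    {name = "bearer_only + use_jwks",
     conf = {bearer_only = true, use_jwks = true}, ok = true},
    {name = "bearer_only + introspection, no local key",
     conf = {bearer_only = true, introspection_endpoint = "https://idp.example/introspect"}, ok = false},
    {name = "private_key_jwt",
     conf = {token_endpoint_auth_method = "private_key_jwt"}, ok = true},
    {name = "use_pkce",
     conf = {use_pkce = true}, ok = true},
    {name = "session flow, default auth method",
     conf = {bearer_only = false}, ok = false},
}

for _, c in ipairs(cases) do
    local ok, err = check_client_secret(c.conf)
    assert(ok == c.ok, c.name .. ": unexpected result " .. tostring(err))
    print(string.format("%-45s client_secret required: %s", c.name, tostring(not ok)))
end
```

Running it with any Lua 5.x interpreter prints one line per case; the two `ok = false` cases are the ones where the gateway still has to present a client credential to the IdP.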

