membphis commented on PR #13472:
URL: https://github.com/apache/apisix/pull/13472#issuecomment-4630080669

[P2] The `client_secret` alternatives need to be scoped to the OIDC flow they actually replace.

The final schema-level `anyOf` accepts any of `public_key`, `use_jwks`, `use_pkce`, `introspection_endpoint_auth_method=private_key_jwt`, or `token_endpoint_auth_method=private_key_jwt` as a global replacement for `client_secret`. That is broader than the intended behavior: some alternatives only apply to bearer/local JWT verification, some only to bearer introspection, and some only to the non-bearer token endpoint flow.

For example, a bearer introspection config without `client_secret` can currently pass schema validation if it sets `token_endpoint_auth_method=private_key_jwt`, even though that field is not the auth method used for introspection. Similarly, a non-bearer session flow can be accepted via an alternative that is only meaningful for bearer validation.

Please either restore the mode-aware validation in `check_schema`, or express the condition in JSON Schema with `bearer_only`/flow-specific branches. It would also be good to add negative tests for cross-flow combinations, e.g. `bearer_only=true` + introspection + `token_endpoint_auth_method=private_key_jwt` without `client_secret`, and non-bearer session flow with an introspection-only alternative.
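The mode-aware check the comment asks for, written out as an added example in Python rather than as the plugin's own Lua `check_schema` (this is not APISIX code). The field names are the ones named in the comment; the function name, the error strings, and the exact assignment of each alternative to a flow (`public_key`/`use_jwks` for bearer local verification, `introspection_endpoint_auth_method` for bearer introspection, `use_pkce`/`token_endpoint_auth_method` for the non-bearer session flow) are assumptions made for the illustration.

```python
from typing import Optional, Tuple

# Assumed mapping: key sources that replace client_secret only when the
# bearer token is verified locally (no introspection endpoint configured).
BEARER_LOCAL_ALTERNATIVES = ("public_key", "use_jwks")


def client_secret_alternatives_ok(conf: dict) -> Tuple[bool, Optional[str]]:
    """Return (ok, error) for a plugin config dict.

    A missing client_secret is accepted only when an alternative that is
    meaningful for the selected flow is present, instead of a flat anyOf
    that lets any alternative satisfy any flow.
    """
    if conf.get("client_secret"):
        return True, None

    bearer_only = bool(conf.get("bearer_only", False))
    introspection = bool(conf.get("introspection_endpoint"))

    if bearer_only and introspection:
        # Bearer + introspection: only the introspection endpoint's own
        # auth method replaces the secret; token_endpoint_auth_method
        # belongs to a different call and must not count here.
        if conf.get("introspection_endpoint_auth_method") == "private_key_jwt":
            return True, None
        return False, ("bearer introspection requires client_secret or "
                       "introspection_endpoint_auth_method=private_key_jwt")

    if bearer_only:
        # Bearer + local JWT verification: a key source replaces the secret.
        if any(conf.get(k) for k in BEARER_LOCAL_ALTERNATIVES):
            return True, None
        return False, ("bearer local verification requires client_secret, "
                       "public_key or use_jwks")

    # Non-bearer session flow: only token endpoint alternatives apply;
    # bearer-only key sources or introspection settings do not.
    if conf.get("use_pkce") or conf.get("token_endpoint_auth_method") == "private_key_jwt":
        return True, None
    return False, ("session flow requires client_secret, use_pkce or "
                   "token_endpoint_auth_method=private_key_jwt")
```

The two cross-flow combinations the comment lists as negative-test candidates are rejected by this check, while each alternative is still accepted in the flow it belongs to.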

