AlinsRan commented on PR #13472:
URL: https://github.com/apache/apisix/pull/13472#issuecomment-4630227212

@membphis Thanks for catching this. You're right that the global `anyOf` was too broad — it accepted cross-flow combinations where the alternative does not apply to the actual flow.

I've reverted the schema-level `anyOf` and restored the mode-aware validation in `check_schema`, scoping each exemption to its flow:
- `bearer_only=true`: exempt only via `public_key`/`use_jwks` (local JWT verification) or `introspection_endpoint_auth_method=private_key_jwt` (introspection auth)
- non-bearer (session/callback): exempt only via `token_endpoint_auth_method=private_key_jwt` or `use_pkce`

Also added negative tests for the cross-flow cases you mentioned:
- `bearer_only=true` + introspection + `token_endpoint_auth_method=private_key_jwt` without `client_secret` → now rejected
- non-bearer session flow with a bearer-only alternative (introspection `private_key_jwt`) without `client_secret` → now rejected

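The flow-scoped `client_secret` rule described in the comment above, as an added Python model for illustration (this is not the plugin's own Lua `check_schema`; the option names are the ones named in the comment, and the error message text is assumed):

```python
# Added model of the mode-aware client_secret check discussed in the PR comment.
# Not the apisix openid-connect plugin's own code; option names follow the
# comment, the rejection message is an assumption.

def client_secret_required(conf: dict) -> bool:
    """Return True when this configuration must carry a client_secret.

    Each exemption is scoped to the flow actually in use, so an alternative
    that only applies to the other flow does not lift the requirement.
    """
    if conf.get("bearer_only"):
        # Bearer-only flow: the secret is unnecessary only when tokens are
        # verified locally (public_key / use_jwks) or the introspection call
        # itself authenticates with private_key_jwt.
        local_verification = bool(conf.get("public_key") or conf.get("use_jwks"))
        introspection_pkj = (
            conf.get("introspection_endpoint_auth_method") == "private_key_jwt"
        )
        return not (local_verification or introspection_pkj)

    # Session/callback flow: only token-endpoint alternatives apply here;
    # a private_key_jwt setting on the introspection endpoint is irrelevant.
    token_pkj = conf.get("token_endpoint_auth_method") == "private_key_jwt"
    return not (token_pkj or bool(conf.get("use_pkce")))


def check_schema(conf: dict):
    """Schema-style check: returns (ok, message) like a plugin check_schema."""
    if client_secret_required(conf) and not conf.get("client_secret"):
        return False, "client_secret is required for the configured flow"
    return True, None


# Constructed sample configurations: the two cross-flow cases from the comment,
# which must be rejected, beside the legitimately exempt ones.
CROSS_FLOW_BEARER = {
    "bearer_only": True,
    "introspection_endpoint": "https://idp.example/introspect",  # constructed
    "token_endpoint_auth_method": "private_key_jwt",
}
CROSS_FLOW_SESSION = {
    "bearer_only": False,
    "introspection_endpoint_auth_method": "private_key_jwt",
}
```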