nic-6443 opened a new pull request, #13524: URL: https://github.com/apache/apisix/pull/13524
### Description When `introspection_endpoint_auth_method` is `client_secret_basic` (the default), the token introspection request sends the client credentials twice: once in the `Authorization: Basic` header and once more as `client_id`/`client_secret` in the POST body. RFC 6749 Section 2.3.1 says the client must not use more than one authentication mechanism per request, so strict authorization servers reject the introspection call with `invalid_client` and every bearer-token request through the route fails with 401 — with the default plugin config. The root cause is in lua-resty-openidc 1.8.0: `introspect()` unconditionally copies `client_id`/`client_secret` into the request body, and `call_token_endpoint()` then adds the Basic header for `client_secret_basic` without removing the body copies. There is an upstream issue (zmartzone/lua-resty-openidc#556), but it has been open for a while with no release containing a fix, so this patches it on the APISIX side without forking the library. The fix extends the existing `http_request_decorator` hook usage in the plugin's introspection path: when the auth method is `client_secret_basic`, the decorator strips `client_id`/`client_secret` from the urlencoded request body before the request is sent. Scoping notes: - The decorator is set right before `openidc.introspect()` and cleared right after it returns (existing behavior), so it only affects the introspection call, not the token-endpoint calls of the authorization code flow. - Within `openidc.introspect()`, the decorator can also see a body-less discovery GET (when `introspection_endpoint` is not set explicitly), hence the `req.body` guard. - `client_secret_post`, `private_key_jwt` and `client_secret_jwt` are untouched: stripping only happens for `client_secret_basic`, where the credentials are already carried by the Basic header. The new test file `t/plugin/openid-connect11.t` uses a mock introspection endpoint that behaves like a strict authorization server (rejects requests carrying credentials in both the header and the body) and covers `client_secret_basic` (default and explicit, with and without `introspection_addon_headers`) as well as `client_secret_post`, which must keep sending body credentials. #### Which issue(s) this PR fixes: Fixes #13085 ### Checklist - [x] I have explained the need for this PR and the problem it solves - [x] I have explained the changes or the new features added to this PR - [x] I have added tests corresponding to this change - [x] I have updated the documentation to reflect this change - [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
