kevinlzw commented on code in PR #13649:
URL: https://github.com/apache/apisix/pull/13649#discussion_r3520719404


##########
apisix/plugins/openid-connect.lua:
##########
@@ -298,6 +317,60 @@ local schema = {
             type = "boolean",
             default = false
         },
+        par = {
+            description = "Pushed Authorization Requests (PAR) configuration.",
+            type = "object",
+            properties = {
+                enabled = {
+                    description = "When true, use Pushed Authorization 
Requests (PAR).",
+                    type = "boolean",
+                    default = false,
+                },
+                endpoint = {
+                    description = "URL of the Pushed Authorization Requests 
endpoint.",
+                    type = "string",
+                },
+                endpoint_auth_method = {
+                    description = "Authentication method for the PAR 
endpoint.",
+                    type = "string",
+                },
+            },
+            additionalProperties = false,
+        },
+        dpop = {
+            description = "Demonstrating Proof-of-Possession (DPoP) 
configuration.",
+            type = "object",
+            properties = {
+                enabled = {
+                    description = "When true, use DPoP proof JWTs.",
+                    type = "boolean",
+                    default = false,
+                },
+                signing_alg = {
+                    description = "DPoP proof JWT signing algorithm.",
+                    type = "string",
+                    enum = {"ES256", "RS256", "PS256"},
+                    default = "ES256",
+                },
+                private_key = {
+                    description = "Private key used to sign DPoP proof JWTs.",
+                    type = "string",
+                },
+                public_jwk = {
+                    description = "Public JWK matching dpop.private_key.",
+                    type = "object",

Review Comment:
   Thanks for the detailed catch. I added the schema-side rejection for private 
JWK members (`d`, `p`, `q`, `dp`, `dq`, `qi`, `oth`, and `k`) under 
`dpop.public_jwk`, so complete/private JWKs now fail `check_schema` before 
anything can be persisted in etcd. I also added a regression case that verifies 
a JWK containing `d` is rejected.



##########
apisix/plugins/openid-connect.lua:
##########
@@ -52,6 +52,25 @@ local function build_session_opts(session_conf)
 end
 
 
+local function flatten_openidc_options(conf)

Review Comment:
   Thanks, that makes sense. I added a Test::Nginx runtime block with a fake 
discovery document and a fake PAR endpoint, then configured the plugin through 
the Admin API and hit the route to exercise the actual flattening path. The 
test now parses the final authorize redirect and asserts the query shape 
exactly: only `client_id` and `request_uri` are present, while `scope`, 
`state`, `response_type`, and `redirect_uri` are absent.



##########
t/plugin/openid-connect.t:
##########
@@ -152,23 +155,22 @@ passed
 
 
 
-=== TEST 5: verify encrypted field
+=== TEST 5: verify encrypted fields
 --- config
     location /t {
         content_by_lua_block {
-            local json = require("toolkit.json")
-            local t = require("lib.test_admin").test
-
-
-            -- get plugin conf from etcd, client_rsa_private_key is encrypted
+            -- get plugin conf from etcd, private key fields are encrypted
             local etcd = require("apisix.core.etcd")
             local res = assert(etcd.get('/routes/1'))
-            
ngx.say(res.body.node.value.plugins["openid-connect"].client_rsa_private_key)
+            local conf = res.body.node.value.plugins["openid-connect"]
+            ngx.say(conf.client_rsa_private_key ~= 
"89ae4c8edadf1cd1c9f034335f136f87ad84b625c8f1")
+            ngx.say(conf.dpop.private_key ~= "dpop-private-key")

Review Comment:
   Good point. I updated the assertions to require the stored values to be 
strings before comparing them with the plaintext values, so a missing/nil value 
no longer passes as encrypted. I kept it value-agnostic rather than pinning the 
deterministic ciphertext, to avoid making the test depend on the exact 
encrypted blob.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to