bzp2010 commented on issue #5834: URL: https://github.com/apache/apisix/issues/5834#issuecomment-997328733
Enable this plugin on the route. When the user request arrives, APISIX looks for the session in the request; if it cannot find one, it redirects to the OIDC authentication address (where the default value of redirect_uri is the path of the current request). When authentication is completed, the user is sent back to the original request address carrying the code and state. APISIX then sends the code and other information to the token endpoint to get the token, after which it caches the token and its expiration time in the memory cache and releases the legitimate request.

When a user holds a token that is not yet cached in APISIX, APISIX sends a request to the introspection endpoint to get information about the token and confirm its validity.

Therefore, you don't need to do anything with the code. After the user returns from the OIDC authentication service, the user will visit an address such as `xxx.com/xxx?code=xxx&state=xxx`, and APISIX will automatically handle the subsequent steps, such as exchanging the code for tokens.
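The flow described in the comment above, as an added example that is not part of the original thread and is not APISIX or lua-resty-openidc code: a toy gateway in front of a constructed in-memory OIDC provider, showing the four decisions the comment lists (existing session released, missing session redirected with redirect_uri defaulting to the current path, `?code=&state=` callback exchanged at the token endpoint and cached, bearer token introspected once and then served from cache). The request and response shapes, the `FakeClock`, the 300-second token lifetime and the provider's methods are all assumptions made for the example; the state check on the callback and the single-use code are the caveats a practitioner would expect a real deployment to enforce.

```python
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

TOKEN_TTL = 300  # seconds; assumption for the constructed provider


class FakeClock:
    """Injectable clock so expiry can be exercised deterministically."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class MockProvider:
    """Constructed stand-in for the provider's authorization, token and introspection endpoints."""
    def __init__(self, clock):
        self.clock = clock
        self.codes = {}   # one-time authorization code -> subject
        self.tokens = {}  # access token -> (subject, expiry)

    def authorize(self, redirect_uri, state, subject):
        # The provider sends the browser back to redirect_uri carrying code and state.
        code = secrets.token_urlsafe(16)
        self.codes[code] = subject
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def issue_token(self, subject):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (subject, self.clock() + TOKEN_TTL)
        # "sub" stands in for the id_token claims a real token response would carry.
        return {"access_token": token, "expires_in": TOKEN_TTL, "sub": subject}

    def token_endpoint(self, code):
        subject = self.codes.pop(code, None)  # codes are single-use; a replay is refused
        return None if subject is None else self.issue_token(subject)

    def introspect(self, token):
        entry = self.tokens.get(token)
        if entry is None or entry[1] <= self.clock():
            return {"active": False}
        return {"active": True, "sub": entry[0], "exp": entry[1]}


class Gateway:
    """Toy model of the plugin's per-request decision; not the real plugin logic."""
    def __init__(self, provider, clock):
        self.provider = provider
        self.clock = clock
        self.sessions = {}     # session cookie -> (subject, expiry)
        self.pending = {}      # state -> original URL awaiting its callback
        self.token_cache = {}  # bearer token -> (subject, expiry) learned by introspection

    def handle(self, url, cookie=None, bearer=None):
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if bearer is not None:                        # API client already holding a token
            return self._check_bearer(bearer)
        if "code" in query and "state" in query:      # callback: xxx.com/xxx?code=...&state=...
            return self._callback(query)
        session = self.sessions.get(cookie)
        if session and session[1] > self.clock():     # valid session: release the request
            return {"status": 200, "subject": session[0]}
        state = secrets.token_urlsafe(16)             # no session: start the login
        self.pending[state] = url
        redirect_uri = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
        return {"status": 302, "redirect_uri": redirect_uri, "state": state}

    def _check_bearer(self, token):
        cached = self.token_cache.get(token)
        if cached is None or cached[1] <= self.clock():   # not cached (or stale): introspect
            info = self.provider.introspect(token)
            if not info["active"]:
                self.token_cache.pop(token, None)
                return {"status": 401}
            cached = (info["sub"], info["exp"])
            self.token_cache[token] = cached
        return {"status": 200, "subject": cached[0]}

    def _callback(self, query):
        original = self.pending.pop(query["state"][0], None)
        if original is None:                          # unknown or replayed state: no exchange
            return {"status": 403}
        tok = self.provider.token_endpoint(query["code"][0])
        if tok is None:
            return {"status": 401}
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = (tok["sub"], self.clock() + tok["expires_in"])
        return {"status": 200, "subject": tok["sub"], "set_cookie": cookie, "original_url": original}


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    provider = MockProvider(clock)
    gateway = Gateway(provider, clock)
    first = gateway.handle("https://xxx.com/xxx?a=1")
    callback = provider.authorize(first["redirect_uri"], first["state"], "alice")
    print(first, gateway.handle(callback), sep="\n")
```

Driving it from a script reproduces the comment step by step: the first request gets a 302 with `redirect_uri` equal to the current path, the callback URL issued by the provider is exchanged and answered with a session cookie, and a later request with that cookie is released without touching the provider.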