[GitHub] [apisix] juzhiyuan commented on a diff in pull request #7406: docs: update openid-connect plugin document

Wed, 06 Jul 2022 22:39:39 -0700 


juzhiyuan commented on code in PR #7406:
URL: https://github.com/apache/apisix/pull/7406#discussion_r915476932


##########
docs/en/latest/plugins/openid-connect.md:
##########
@@ -59,21 +59,25 @@ The `openid-connect` Plugin provides authentication and 
introspection capability
 | set_userinfo_header                  | boolean | False    | true             
     |              | When set to true and the UserInfo object is available, 
sets it in the `X-Userinfo` request header.                       |
 | set_refresh_token_header             | boolean | False    | false            
     |              | When set to true and a refresh token object is available, 
sets it in the `X-Refresh-Token` request header.               |
 
-## Modes of operation
+## Scenarios
 
-The `openid-connect` Plugin offers three modes of operation:
+:::tip
 
-1. The Plugin can be configured to just validate an access token that is 
expected to be present in a request header. In such cases, requests without a 
token or with an invalid token are rejected. This requires the `bearer_only` 
attribute to be set to `true` and either `introspection_endpoint` or 
`public_key` attribute to be configured. This mode of operation can be used for 
service-to-service communication where the requester can reasonably be expected 
to obtain and manage a valid token by itself.
+1. Tutorial: [Use Keycloak with API Gateway to secure 
APIs](https://apisix.apache.org/blog/2022/07/06/use-keycloak-with-api-gateway-to-secure-apis/)
 
-2. The Plugin can be configured to authenticate requests without a valid token 
against an identity provider through OIDC authorization. The Plugin then acts 
as an OIDC Relying Party. In such cases, after successful authentication, the 
Plugin obtains and manages an access token in a session cookie. Subsequent 
requests that contain the cookie will use the access token. This requires the 
`bearer_only` attribute to be set to `false`. This mode of operation can be 
used to support cases where the client or the requester is a human interacting 
through a web browser.
+2. Testcases: 
[openid-connect.t](https://github.com/apache/apisix/blob/master/t/plugin/openid-connect.t)

Review Comment:
   make sense.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to