Re: [PR] docs: improve `openid-connect` plugin doc and add keycloak OIDC tutorial [apisix]
Baoyuantop merged PR #11889: URL: https://github.com/apache/apisix/pull/11889 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] docs: improve `openid-connect` plugin doc and add keycloak OIDC tutorial [apisix]
kayx23 commented on code in PR #11889: URL: https://github.com/apache/apisix/pull/11889#discussion_r2131872893 ## docs/en/latest/plugins/openid-connect.md: ## 
@@ -27,58 +27,62 @@ description: OpenID Connect allows the client to obtain user information from th # --> + + https://docs.api7.ai/hub/openid-connect"; /> + + ## Description -[OpenID Connect](https://openid.net/connect/) (OIDC) is an authentication protocol based on the OAuth 2.0. It allows the client to obtain user information from the identity provider (IdP), e.g., Keycloak, Ory Hydra, Okta, Auth0, etc. API Gateway Apache APISIX supports to integrate with the above identity providers to protect your APIs. +The `openid-connect` Plugin supports the integration with [OpenID Connect (OIDC)](https://openid.net/connect/) identity providers, such as Keycloak, Auth0, Microsoft Entra ID, Google, Okta, and more. It allows APISIX to authenticate clients and obtain their information from the identity provider before allowing or denying their access to upstream protected resources. ## Attributes -| Name | Type | Required | Default | Valid values | Description | +| Name | Type | Required | Default | Valid values | Description | |--|--|--|---|--|---| -| client_id| string | True | | | OAuth client ID. | -| client_secret| string | True | | | OAuth client secret. | -| discovery| string | True | | | Discovery endpoint URL of the identity server. | -| scope| string | False| "openid" | | OIDC scope that corresponds to information that should be returned about the authenticated user, also known as [claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). The default value is `openid`, the required scope for OIDC to return a `sub` claim that uniquely identifies the authenticated user. Additional scopes can be appended and delimited by spaces, such as `openid email profile`. | -| required_scopes | string[] | False| | | Array of strings. Used in conjunction with the introspection endpoint (when `bearer_only` is `true`). If present, the plugin will check if the token contains all required scopes. 
If not, 403 will be returned with an error message | -| realm| string | False| "apisix" | | Realm used for authentication. | -| claim_validator | object | False| | | Define the JWT claim validator. | -| claim_validator.audience | object | False| | | OpenID Connect Audience (["aud"](https://openid.net/specs/openid-connect-core-1_0.html)) validator. | -| claim_validator.audience.claim | string | False| "aud" | | Customize the claim used to store the audience. | -| claim_validator.audience.required| boolean | False| false | | Requires that the audience claim must exist and that it follows the custom claim. | -| claim_
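Review bot: in the added Description paragraph, "supports the integration with" should read "supports integration with", and "obtain their information from the identity provider" leaves it unclear whose information is meant; suggest "obtain user information from the identity provider before allowing or denying access to protected upstream resources". The hunk also removes the `required_scopes`, `realm` and `claim_validator.audience.*` rows (the old wording "that it follows the custom claim" was hard to parse), but the replacement rows are cut off in this excerpt at `-| claim_`, so please confirm the rewritten table still states that `required_scopes` is only enforced against the introspection endpoint when `bearer_only` is `true`, that a missing scope yields a 403, and what `claim_validator.audience.required` actually enforces, since operators rely on those rows to configure authorization correctly.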
Re: [PR] docs: improve `openid-connect` plugin doc and add keycloak OIDC tutorial [apisix]
kayx23 commented on code in PR #11889: URL: https://github.com/apache/apisix/pull/11889#discussion_r2048540750 ## docs/en/latest/plugins/openid-connect.md: ## 
Re: [PR] docs: improve `openid-connect` plugin doc and add keycloak OIDC tutorial [apisix]
kayx23 commented on PR #11889: URL: https://github.com/apache/apisix/pull/11889#issuecomment-2574384924 watch out for changes in https://github.com/apache/apisix/pull/11892
