whatvn opened a new pull request, #9127:
URL: https://github.com/apache/apisix/pull/9127

   ### Description
   
   The current openid connect plugin does not check access token scope 
permissions. For example, a client-id clientX has been granted scope-a, and 
apisix with openid connect has 2 routes set up with scope-a and scope-b for 
different client-ids. 
   
   ClientX then uses its client-id and client-secret to get an access token to 
request the service defined with scope-a; this access token can still be used 
to access the service defined with scope-b since this plugin does not check the 
scope when doing OIDC introspection. 
   
   This fixes the issue mentioned above by also checking the allowed scope of the 
access token against the granted scope in OIDC. 
   
   
   
   ### Checklist
   
   - [ ] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [ ] I have added tests corresponding to this change
   - [ ] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible (If not, 
please discuss on the [APISIX mailing 
list](https://github.com/apache/apisix/tree/master#community) first)
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

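The gap the PR describes, shown on a token-introspection response: an access token granted `scope-a` passes an active-only check on the `scope-b` route, and fails once the route's required scopes are compared with the token's granted scopes. This is an added example and not code from APISIX or from the PR; the route table, the `required_scopes` name and the introspection payloads are constructed for illustration (the payload shape follows RFC 7662, where `scope` is a space-separated string).

```python
"""Scope enforcement on an OAuth 2.0 token-introspection response.

Added example, not APISIX or PR code. ROUTES and the two introspection
payloads below are constructed for illustration.
"""
import json
from typing import Iterable, Optional, Set

# Constructed introspection responses as an authorization server would
# return them (RFC 7662 section 2.2: "scope" is a space-separated string).
INTROSPECTION_CLIENTX = json.dumps({
    "active": True,
    "client_id": "clientX",
    "scope": "openid scope-a",
    "exp": 1700000000,
})
INTROSPECTION_INACTIVE = json.dumps({"active": False})

# Hypothetical route config: path -> scopes the route demands.
ROUTES = {"/service-a": ["scope-a"], "/service-b": ["scope-b"]}


def parse_scopes(introspection_json: str) -> Optional[Set[str]]:
    """Return the granted scope set, or None if the token is not active.

    Accepts the RFC 7662 string form and the list form some providers
    emit. An active token with no scope claim has an empty scope set.
    Scope names are compared exactly (RFC 6749 treats them as
    case-sensitive), so nothing is lower-cased here.
    """
    data = json.loads(introspection_json)
    if data.get("active") is not True:
        return None
    raw = data.get("scope", "")
    if isinstance(raw, list):
        return {str(s) for s in raw}
    return set(str(raw).split())


def authorize_without_scope_check(introspection_json: str,
                                  required_scopes: Iterable[str]) -> bool:
    """Behaviour the PR reports: only token liveness is checked."""
    return parse_scopes(introspection_json) is not None


def authorize_with_scope_check(introspection_json: str,
                               required_scopes: Iterable[str]) -> bool:
    """Token must be active AND carry every scope the route requires.

    An empty required list passes, so routes that configure no scopes
    keep their previous behaviour.
    """
    granted = parse_scopes(introspection_json)
    if granted is None:
        return False
    return set(required_scopes).issubset(granted)


def decide(path: str, introspection_json: str, enforce_scopes: bool) -> bool:
    """Route-level decision for one request."""
    required = ROUTES[path]
    if enforce_scopes:
        return authorize_with_scope_check(introspection_json, required)
    return authorize_without_scope_check(introspection_json, required)


if __name__ == "__main__":
    for path in ROUTES:
        before = decide(path, INTROSPECTION_CLIENTX, enforce_scopes=False)
        after = decide(path, INTROSPECTION_CLIENTX, enforce_scopes=True)
        print(f"{path}: active-only={before} with-scope-check={after}")
```

The token is accepted on `/service-b` under the active-only check and rejected once the scope comparison is in place; the inactive token is rejected either way. The comparison is a subset test, so a token carrying more scopes than a route needs (here `openid` as well as `scope-a`) is still accepted on that route.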