chrbo opened a new issue, #10275:
URL: https://github.com/apache/apisix/issues/10275

   ### Description
   
   Hello APISIX Community,
   
   First of all, a big thank you for providing this open source API gateway solution!
   
   Apparently there is no configuration setting with which the original ID-token can be injected into the authorization header of the upstream request.
   
   Many modern identity providers offer a JWT as an access token (this can be set via the “access_token_in_authorization_header” setting), but in my opinion this is not the standard according to the OpenID Connect specification. The standard is still to get the JWT in the id_token.
   
   Currently, only the validated content of the ID token can be accessed via the X-ID-Token header in the upstream request, but not the full ID-token.
   
   In migration scenarios (the ID-token verification is moved from the services to the API gateway in a large infrastructure) or when a service is used that expects a full ID token, the ability to inject a full ID token would be required.
   
   1. Question: Did we miss a way to inject a full ID-token into the authorization header?
   
   2. Question: If not, does the community consider such a configuration option to be useful, and would it accept a pull request for it?
   
   ### Environment
   
   - APISIX version (run `apisix version`):
   
   ```
   apisix@apisix:/usr/local/apisix$ apisix version
   /usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua version
   3.5.0
   ```
   
   - Operating system (run `uname -a`):
   
   ```
   apisix@apisix:/usr/local/apisix$ uname -a
   Linux apisix 5.4.0-109-generic #123-Ubuntu SMP Fri Apr 8 09:10:54 UTC 2022 x86_64 GNU/Linux
   ```
   
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   
   ```
   apisix@apisix:/usr/local/apisix$ openresty -V
   nginx version: openresty/1.21.4.2
   built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
   built with OpenSSL 1.1.1s  1 Nov 2022
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.21.4.2.0 -DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-module-1.14.0 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-module-1.14.0/src/stream --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-module-1.14.0/src/meta --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../wasm-nginx-module-0.6.5 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../grpc-client-nginx-module-v0.4.3 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
   ```
   
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   
   No etcd configured due to config_provider "yaml"
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
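
The distinction the issue draws between a full ID token and forwarded claims, as an added example that is not part of the original issue or of APISIX's code: a check an upstream service could run during such a migration so that claims-only data is never mistaken for a signed token. It assumes the claims header value is base64-encoded JSON; the function names and sample values are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample data; the signature segment is a placeholder, not a real signature.
CLAIMS = {"iss": "https://idp.example", "sub": "alice", "aud": "demo-client"}


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_ID_TOKEN = ".".join(
    [_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(CLAIMS), "c2lnbmF0dXJl"])
SAMPLE_CLAIMS_HEADER = base64.b64encode(json.dumps(CLAIMS).encode()).decode()


def _b64url_json(segment):
    """Decode one base64url segment (padding optional) into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def classify_forwarded_identity(value):
    """Return ("compact_jws", header, claims) or ("claims_only", None, claims).

    No signature is verified here: a "compact_jws" result still has to go
    through normal JWT validation, and "claims_only" data cannot be verified
    at all, so it is only as trustworthy as the hop that set the header.
    """
    value = value.strip()
    if value.lower().startswith("bearer "):
        value = value[7:].strip()
    parts = value.split(".")
    try:
        if len(parts) == 3 and all(parts):
            header = _b64url_json(parts[0])
            if "alg" not in header:
                raise ValueError("JOSE header has no alg")
            return "compact_jws", header, _b64url_json(parts[1])
        if len(parts) == 1:
            claims = json.loads(base64.b64decode(value, validate=True))
            if isinstance(claims, dict):
                return "claims_only", None, claims
    except (ValueError, binascii.Error):
        pass
    raise ValueError("neither a compact JWS nor base64-encoded JSON claims")
```
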
