csotiriou opened a new issue, #10352:
URL: https://github.com/apache/apisix/issues/10352

### Description

Hello, I am using the Ingress Controller and I am trying to support the following scenario using OIDC:
- ClientID A should have access to Endpoints A,B
- ClientID B should have access to Endpoints B,C

And on top of a route, I have the following definition:

```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: echoserver-multiple-apisix
  namespace: ${kubernetes_namespace_v1.echonamespace2.metadata.0.name}
spec:
  http:
  - name: echohttp
    match:
      hosts:
      - echo.k8s.orb.local
      paths:
      - "/echo*"
    backends:
    - serviceName: echoserver2-service
      servicePort: 80
    plugins:
      - name: "openid-connect"
        enable: true
        config:
          client_id: "apisix2"
          client_secret: "..."
          discovery: "http://keycloak-proxy.keycloak.svc.cluster.local/realms/apisixrealm/.well-known/openid-configuration"
          introspection_endpoint: "http://keycloak-proxy.keycloak.svc.cluster.local/realms/apisixrealm/protocol/openid-connect/token/introspect"
          realm: "apisixrealm"
          scope: "route1scope"
```

I am using the OIDC plugin and Keycloak as my authentication provider. Although APISIX can provide access to the endpoints with tokens accessed, **it fails to deny access to clients that don't have the required scope**. No matter what scope I put in the `scope` parameter, it always allows anyone with a valid token (but without a scope) to access the route. Perhaps this is a relevant issue: https://github.com/apache/apisix/issues/1272

Therefore, I have two questions:
- For the scenario originally described, can I have multiple OIDC plugins with different client IDs and secrets on top of a route to achieve what I want? (since multiple clients must be able to access the same route)
- For the issue where the scopes are not taken into account, is there something I am missing or can do differently?
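The behaviour described above separates two different things: the `scope` attribute in the route configuration is the scope the gateway asks the provider for during the authorization flow, while denying a caller whose token does not actually carry a scope is a check on the introspection response. The following is an added example, not APISIX or lua-resty-openidc code, that shows that enforcement step in isolation: a token is accepted for a path only if introspection reports it active and its space-delimited `scope` string contains the scope the route requires. The route policy, the scope names and the introspection responses are all constructed for the example; the per-client split of endpoints mirrors the A,B / B,C scenario from the report.

```python
"""Scope enforcement over OAuth 2.0 token-introspection responses (RFC 7662).

Added example, not the APISIX plugin's code. It models the decision the
report asks for: an active token with the wrong or no scope must be denied.
All responses and policy values below are constructed.
"""
import json

# Hypothetical route policy: path prefix -> scope the token must carry.
# Endpoints A, B and C from the report become /a, /b and /c.
ROUTE_POLICY = {
    "/a": "endpoint-a",
    "/b": "endpoint-b",
    "/c": "endpoint-c",
}

# Constructed introspection responses. "scope" is space-delimited per
# RFC 7662; the third token is valid but carries no scope at all, which is
# exactly the case the report says was wrongly allowed through.
SAMPLE_INTROSPECTION = {
    "token-client-a": json.dumps(
        {"active": True, "client_id": "client-a", "scope": "endpoint-a endpoint-b"}),
    "token-client-b": json.dumps(
        {"active": True, "client_id": "client-b", "scope": "endpoint-b endpoint-c"}),
    "token-no-scope": json.dumps({"active": True, "client_id": "client-x"}),
    "token-revoked": json.dumps({"active": False}),
}


def granted_scopes(introspection_body: str) -> frozenset:
    """Scopes an active token carries; empty for inactive or malformed bodies."""
    try:
        data = json.loads(introspection_body)
    except ValueError:
        return frozenset()
    if not isinstance(data, dict) or data.get("active") is not True:
        return frozenset()
    return frozenset(str(data.get("scope", "")).split())


def required_scope_for(path: str):
    """Longest-prefix match of the request path against ROUTE_POLICY.

    Returns None for a path no policy entry covers, so callers deny it.
    """
    best = None
    for prefix, scope in ROUTE_POLICY.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, scope)
    return best[1] if best else None


def authorize(introspection_body: str, path: str) -> bool:
    """Deny by default: unknown route, inactive token or missing scope -> False."""
    needed = required_scope_for(path)
    if needed is None:
        return False
    return needed in granted_scopes(introspection_body)


def decision_matrix() -> dict:
    """Every sample token against every policed path; useful for eyeballing."""
    return {
        token: {path: authorize(body, path) for path in ROUTE_POLICY}
        for token, body in SAMPLE_INTROSPECTION.items()
    }


if __name__ == "__main__":
    for token, row in decision_matrix().items():
        print(token, row)
```

Run as a script it prints one row per sample token; client A is allowed on /a and /b only, client B on /b and /c only, and the scope-less and revoked tokens are refused everywhere. The deny-by-default shape matters: an empty scope set, an inactive token and an unpoliced path all fall through to `False`, so a gap in the policy never turns into an allow.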

