[I] bug: open-id connect plugin sets bearer_only=true and returns 401 instead of checking the token. [apisix]

[via GitHub]

luoluoyuyu opened a new issue, #10592:
URL: https://github.com/apache/apisix/issues/10592

   ### Current Behavior
   
   I am facing a similar issue with APISIX. I deployed APISIX in GCP GKE and 
tried integrating it with Auth0. In my case my API GW is accessed from a FE app 
which already performs login with Auth0 and thus has a valid token.
   I configured my APISIX route like this
   
   {
     "uri": "/my-service/*",
     "name": "My Route",
     "plugins": {
       "openid-connect": {
         "bearer_only": true,
         "client_id": "AUTH0_CLIENTID",
         "client_secret": "AUTH0_SECRET",
         "discovery": AUTH0_DOMAIN.well-known/openid-configuration",
         "redirect_uri": "http://localhost:8082/my-service/redirect";,  // same 
as Auth0 callback as mentioned in previous threads
         "scope": "openid profile"
       }
     },
     "upstream_id": "1",
     "status": 1
   }
   When calling the api with a -H "Authorization: Bearer AUTH0_TOKEN" i get a 
401 Authorization Required error, why is this?
   If I set the bearer_only to false and still call the API with -H 
"Authorization: Bearer AUTH0_TOKEN" it redirects me to login. It looks like API 
SIX ignores the fact that I have a valid token.
   If I call the endpoint from browser then I get redirected to Auth0, I login, 
get a session and redirect to my api all good.
   
   I see myself forced to use API SIX as a simple API GW without any security 
and handle the security in each upstream service individually. It is quite sad 
as this project has a lot of potential.
   
   If anybody has encountered this issue before and has a solution please do 
share!
   
   ### Expected Behavior
   
   _No response_
   
   ### Error Logs
   
   _No response_
   
   ### Steps to Reproduce
   
   {
     "uri": "/my-service/*",
     "name": "My Route",
     "plugins": {
       "openid-connect": {
         "bearer_only": true,
         "client_id": "AUTH0_CLIENTID",
         "client_secret": "AUTH0_SECRET",
         "discovery": AUTH0_DOMAIN.well-known/openid-configuration",
         "redirect_uri": "http://localhost:8082/my-service/redirect";,  // same 
as Auth0 callback as mentioned in previous threads
         "scope": "openid profile"
       }
     },
     "upstream_id": "1",
     "status": 1
   }
   
   ### Environment
   
   - APISIX version (run `apisix version`):
   - Operating system (run `uname -a`):
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl 
http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org