mc-round2 opened a new issue, #11018: URL: https://github.com/apache/apisix/issues/11018
### Description

Hi, I'm trying to use OIDC to authenticate my APIs. So far it's working, but it's working a bit too well, because every single token can pass as long as it is a valid token. I'm trying to only allow tokens that were created for the specific API that I'm trying to connect to, and tokens that are valid BUT *not for this specific API* to be unauthorized. My token provider provides the audience claim, which ideally should be cross-referenced with the client_id of the route.

From my understanding of the documentation (and according to the APISIX DOCS AI) this should come out of the box... but it clearly doesn't. Am I missing something?

This is the current config that I have for the openid-connect plugin:

```yaml
bearer_only: true
client_id: wtv
client_secret: wtvwtvw
discovery: https://auth.wtv.wtv/auth/realms/wtv/.well-known/openid-configuration
introspection_endpoint: https://auth.wtv.wtv/auth/realms/wtv/protocol/openid-connect/token/introspect
introspection_endpoint_auth_method: client_secret_basic
use_jwks: true
```

### Environment

- APISIX version (run `apisix version`):
- Operating system (run `uname -a`):
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
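The check the poster is asking for, written out as an added example (this is not code from the issue or from the APISIX project): after the token's signature and expiry have been verified, the `aud` claim is cross-referenced with the route's `client_id`, and a token that is otherwise valid but was issued for a different API is rejected. It is in Python so it runs stand-alone; the tokens are HS256-signed with a constructed demo key so no identity provider is needed. A real gateway would verify the provider's RS256 signature against its JWKS (or use introspection) and then apply the same audience logic. Per RFC 7519 section 4.1.3, `aud` may be a single string or an array of strings, and both shapes are handled.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: tokens in this example are HS256-signed so it runs offline.
# A real deployment verifies the provider's RS256 signature via its JWKS instead.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (HS256) carrying the given claims. Demo issuer only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def audience_matches(aud, expected: str) -> bool:
    """RFC 7519 4.1.3: 'aud' is one string or an array of strings. The token is
    acceptable for this route only if the route's identifier is among them."""
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return any(isinstance(item, str) and item == expected for item in aud)
    return False


def authorize(token: str, client_id: str, key: bytes = DEMO_KEY, now=None):
    """Return (allowed, reason). Signature and expiry are checked first; a token
    that passes both is still rejected unless its 'aud' names this route's client_id."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(
            expected_sig, _b64url_decode(sig_b64)
        ):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64 (binascii.Error), bad JSON, bad UTF-8
        return False, "malformed token"
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "expired"
    # This is the step the post is missing: a valid token with no aud, or with an
    # aud for some other API, must not be accepted on this route.
    if "aud" not in claims:
        return False, "missing aud"
    if not audience_matches(claims["aud"], client_id):
        return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    route_client_id = "wtv"  # the client_id configured on the route in the post
    far_future = 2_000_000_000
    for_this_api = mint_token({"sub": "alice", "aud": "wtv", "exp": far_future})
    for_other_api = mint_token({"sub": "alice", "aud": "other-api", "exp": far_future})
    print(authorize(for_this_api, route_client_id))   # (True, 'ok')
    print(authorize(for_other_api, route_client_id))  # (False, 'audience mismatch')
```

The order matters: signature, then expiry, then audience. Checking `aud` before the signature would let an attacker influence the decision with an unsigned payload, and reporting "audience mismatch" for a forged token would leak which audiences the route accepts.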
