njanelt commented on issue #11018: URL: https://github.com/apache/apisix/issues/11018#issuecomment-2017679563
> Hello, we are facing the same issue (not being able to validate the aud claim). Just to recap:
>
> We are using the openid-connect with the following parameters configured:
>
> * `discovery` with the `.well-known/openid-configuration` endpoint
> * `client_id`
> * `client_secret`
> * `bearer_only` set to `true`
> * `introspection_endpoint` with the `openid-connect/token/introspect` endpoint
> * `use_jwks` set to true, otherwise everything fails with 401
>
> Alternative of the last two is to set the public key instead.
>
> I expect openid-connect to allow Bearer tokens that are created with the provided `client_id` and `client_secret`, but instead all valid tokens, even from other clients, are allowed.
>
> If this is true and this is the intended behaviour, it sounds like a quite serious security issue imo. Can you confirm that this is the result of your tests too? Is there any other similar plugin that offers this functionality?
>
> Is this something you can verify @shreemaan-abhishek ?

Yes, I am facing the same issue. @shreemaan-abhishek is this really the intended behaviour? I think for most use cases this plugin is not usable if it behaves like that.
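As an added illustration of the check the thread says is missing (this is not APISIX or openid-connect code, and not part of the original comment), the following shows audience validation on a decoded token payload: a token that is otherwise valid but whose `aud` names a different client is rejected. It assumes constructed, unsigned sample tokens and applies only after signature verification or introspection has already established that the token is genuine.

```python
import base64
import json


def _b64url(data: dict) -> str:
    # Encode a JSON object as an unpadded base64url JWT segment
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _decode_segment(seg: str) -> dict:
    # JWT segments drop base64 padding; restore it before decoding
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def audience_allowed(aud_claim, client_id: str) -> bool:
    """RFC 7519 allows 'aud' to be a single string or an array of strings.
    Accept only if this deployment's client_id is among the audiences;
    a missing or malformed claim is treated as not-for-us."""
    if isinstance(aud_claim, str):
        return aud_claim == client_id
    if isinstance(aud_claim, list):
        return client_id in aud_claim
    return False


def token_accepted(jwt: str, client_id: str) -> bool:
    """Audience check to run AFTER the token's signature (or the
    introspection response) has been validated. Returns True only
    when the payload's 'aud' names this client."""
    try:
        _, payload_seg, _ = jwt.split(".")
        payload = _decode_segment(payload_seg)
    except ValueError:
        # wrong segment count, bad base64 or bad JSON: reject
        return False
    return audience_allowed(payload.get("aud"), client_id)


def make_sample_token(payload: dict) -> str:
    # Constructed sample token with an empty signature placeholder;
    # it exercises the aud logic only and is never signature-verified here
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url(header)}.{_b64url(payload)}."
```

With `client_id` set to the value configured on the route, a token minted for another client (a different `aud`) fails this check even though its signature is valid.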
