Baoyuantop commented on code in PR #11824:
URL: https://github.com/apache/apisix/pull/11824#discussion_r2084265403


##########
apisix/plugins/openid-connect.lua:
##########
@@ -357,6 +365,14 @@ function _M.check_schema(conf)
         return false, err
     end
 
+    if conf.claim_schema then
+        local ok, res = pcall(jsonschema.generate_validator, conf.claim_schema)
+        if not ok then
+            return false, "generate claim_schema validator failed"
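Review bot: the `pcall` on `local ok, res = pcall(jsonschema.generate_validator, conf.claim_schema)` captures the failure reason in `res`, but the `return false, "generate claim_schema validator failed"` line discards it, so an operator whose schema is rejected gets nothing to act on; return the reason as well, e.g. `return false, "generate claim_schema validator failed: " .. tostring(res)`, and make sure the validator compiled here (or at least the checked schema) is what the request path later uses, rather than recompiling the schema on every request.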

Review Comment:
   It is recommended to include the original error message for better debugging.



##########
docs/en/latest/plugins/openid-connect.md:
##########
@@ -96,6 +96,7 @@ description: OpenID Connect allows the client to obtain user 
information from th
 | introspection_expiry_claim | string | False |  |  | Name of the expiry 
claim, which controls the TTL of the cached and introspected access token. The 
default value is 0, which means this option is not used and the plugin defaults 
to use the TTL passed by expiry claim defined in `introspection_expiry_claim`. 
If `introspection_interval` is larger than 0 and less than the TTL passed by 
expiry claim defined in `introspection_expiry_claim`, use 
`introspection_interval`. |
 | introspection_addon_headers | string[] | False |  |  | Array of strings. 
Used to append additional header values to the introspection HTTP request. If 
the specified header does not exist in origin request, value will not be 
appended. |
 | claim_validator.issuer.valid_issuers | string[] | False |  |  | Whitelist 
the vetted issuers of the jwt. When not passed by the user, the issuer returned 
by discovery endpoint will be used. In case both are missing, the issuer will 
not be validated. |
+| claim_schema | object | False |  |  | JSON schema of OIDC response claim. |
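Review bot: the new `claim_schema` row only says "JSON schema of OIDC response claim"; it should state which object the schema is matched against (the code hunk further down builds a table with `user = resp.user`, so the documented top-level keys need to match that table), what the plugin does when validation fails (whether the request is rejected and with which status code), and a minimal example such as a schema that requires one claim to be present, since otherwise it is unclear whether the schema applies to the ID token claims, the userinfo response, or both.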

Review Comment:
   It is recommended to add specific configuration examples.



##########
apisix/plugins/openid-connect.lua:
##########
@@ -528,6 +544,18 @@ local function required_scopes_present(required_scopes, 
http_scopes)
     return true
 end
 
+local function validate_claims_in_oidcauth_response(resp)
+    if not generic_claim_validator then
+        return true, nil
+    end
+    local data = {
+        user  = resp.user,
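Review bot: `validate_claims_in_oidcauth_response(resp)` consults a module-level `generic_claim_validator` rather than a validator tied to the route's `conf`, so when several routes carry different (or no) `claim_schema` values, each is checked against whichever schema was compiled last, and a route without `claim_schema` is not skipped once another route has set one; pass the per-route validator (or `conf`) into the function, and guard against `resp` itself being nil before indexing `resp.user`, returning `false` with a reason instead of raising.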

Review Comment:
   What happens if these fields in resp are empty?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org