This is an automated email from the ASF dual-hosted git repository.
juzhiyuan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new ebe8d6c5e docs: add missing parameters back to openid-connect plugin
docs (#12673)
ebe8d6c5e is described below
commit ebe8d6c5ed4f5273a1da3731d2c9418990e82406
Author: Traky Deng <[email protected]>
AuthorDate: Thu Oct 16 20:02:01 2025 +0800
docs: add missing parameters back to openid-connect plugin docs (#12673)
---
docs/en/latest/plugins/openid-connect.md | 7 ++++++-
docs/zh/latest/plugins/openid-connect.md | 7 ++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/docs/en/latest/plugins/openid-connect.md
b/docs/en/latest/plugins/openid-connect.md
index 236422315..472ab2489 100644
--- a/docs/en/latest/plugins/openid-connect.md
+++ b/docs/en/latest/plugins/openid-connect.md
@@ -99,7 +99,12 @@ The `openid-connect` Plugin supports the integration with
[OpenID Connect (OIDC)
| introspection_interval | integer | False | 0 | | TTL of the cached and
introspected access token in seconds. The default value is 0, which means this
option is not used and the Plugin defaults to use the TTL passed by expiry
claim defined in `introspection_expiry_claim`. If `introspection_interval` is
larger than 0 and less than the TTL passed by expiry claim defined in
`introspection_expiry_claim`, use `introspection_interval`. |
| introspection_expiry_claim | string | False | exp | | Name of the expiry
claim, which controls the TTL of the cached and introspected access token. |
| introspection_addon_headers | array[string] | False | | | Used to append
additional header values to the introspection HTTP request. If the specified
header does not exist in origin request, value will not be appended. |
-| claim_validator.issuer.valid_issuers | string[] | False | | | Whitelist
the vetted issuers of the jwt. When not passed by the user, the issuer returned
by discovery endpoint will be used. In case both are missing, the issuer will
not be validated. |
+| claim_validator | object | False |
| | JWT claim validation configurations. |
+| claim_validator.issuer.valid_issuers | array[string] | False | | | An
array of trusted JWT issuers. If unconfigured, the issuer returned by discovery
endpoint will be used. If both are unavailable, the issuer will not be
validated. |
+| claim_validator.audience | object | False |
| | [Audience
claim](https://openid.net/specs/openid-connect-core-1_0.html) validation
configurations. |
+| claim_validator.audience.claim | string | False | aud
| | Name of the claim that contains the audience. |
+| claim_validator.audience.required | boolean | False | false
| | If true, audience claim is required and the name of the
claim will be the name defined in `claim`. |
+| claim_validator.audience.match_with_client_id | boolean | False | false
| | If true, require the audience to match the client ID. If
the audience is a string, it must exactly match the client ID. If the audience
is an array of strings, at least one of the values must match the client ID. If
no match is found, you will receive a `mismatched audience` error. This
requirement is stated in the OpenID Connect specification to ensure that the
token is intended for the [...]
| claim_schema | object | False | | | JSON schema of OIDC response claim.
Example:
`{"type":"object","properties":{"access_token":{"type":"string"}},"required":["access_token"]}`
- validates that the response contains a required string field `access_token`.
|
NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema,
which means that the field will be stored encrypted in etcd. See [encrypted
storage fields](../plugin-develop.md#encrypted-storage-fields).
diff --git a/docs/zh/latest/plugins/openid-connect.md
b/docs/zh/latest/plugins/openid-connect.md
index b70137712..7da9ffc2f 100644
--- a/docs/zh/latest/plugins/openid-connect.md
+++ b/docs/zh/latest/plugins/openid-connect.md
@@ -99,7 +99,12 @@ description: openid-connect 插件支持与 OpenID Connect (OIDC) 身份提供
| introspection_interval | integer | 否 | 0 | | 缓存和自省访问令牌的 TTL(以秒为单位)。默认值为
0,这意味着不使用此选项,插件默认使用 `introspection_expiry_claim` 中定义的到期声明传递的
TTL。如果`introspection_interval` 大于 0 且小于 `introspection_expiry_claim`
中定义的到期声明传递的 TTL,则使用`introspection_interval`。|
| introspection_expiry_claim | string | 否 | exp | | 到期声明的名称,它控制缓存和自省访问令牌的 TTL。|
| introspection_addon_headers | array[string] | 否 | | | 用于将其他标头值附加到自省 HTTP
请求。如果原始请求中不存在指定的标头,则不会附加值。|
-| claim_validator.issuer.valid_issuers | string[] | 否 | |
| 将经过审查的 jwt 发行者列入白名单。当用户未传递时,将使用发现端点返回的颁发者。如果两者均缺失,发行人将无法得到验证|
+| claim_validator | object | 否 | | | JWT 声明(claim)验证的相关配置。 |
+| claim_validator.issuer.valid_issuers | array[string] | 否 | | | 可信任的 JWT
发行者(issuer)列表。如果未配置,将使用发现端点返回的发行者;如果两者都不可用,将不会验证发行者。 |
+| claim_validator.audience | object | 否 | | | [Audience
声明](https://openid.net/specs/openid-connect-core-1_0.html) 验证的相关配置。 |
+| claim_validator.audience.claim | string | 否 | aud | | 包含受众(audience)的声明名称。 |
+| claim_validator.audience.required | boolean | 否 | false | | 若为
`true`,则要求必须存在受众声明,其名称为 `claim` 中定义的值。 |
+| claim_validator.audience.match_with_client_id | boolean | 否 | false | | 若为
`true`,则要求受众(audience)必须与客户端 ID 匹配。若受众为字符串,则必须与客户端 ID
完全一致;若受众为字符串数组,则至少有一个值需与客户端 ID 匹配。若未找到匹配项,将返回 `mismatched audience` 错误。此要求来自
OpenID Connect 规范,用于确保令牌仅用于指定的客户端。 |
| claim_schema | object | 否 | | | OIDC 响应 claim 的 JSON
schema。示例:`{"type":"object","properties":{"access_token":{"type":"string"}},"required":["access_token"]}`
- 验证响应中包含必需的字符串字段 `access_token`。 |
注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd
中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。
