Baoyuantop commented on PR #13038: URL: https://github.com/apache/apisix/pull/13038#issuecomment-4088116613
Thanks for the detailed explanation, @PiyushMishra318. The pain point you described is valid — the current openid-connect plugin assumes a single realm per route, and the consumer resolution timing makes it impossible to dynamically switch OIDC configurations before authentication.

I think the right direction would be to add multi-issuer support directly within the openid-connect plugin itself, rather than at the core routing layer. The plugin could:

1. Accept a `realms` map (issuer → discovery/client config set)
2. Do a lightweight JWT payload decode internally (within the plugin scope) to extract the `iss` claim
3. Select the matching realm config and proceed with standard OIDC validation

This keeps the unsigned JWT parsing scoped to the auth plugin rather than the core context, and provides a cleaner API for your use case.

Maintaining an internal patch is totally reasonable for your immediate needs. If you are interested in contributing an upstream solution along these lines, we would welcome a proposal on the issue for further discussion.
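An added sketch of the three steps proposed in the comment above, written in Python for illustration; it is not APISIX or openid-connect plugin code. The `REALMS` contents and the names `peek_issuer`, `select_realm` and `sample_token` are hypothetical, and the unverified `iss` is used only as an exact-match lookup key into configured realms.

```python
import base64
import json

# Constructed realm map (issuer -> client config); all values are placeholders.
REALMS = {
    "https://idp.example/realms/alpha": {"client_id": "apisix-alpha"},
    "https://idp.example/realms/beta": {"client_id": "apisix-beta"},
}
MAX_TOKEN_LEN = 8192  # bound the work done on unauthenticated input


class RealmSelectionError(Exception):
    """Raised when no configured realm can be chosen for a token."""


def peek_issuer(token: str) -> str:
    """Return the UNVERIFIED `iss` claim: a routing hint, not an identity."""
    if len(token) > MAX_TOKEN_LEN:
        raise RealmSelectionError("token too long")
    parts = token.split(".")
    if len(parts) != 3:
        raise RealmSelectionError("not a compact JWS")
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, RecursionError) as exc:
        raise RealmSelectionError("payload is not base64url JSON") from exc
    iss = claims.get("iss") if isinstance(claims, dict) else None
    if not isinstance(iss, str):
        raise RealmSelectionError("missing or non-string iss")
    return iss


def select_realm(token: str, realms: dict = REALMS) -> dict:
    """Exact-match the issuer against configured realms; nothing is derived from the token."""
    iss = peek_issuer(token)
    realm = realms.get(iss)
    if realm is None:
        raise RealmSelectionError("issuer not configured")
    # Full validation must still verify the signature with this realm's keys
    # and re-check that the verified `iss` equals expected_iss.
    return {**realm, "expected_iss": iss}


def sample_token(claims: dict) -> str:
    """Constructed input: header.payload.sig with a dummy, unverifiable signature."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'), enc(json.dumps(claims).encode()), "c2ln"])
```

Because the lookup is a plain dictionary match, a token naming an issuer that is not configured is rejected before any discovery or key fetch happens.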
