AlinsRan opened a new pull request, #13472:
URL: https://github.com/apache/apisix/pull/13472
## Background
Closes #10563
Closes #13397
In service-to-service scenarios where the gateway only validates an incoming
Bearer token locally (via a configured public key or JWKS endpoint),
`client_secret` plays no role — no call is made to the IdP's token or
introspection endpoint. However, the plugin currently requires `client_secret`
unconditionally, forcing users to supply a dummy value as a workaround.
## Changes
### `apisix/plugins/openid-connect.lua`
- Remove `client_secret` from the schema's `required` array.
- Add conditional enforcement in `check_schema`: `client_secret` is still
  required for all flows that need it (session/callback flow, introspection), but
  is now optional when:
  - `bearer_only=true` + `public_key`: local JWT verification with a
    configured public key
  - `bearer_only=true` + `use_jwks=true`: local JWT verification via JWKS
    endpoint
  - `token_endpoint_auth_method=private_key_jwt`: RSA private key replaces
    `client_secret`
  - `use_pkce=true` (non-bearer): public-client PKCE flow
- Fix `claim_schema` not being enforced in the bearer-token path (#13397):
  the schema is now applied directly to the flat JWT payload / introspection
  response in the bearer branch.
### `t/plugin/openid-connect.t`
Add TEST 42–47 covering:
- `bearer_only=true` + `public_key` → no `client_secret` required
- `bearer_only=true` + `use_jwks=true` → no `client_secret` required
- `bearer_only=true` + introspection endpoint (no local key) →
  `client_secret` still required
- `token_endpoint_auth_method=private_key_jwt` → no `client_secret` required
- `use_pkce=true` → no `client_secret` required
- Session flow without special auth method → `client_secret` still required
## Backward Compatibility
All existing configurations remain valid. The change only relaxes the
requirement for specific scenarios; any config that previously worked continues
to work unchanged.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
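The conditional rule the description spells out, written as a small Python model so the six scenarios can be reproduced offline. This is an added illustration and not code from the PR or from apache/apisix (the plugin itself is Lua); the config keys follow the plugin's option names quoted in the description, while the function names `client_secret_required`, `check_schema`, `run_scenarios`, the error text and the sample configurations are constructed for this example.

```python
"""Model of the conditional client_secret rule described in the PR.

Added illustration only: this is not code from apache/apisix. It encodes the
conditions listed in the PR description as a plain Python predicate so the
test scenarios (TEST 42-47) can be reproduced offline. Config keys match
the plugin's option names; the function names, error text and the sample
configurations below are constructed for this example.
"""
from typing import Any, Dict, Optional, Tuple

Conf = Dict[str, Any]


def client_secret_required(conf: Conf) -> bool:
    """Return True when the configuration still needs a client_secret.

    The secret is dispensable only when the gateway never authenticates to the
    IdP's token/introspection endpoint with it, or another credential replaces it:
      * bearer_only + public_key   -> local JWT verification with a configured key
      * bearer_only + use_jwks     -> local JWT verification via the JWKS endpoint
      * token_endpoint_auth_method == "private_key_jwt" -> RSA key replaces it
      * use_pkce in the non-bearer (session) flow        -> public client
    Everything else (session flow with a secret-based auth method, bearer_only
    with introspection and no local key) keeps the requirement.
    """
    bearer_only = bool(conf.get("bearer_only", False))
    if bearer_only and (conf.get("public_key") or conf.get("use_jwks")):
        return False
    if conf.get("token_endpoint_auth_method") == "private_key_jwt":
        return False
    if not bearer_only and conf.get("use_pkce"):
        return False
    return True


def check_schema(conf: Conf) -> Tuple[bool, Optional[str]]:
    """Conditional enforcement: fail only when a secret is needed and missing."""
    if client_secret_required(conf) and not conf.get("client_secret"):
        return False, 'property "client_secret" is required for this configuration'
    return True, None


# Constructed configurations mirroring the scenarios in the PR description;
# the discovery/introspection URLs and key material are placeholders.
DISCOVERY = "https://idp.example/.well-known/openid-configuration"
SCENARIOS: Dict[str, Tuple[Conf, bool]] = {
    # (config, expected check_schema result)
    "bearer_only_public_key": (
        {"client_id": "svc-a", "bearer_only": True, "discovery": DISCOVERY,
         "public_key": "<pem-public-key>"}, True),
    "bearer_only_use_jwks": (
        {"client_id": "svc-a", "bearer_only": True, "discovery": DISCOVERY,
         "use_jwks": True}, True),
    "bearer_only_introspection_no_local_key": (
        {"client_id": "svc-a", "bearer_only": True, "discovery": DISCOVERY,
         "introspection_endpoint": "https://idp.example/introspect"}, False),
    "private_key_jwt": (
        {"client_id": "svc-a", "discovery": DISCOVERY,
         "token_endpoint_auth_method": "private_key_jwt"}, True),
    "use_pkce_public_client": (
        {"client_id": "spa", "discovery": DISCOVERY, "use_pkce": True}, True),
    "session_flow_default_auth_method": (
        {"client_id": "web", "discovery": DISCOVERY}, False),
    # Backward compatibility: a config that already carries a secret still passes.
    "session_flow_with_secret": (
        {"client_id": "web", "discovery": DISCOVERY, "client_secret": "s3cr3t"}, True),
}


def run_scenarios() -> Dict[str, bool]:
    """Return, per scenario, whether check_schema agreed with the expected result."""
    return {name: check_schema(conf)[0] == expected
            for name, (conf, expected) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, agreed in run_scenarios().items():
        print(f"{name:40s} {'ok' if agreed else 'MISMATCH'}")
```

The predicate deliberately keeps the bearer-only introspection case on the "required" side: without a local key, the gateway must call the IdP's introspection endpoint, and that call authenticates with `client_secret`, so relaxing the check there would only move the failure from config validation to request time.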