AlinsRan commented on PR #13472: URL: https://github.com/apache/apisix/pull/13472#issuecomment-4630227212
@membphis Thanks for catching this. You're right that the global `anyOf` was too broad — it accepted cross-flow combinations where the alternative does not apply to the actual flow.

I've reverted the schema-level `anyOf` and restored the mode-aware validation in `check_schema`, scoping each exemption to its flow:

- `bearer_only=true`: exempt only via `public_key`/`use_jwks` (local JWT verification) or `introspection_endpoint_auth_method=private_key_jwt` (introspection auth)
- non-bearer (session/callback): exempt only via `token_endpoint_auth_method=private_key_jwt` or `use_pkce`

Also added negative tests for the cross-flow cases you mentioned:

- `bearer_only=true` + introspection + `token_endpoint_auth_method=private_key_jwt` without `client_secret` → now rejected
- non-bearer session flow with a bearer-only alternative (introspection `private_key_jwt`) without `client_secret` → now rejected
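The flow-scoped rule described in the comment, written out as a standalone Lua check with the two cross-flow negative cases (an added illustration, not the APISIX plugin's own `check_schema`; field names follow the comment, the `client_secret_optional` helper and the sample configs are constructed here):

```lua
-- Added illustration (not APISIX plugin code): decide whether `client_secret`
-- may be omitted, scoping each exemption to the flow it actually applies to.
local function client_secret_optional(conf)
  if conf.bearer_only then
    -- bearer-only flow: local JWT verification, or private_key_jwt used
    -- to authenticate against the introspection endpoint
    return conf.public_key ~= nil or conf.use_jwks == true
        or conf.introspection_endpoint_auth_method == "private_key_jwt"
  end
  -- session/callback flow: private_key_jwt at the token endpoint, or PKCE.
  -- An introspection-side exemption does not count here.
  return conf.token_endpoint_auth_method == "private_key_jwt"
      or conf.use_pkce == true
end

-- Mode-aware validation: reject a missing secret unless the matching
-- flow has a valid alternative.
local function check_schema(conf)
  if conf.client_secret == nil and not client_secret_optional(conf) then
    return false, "client_secret is required for this flow"
  end
  return true
end

-- Constructed cases; the second and third are the cross-flow negatives
-- from the comment and must be rejected.
local cases = {
  { { bearer_only = true, use_jwks = true }, true },
  { { bearer_only = true, introspection_endpoint = "https://idp.example/introspect",
      token_endpoint_auth_method = "private_key_jwt" }, false },
  { { bearer_only = false, introspection_endpoint_auth_method = "private_key_jwt" }, false },
  { { bearer_only = false, use_pkce = true }, true },
  { { bearer_only = false, client_secret = "constructed-secret" }, true },
}

for i, c in ipairs(cases) do
  local ok = check_schema(c[1])
  assert(ok == c[2], "case " .. i .. ": expected " .. tostring(c[2]))
end
print("all cases behaved as expected")
```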
