mikyll opened a new pull request, #13510:
URL: https://github.com/apache/apisix/pull/13510

   ### Description
   
   This PR adds a `hide_credentials` attribute to the `openid-connect` plugin, mirroring the behavior already available in other authentication plugins (e.g. `key-auth`, `basic-auth`, `hmac-auth`).
   
   When `hide_credentials` is set to `true`, the inbound `Authorization` header carrying the bearer token is cleared after token validation, so the raw credential is **not** forwarded to the upstream service. By default it is `false`, preserving the current behavior of passing the `Authorization` header through.
   
   Key details:
   
   - The header is cleared **after** validation, because `lua-resty-openidc` re-reads the `Authorization` header while verifying the token.
   - It works **independently of `set_access_token_header`**: when both are enabled, the original credential is removed and the validated access token is added back as a fresh, plugin-controlled header (`X-Access-Token` by default).
   - The client-supplied `X-Access-Token` header is always cleared regardless of this option, so a client cannot smuggle an arbitrary access token to the upstream.
   
   **Changes:**
   
   - `apisix/plugins/openid-connect.lua`: new `hide_credentials` boolean schema field (default `false`) and the corresponding header-clearing logic in `rewrite`.
   - `t/plugin/openid-connect-identity-headers.t`: new test suite (8 cases) covering identity header handling: unauthenticated passthrough, client-supplied headers not reaching the upstream, `hide_credentials` with `set_access_token_header` enabled/disabled, and the validated-token-vs-client-value distinction.
   - `docs/en/latest/plugins/openid-connect.md` and `docs/zh/latest/plugins/openid-connect.md`: documented the new attribute.
   
   #### Which issue(s) this PR fixes:
   
   Fixes #13279
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [x] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

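The ordering the PR description relies on (drop any client-supplied `X-Access-Token` unconditionally, validate the bearer token while `Authorization` is still present, only then clear it when `hide_credentials` is on, and re-add the validated token as a plugin-controlled header when `set_access_token_header` is on) can be modelled in plain Lua. The block below is an added illustration, not code from the PR or from APISIX; it operates on a plain header table instead of the APISIX request API, and `verify_bearer`, `apply_identity_headers`, the sample token values and the sample header tables are all constructed for this example.

```lua
-- Added example (not APISIX or PR code): plain-Lua model of the identity
-- header handling described in apache/apisix#13510. Runs with stock Lua 5.x.

local ACCESS_TOKEN_HEADER = "X-Access-Token"

-- Stand-in for token validation. In the real plugin lua-resty-openidc
-- re-reads the Authorization header inside this step, which is exactly why
-- the header must not be cleared before this call returns.
-- "valid-token-123" is a constructed value for the example only.
local function verify_bearer(headers)
  local auth = headers["Authorization"]
  if not auth then
    return nil, "no bearer token"
  end
  local token = auth:match("^[Bb]earer%s+(%S+)$")
  if not token then
    return nil, "malformed Authorization header"
  end
  if token ~= "valid-token-123" then
    return nil, "invalid token"
  end
  return token
end

-- conf    : { hide_credentials = bool, set_access_token_header = bool }
-- headers : mutable table of inbound request headers (modified in place)
-- Returns the header table that would reach the upstream, or nil + error.
local function apply_identity_headers(conf, headers)
  -- 1. A client-supplied X-Access-Token is dropped regardless of config,
  --    so only a token this plugin validated can ever occupy that header.
  headers[ACCESS_TOKEN_HEADER] = nil

  -- 2. Validate while Authorization is still present.
  local token, err = verify_bearer(headers)
  if not token then
    return nil, err
  end

  -- 3. Only after validation, remove the raw credential if asked to.
  if conf.hide_credentials then
    headers["Authorization"] = nil
  end

  -- 4. Re-add the validated token under the plugin-controlled header.
  if conf.set_access_token_header then
    headers[ACCESS_TOKEN_HEADER] = token
  end

  return headers
end

-- Constructed request: a valid bearer token plus a client-supplied
-- X-Access-Token that must never reach the upstream as sent.
local function sample_request()
  return {
    ["Authorization"]    = "Bearer valid-token-123",
    [ACCESS_TOKEN_HEADER] = "client-chosen-token",
    ["Host"]             = "example.test",
  }
end

local cases = {
  { hide_credentials = false, set_access_token_header = false },
  { hide_credentials = true,  set_access_token_header = false },
  { hide_credentials = false, set_access_token_header = true  },
  { hide_credentials = true,  set_access_token_header = true  },
}

for _, conf in ipairs(cases) do
  local upstream, err = apply_identity_headers(conf, sample_request())
  print(string.format("hide_credentials=%s set_access_token_header=%s",
    tostring(conf.hide_credentials), tostring(conf.set_access_token_header)))
  if upstream then
    print("  Authorization  -> " .. tostring(upstream["Authorization"]))
    print("  X-Access-Token -> " .. tostring(upstream[ACCESS_TOKEN_HEADER]))
  else
    print("  rejected: " .. err)
  end
end

-- An invalid token is rejected before any header reaches the upstream,
-- and the client's X-Access-Token was already discarded in step 1.
local rejected, why = apply_identity_headers(cases[4],
  { ["Authorization"] = "Bearer forged", [ACCESS_TOKEN_HEADER] = "x" })
print("forged token: " .. tostring(rejected) .. " (" .. why .. ")")
```

In every configuration the upstream sees either no `X-Access-Token` or the value the plugin validated, never `client-chosen-token`; `Authorization` survives only when `hide_credentials` is `false`. The same step order is what the PR's test suite checks against the real plugin.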