kevinlzw commented on issue #11219:
URL: https://github.com/apache/apisix/issues/11219#issuecomment-4699001508

   Hi @Alnyli07 ,
   
   Sorry to message you in this thread.
   
   I am also interested in improving the client-side OAuth 2.0 / OIDC 
capabilities of the APISIX `openid-connect` plugin, especially when it acts as 
an OIDC client / relying party.
   
   Since this behavior depends on `lua-resty-openidc`, my understanding is that 
features such as PAR, DPoP proof generation for token/userinfo endpoint calls, 
and client assertion JWT improvements should first be supported there.
   
   I understand your APISIX `dpop` plugin focuses on the resource server / 
gateway side, after a DPoP-bound access token has already been issued, so I 
think these efforts are complementary.
   
   I have submitted a PAR PR here:
   https://github.com/zmartzone/lua-resty-openidc/pull/558
   
   I am also experimenting with DPoP client-side proof generation here:
   
https://github.com/zmartzone/lua-resty-openidc/compare/master...kevinlzw:lua-resty-openidc:codex/add-dpop-support
   
   I have tested this experimental work with Keycloak 26.6, and the full flow 
works on my side.
   
   I am still learning this area, so please feel free to point out anything I 
may have misunderstood. Happy to discuss further if you are interested.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
