mayankmurari opened a new issue, #13614:
URL: https://github.com/apache/apisix/issues/13614
### Description
I need to support per-consumer credentials for a custom auth plugin behind
APISIX Ingress Controller. Each consumer calls a ForgeRock IDP, so the plugin
must send that consumer’s client_id/client_secret along with the token during
introspection. Hardcoding credentials inside the ApisixConsumer works, but we
must move them into Kubernetes Secrets (populated from Vault via
ExternalSecret) so each consumer references its own secret via something like
secretRef.
Example (works when hardcoded):
yaml
`consumer:
- name: test
ingressClassName: apisix
authParameter:
jwtAuth:
secretRef:
name: test-jwt
plugins:
- name: vendor-forgerock
enable: true
config:
username: test
client_id: "test-client"
client_secret: "test-secret"`
However, when I add fields like secretRef inside config, APISIX rejects the
consumer with “the input data should be an empty table.
Requirement:
Store per-consumer client_id/client_secret in Vault → ExternalSecret →
Kubernetes Secret
Reference those secrets from the plugin config, so the plugin reads
credentials at runtime
Each consumer (100+ total) should have its own secret
Question: Since consumer-level plugins is mainly designed for built-in auth
plugins (jwt-auth, key-auth, etc.), what’s the correct approach for a custom
plugin that needs per-consumer credentials? How can we safely reference secrets
per consumer without hardcoding them?
### Environment
- APISIX version (run `apisix version`): 3.17
- Operating system (run `uname -a`): Linux dashboard-shell-2kq85
5.14.0-611.41.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Mar 21 12:28:25 UTC
2026 x86_64 GNU/Linux
- Deployment Mode: Standalone with API Based Ingress Controller
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]