mayankmurari opened a new issue, #13614:
URL: https://github.com/apache/apisix/issues/13614

   ### Description
   
   I need to support per-consumer credentials for a custom auth plugin behind 
APISIX Ingress Controller. Each consumer calls a ForgeRock IDP, so the plugin 
must send that consumer’s client_id/client_secret along with the token during 
introspection. Hardcoding credentials inside the ApisixConsumer works, but we 
must move them into Kubernetes Secrets (populated from Vault via 
ExternalSecret) so each consumer references its own secret via something like 
secretRef.
   
   Example (works when hardcoded):
   
   yaml
   `consumer:
     - name: test
       ingressClassName: apisix
       authParameter:
         jwtAuth:
           secretRef:
             name: test-jwt
       plugins:
         - name: vendor-forgerock
           enable: true
           config:
             username: test
             client_id: "test-client"
             client_secret: "test-secret"`
   
   However, when I add fields like secretRef inside config, APISIX rejects the 
consumer with “the input data should be an empty table.
   
   
   Requirement:
   
   Store per-consumer client_id/client_secret in Vault → ExternalSecret → 
Kubernetes Secret
   Reference those secrets from the plugin config, so the plugin reads 
credentials at runtime
   Each consumer (100+ total) should have its own secret
   
   Question: Since consumer-level plugins is mainly designed for built-in auth 
plugins (jwt-auth, key-auth, etc.), what’s the correct approach for a custom 
plugin that needs per-consumer credentials? How can we safely reference secrets 
per consumer without hardcoding them?
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.17
   - Operating system (run `uname -a`): Linux dashboard-shell-2kq85 
5.14.0-611.41.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Mar 21 12:28:25 UTC 
2026 x86_64 GNU/Linux
   - Deployment Mode: Standalone with API Based Ingress Controller
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to