luarx opened a new pull request, #13616:
URL: https://github.com/apache/apisix/pull/13616
### Description
Add a new boolean plugin option `set_enc_id_token_header` (default:
`false`) that, when
enabled, forwards the raw RS256-signed ID token JWT to upstream via the
`X-Enc-ID-Token`
request header.
Unlike the existing `X-ID-Token` header (which contains
`base64(JSON(decoded_claims))` with
no cryptographic signature), `X-Enc-ID-Token` carries the original signed
token verifiable
against the identity provider's JWKS endpoint.
Implementation details:
- The header is cleared at rewrite entry to prevent client injection.
ensures `enc_id_token` is included so the raw JWT is persisted in the
session by
lua-resty-openidc. When `session_contents` is nil (the default),
lua-resty-openidc stores all
session data including `enc_id_token`, so no action is needed.
- Only available in the full OIDC session flow (not in the
bearer/introspection path, where
no session exists).
#### Which issue(s) this PR fixes:
Fixes #13615
### Checklist
- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not,
please discuss on the
[APISIX mailing
list](https://github.com/apache/apisix/tree/master#community) first)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]